
Re: About how to protect network resources in LDAP environment?



On Sat, Aug 28, 2010 at 3:08 AM, Boyd Stephen Smith Jr.
<bss@iguanasuicide.net> wrote:
> In <4C77F5CA.6030609@gmail.com>, Min Wang wrote:
>>Zaar Hai wrote:
>>> On Fri, Aug 27, 2010 at 7:06 PM, Min Wang <ser.basis@gmail.com> wrote:
>>>> user1 can log in as local root on Linux PC1,
>>>> Even though as root, user1 can not rm /home/user2,
>>>> but he can su - user2 on Linux PC1 then rm something.
>>>
>>> You need NFS4 with gssapi. This way to access someone's file you need
>>> an appropriate (his) credentials from KDC (which will be hosted near
>>> by your LDAP server).
>>
>>Hi
>>thanks.  I'm totally a newbie to this nfs4/gssapi/kerberos.
>>
>>(1) does this approach
>>
>>prevent user1-> root ( su-> ) user2?
>
> Yes. "su" does not grant Kerberos credentials.
>
Can't root just read/steal and even use sockets/fifos/pipes owned by
all other users?  Any Kerberos credentials used on the local system
would also be usable by root.

>>(2) Or we need to change to use Kerberos instead of LDAP/PAM?
>
> I believe you can do "just" your NFS authentication with Kerberos and continue
> using LDAP/PAM for most authentication; I have not tried that though.
>
>>(3) And In the kerberosized environment,can the local root su to
>>networked user2?
>
> Yes and no.  The local system will "trust" su, so that root can become any
> user the local system recognizes.  However, network applications that use the
> gssapi (or other Kerberos methods) will require credentials granted by the
> Kerberos system in order to take action as a Kerberos user.
>
> Old-style NFS mostly trusts the local system to identify the user, which is
> why it is mostly only secure if "root" is shared between the NFS server and
> all its clients.
> --
> Boyd Stephen Smith Jr.                   ,= ,-_-. =.
> bss@iguanasuicide.net                   ((_/)o o(\_))
> ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
> http://iguanasuicide.net/                    \_/
>



-- 
Mike Mestnik
Technical Team
___
Nagios Enterprises, LLC
Email: mmestnik@nagios.com
Web: www.nagios.com
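The trust problem in the quoted reply above ("old-style NFS mostly trusts the local system to identify the user") comes down to the AUTH_SYS credential that a sec=sys mount sends with every RPC call. The following is an added example, not part of this thread and not code from any NFS implementation: it encodes and decodes an ONC RPC AUTH_SYS credential following the XDR layout of authsys_parms and opaque_auth in RFC 5531, then shows what a sec=sys server learns from it. The host name "pc1", the uid values and the server_identity and forged_cred_for helpers are constructed for illustration.

```python
"""Added example (not from the thread): an ONC RPC AUTH_SYS (AUTH_UNIX)
credential as it appears on the wire, and what a sec=sys NFS server can
learn from it.  Field layout follows the XDR structs authsys_parms and
opaque_auth in RFC 5531; host names and uids below are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

AUTH_SYS = 1     # RFC 5531 flavor number for AUTH_SYS (a.k.a. AUTH_UNIX)
RPCSEC_GSS = 6   # flavor used by NFS sec=krb5 / krb5i / krb5p (RFC 2203)


def xdr_uint(n: int) -> bytes:
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", n)


def xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque/string: length, bytes, zero pad to 4."""
    return xdr_uint(len(data)) + data + b"\x00" * ((-len(data)) % 4)


def encode_authsys_parms(stamp: int, machinename: str, uid: int, gid: int,
                         gids: List[int]) -> bytes:
    """Build the body of an AUTH_SYS credential.  Every field, uid included,
    is simply asserted by the client; nothing here is signed or verifiable."""
    name = machinename.encode("ascii")
    if len(name) > 255:
        raise ValueError("machinename is limited to 255 bytes")
    if len(gids) > 16:
        raise ValueError("authsys_parms allows at most 16 supplementary gids")
    return (xdr_uint(stamp) + xdr_opaque(name) + xdr_uint(uid) + xdr_uint(gid)
            + xdr_uint(len(gids)) + b"".join(xdr_uint(g) for g in gids))


def encode_opaque_auth(flavor: int, body: bytes) -> bytes:
    """Wrap a credential body in opaque_auth {flavor, body<400>}."""
    if len(body) > 400:
        raise ValueError("opaque_auth body is limited to 400 bytes")
    return xdr_uint(flavor) + xdr_opaque(body)


def decode_opaque_auth(buf: bytes) -> Tuple[int, bytes]:
    """Split opaque_auth into (flavor, body)."""
    flavor, length = struct.unpack_from(">II", buf, 0)
    return flavor, buf[8:8 + length]


def decode_authsys_parms(body: bytes) -> Dict[str, object]:
    """Parse authsys_parms the way a sec=sys server does."""
    stamp, nlen = struct.unpack_from(">II", body, 0)
    off = 8
    name = body[off:off + nlen].decode("ascii")
    off += nlen + ((-nlen) % 4)
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    off += 12
    gids = list(struct.unpack_from(">%dI" % ngids, body, off))
    return {"stamp": stamp, "machinename": name, "uid": uid, "gid": gid,
            "gids": gids}


def server_identity(cred: bytes) -> Optional[int]:
    """Caller uid as a sec=sys server sees it: the number in the cred, taken
    on faith.  An RPCSEC_GSS cred carries no uid at all; the server derives
    the user from the Kerberos principal of the GSS context, so this helper
    (an illustration, not server code) returns None for it."""
    flavor, body = decode_opaque_auth(cred)
    if flavor == AUTH_SYS:
        return int(decode_authsys_parms(body)["uid"])
    return None


def forged_cred_for(uid: int, gid: int = 100, host: str = "pc1") -> bytes:
    """What root on client pc1 can send for any uid it likes (constructed)."""
    return encode_opaque_auth(AUTH_SYS,
                              encode_authsys_parms(0, host, uid, gid, [gid]))


if __name__ == "__main__":
    USER2_UID = 1002  # constructed: user2's uid as published in LDAP
    cred = forged_cred_for(USER2_UID)
    print("wire bytes:", cred.hex())
    print("sec=sys server believes the caller is uid", server_identity(cred))
```

With sec=krb5 the opaque_auth body is an RPCSEC_GSS token rather than a uid, and the server maps the Kerberos principal that set up the GSS context to a local user; that is why "su - user2" on the client gains nothing by itself. It also shows why the point about root on the client still matters: root can read any user's credential cache (in the traditional MIT layout a file such as /tmp/krb5cc_<uid>) and present that ticket, so Kerberos moves the boundary from "whoever is root on the client" to "whoever holds a valid ticket", and credential caches on a client with untrusted root remain exposed.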

