[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Limiting admin privileges

Mark Cooke <mark@mmebs.co.uk> writes:
MC> If I think this is what you want then all you would be is on the
MC> server that is exporting the NFS shares, remove 'no_root_squash'
MC> from the /etc/exports file on the shares you want to export

That doesn't solve the problem of user A poking at user B's file.
Assume a shared passwd file; then user A does 'su; su B' and can now
get at any of B's files on the NFS server.

If this is really an issue, you might consider switching away from NFS
to something more reputable, perhaps AFS.  I believe you can still buy
AFS if your company is into that sort of thing, or you can use Open
AFS (http://www.openafs.org/, also Debian packages in
testing/unstable).  This is kind of a major step, though, and requires
a fair bit of infrastructure setup.  (For example, when you log in,
you need to arrange to acquire AFS tokens, or you can't get at your
files; AFS-clueful people I think are also a little harder to come by.)

David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
	-- Abra Mitchell

Reply to: