
Re: Securing NFS



On Fri, 19 Aug 2005, Laurent wrote:

> Exporting the whole /home directory would put data security at risk 
> since creating an account with the 'right' uid on a workstation would 
> grant access to user files.

i assume you're looking for:
	- only users can see the files they own/create, and
	cannot see others' files ...

	- if more than one person has "group" permissions,
	there is no way to prevent them from looking at each
	other's data if it's on the same server

	- never export /home if you're worried ...
	and export /home/user1 only to user1  and /home/usr2 to user2

> My question is: How to allow any user to use any workstation 
> (Authentication through LDAP) without putting data security at risk,

that implies you have a good security policy that the managers of
the company also believe "security is important and will enforce the
rules" including termination or severe punishment or removal of
privileges for violations

good policy:
	- document anything and everything that affects security
	and data and access to it
	- apply and test all upgrades before deployment
	( proper "testing" distinguishes the me too from the pros )
	- backup everything and encrypted someplace else
	- assume they are peeking at the sensitive data 
	and see if you can find who, what, when, where, how

	- harden NFS ...  disallow root logins, allow only certain
	ip# to nfs mount directory specific resources ( /home/user )
		- run "secure" NFS daemons, including kerberos if needed

	- endless list of hundreds ( :-) ) of things to do ..
		- disallow dhcp, disallow wifi, disallow vpn, ...
		- disallow yahoo, aol, hotmail, gmail, icq, aim, etc ...

c ya
alvin
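
Added example, not part of alvin's message and not code from the thread: a small checker for exports(5) text that flags the points raised above (whole /home exported, wildcard clients, root not squashed, no Kerberos flavor). The sample exports content, the addresses and the function names are constructed for illustration.

```python
# Added example: audit exports(5) text for the weaknesses discussed in the thread.
# SAMPLE_EXPORTS is constructed; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_EXPORTS = """\
# weak: whole /home to any client, root not squashed, AUTH_SYS
/home        *(rw,no_root_squash)
# narrower: one directory per client address, Kerberos required
/home/user1  192.0.2.11(rw,root_squash,sec=krb5p)
# per-user and per-address, but still plain AUTH_SYS
/home/user2  192.0.2.12(rw,sec=sys)
"""

def parse_exports(text):
    """Yield (path, client, options) for every client entry."""
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # A path with no client list is exported to every host.
        for entry in fields[1:] or ["*"]:
            host, _, opts = entry.partition("(")
            yield fields[0], host or "*", [o for o in opts.rstrip(")").split(",") if o]

def audit(text):
    """Return a list of (path, client, problem) findings."""
    findings = []
    for path, host, opts in parse_exports(text):
        if path.rstrip("/") == "/home":
            findings.append((path, host, "whole /home exported, not per-user directories"))
        if "*" in host or "?" in host:
            findings.append((path, host, "wildcard client instead of a specific address"))
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: client root keeps uid 0"))
        # Without sec=, the default flavor is sys (AUTH_SYS).
        flavors = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")] or ["sys"]
        if not all(f.startswith("krb5") for f in flavors):
            findings.append((path, host, "AUTH_SYS allowed: server trusts the uid the client sends"))
    return findings

if __name__ == "__main__":
    for path, host, problem in audit(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: {problem}")
```

The last check is the one that matches the original question: restricting by address and directory narrows who can mount, but with AUTH_SYS a client that presents the 'right' uid is still believed.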


