Re: Securing NFS
On Fri, Aug 19, 2005 at 09:45:51AM +0200, Laurent wrote:
> Hi,
>
> I'm trying to set up secure workstations for developpers.
>
> My current setup includes a file server where Home directories of users
> are stored.
>
> Developpers have root access on their computers.
>
> Exporting the whole /home directory would put data security at risk
> since creating an account with the 'right' uid on a workstation would
> grant access to user files.
>
> My question is: How to allow any user to use any workstation
> (Authentication through LDAP) without putting data security at risk, and
> keeping files on the server.
You are addressing one of the biggest security problems in today's
computing environments.
You need to employ NFS4 or AFS or something like that. These network
filesystems perform authentication (and optionally encryption)
using kerberos.
Setting them up (including the prerequisite kerberos environment)
is however a little bit more involved than plain NFS3.
However, as long as the users have root access, this does not help
much since they still can assume some other user's identity to get
access to their files, if the other user has previously authenticated
himself on the same machine and gotten access to his files. So, you
would need to make sure that every user has only root access on his own
machine and that no other user is working there.
Try to read and understand how kerberos and NFS4 work. This is too much
to explain here.
Dominik.
--
PGP Public Key and contact information available at
http://www.tphys.physik.uni-tuebingen.de/tplist/phonelist.py?uid=epple
Reply to: