
Re: Permissions on NFS mounts

On Thu, 10 Dec 20, 09:10:42, Mark Fletcher wrote:
> This brings up an interesting thought. In the situation where you align 
> user IDs across a number of machines for this purpose, you'll inevitably 
> end up with situations where users are created on some of the machines 
> only for the purpose of keeping the IDs in synch so they can all play 
> nice with the NFS.

adduser --uid 1234 <username>

As far as I know the user creation step can be skipped in the Debian 
Installer, if for any reason uid 1000 is to remain unallocated, 
otherwise just use debootstrap/mmdebstrap instead.

> Left alone, having unneeded users on a given machine could be a 
> security threat, at least in the sense that it provides a greater than 
> necessary attackable surface area. What can be done about that? 
> Obviously one thing would be setting the shell to /dev/null in the 
> password file of those machines that don't need a given user, to 
> prevent interactive logins. What else could be done? Is there a way to 
> put an account "beyond use", in any way including su, sudo etc, while 
> still having the machine recognise the user for being a user and 
> therefore not messing up the mapping of user IDs on shared resources 
> like NFS? In other words, create the sense of "yes this user exists, 
> but they are not welcome here"?

passwd -l/--lock <username>

See 'man passwd' for details, limitations and alternatives.

Kind regards,

Attachment: signature.asc
Description: PGP signature
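
An added example, not part of the original post: passwd(1) notes that -l locks only the password, so the account may still be reachable with another credential such as an SSH key, and it points to usermod --expiredate 1 for disabling the account. The script below audits placeholder accounts for a locked password, a non-login shell and an expired account; the function names and all passwd/shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. All account entries below are constructed sample data; on a
# real host read /etc/passwd and /etc/shadow (the latter needs root) instead.
SAMPLE_PASSWD='alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/usr/sbin/nologin
dave:x:1003:1003::/home/dave:/usr/sbin/nologin'

SAMPLE_SHADOW='alice:$y$constructed$hash:18600:0:99999:7:::
bob:!$y$constructed$hash:18600:0:99999:7:::
carol:!$y$constructed$hash:18600:0:99999:7:::
dave:!$y$constructed$hash:18600:0:99999:7::1:'

# field FILE_TEXT USER N -> print colon-separated field N of USER's entry
field() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v n="$3" '$1 == u { print $n }'
}

# audit_placeholders PASSWD_TEXT SHADOW_TEXT USER...
# Prints one line per user: "name: ok" or "name: <what is still open>".
audit_placeholders() {
    passwd_text=$1; shadow_text=$2; shift 2
    today=$(( $(date +%s) / 86400 ))      # shadow(5) counts days since epoch
    for name in "$@"; do
        issues=
        # passwd -l prefixes the hash with "!"; "*" also matches no password.
        case $(field "$shadow_text" "$name" 2) in
            '!'*|'*'*) ;;
            *) issues="$issues password-usable" ;;
        esac
        case $(field "$passwd_text" "$name" 7) in
            */nologin|*/false) ;;
            *) issues="$issues shell-not-nologin" ;;
        esac
        # Expiry (shadow field 8) disables the account itself. Empty means
        # never; 0 is ambiguous per shadow(5), so it is not trusted here.
        expire=$(field "$shadow_text" "$name" 8)
        if [ -z "$expire" ] || [ "$expire" -eq 0 ] || [ "$expire" -gt "$today" ]; then
            issues="$issues not-expired"
        fi
        echo "$name:${issues:- ok}"
    done
}

audit_placeholders "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" alice bob carol dave
```

In the sample, bob has had only passwd -l applied and is still reported for the shell and expiry checks; dave is the only entry that passes all three.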
