Re: Permissions on NFS mounts

[Reco <recoverym4n@enotuniq.net>]

	Hi.

On Thu, Dec 10, 2020 at 09:10:42AM +0000, Mark Fletcher wrote:
> This brings up an interesting thought. In the situation where you align 
> user IDs across a number of machines for ths purpose, you'll inevitably 
> end up with situations where users are created on some of the machines 
> only for the purpose of keeping the IDs in synch so they can all play 
> nice with the NFS.

But why? useradd has "-u" flag for ages, all that's required is to
supply an appropriate number for uid.
You just create user(s) which are supposed to be on this host with the
needed uid (maybe - gids), and do not create those you don't need.


> Left alone, having unneeded users on a given machine 
> could be a security threat, at least in the sense that it provides a 
> greater than necessary attackable surface area. What can be done about 
> that? Obviously one thing would be setting the shell to /dev/null in the 
> password file of those machines that don't need a given user, to prevent 
> interactive logins.

Current fashion is to use /usr/sbin/nologin for such accounts. But
that's solving the problem one should not have in the first place.

As for sudo and others - there's only proper one solution for such
"unwelcome" users, and it's called userdel.

Reco