LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Mounting centralized NAS server with NFS . Need to forbid users from doing sudo su. (http://www.linuxquestions.org/questions/linux-security-4/mounting-centralized-nas-server-with-nfs-need-to-forbid-users-from-doing-sudo-su-870678/)

permalac 03-24-2011 05:01 AM

Mounting centralized NAS server with NFS . Need to forbid users from doing sudo su.
 
Hi,

long history short:
- we have a bunch of linux servers.
- lots of users work with linux Desktops. They use them as testing servers.
- All the infrastructure has the Authentication services linked by Quest Auth Services againts an AD. This gives us the option of logon scripts, startup scripts, and other things.
- One interesting option this Quest thing gives us is SUDO management. We can edit sudoers file by GPO politics.
- Now we are deploying a NAS server from Hitachi with cifs and NFS mapping capabilities.
- Servers are managed by IT, so nobody can go root except us.
- Desktop users will also mount the NFS shares so they will be able to work with real data and read their own data from servers.
- Desktop users can go sudo su.
- If desktop users go from root to another user, the NFS let them work as they where the other user.


I would like to keep them from swithching users, but only between AD users, they must be able to switch to apache user or postgres user.

I'm missing something or this is going to be tricky?
Can anybody give me a hand on this thinking?


Many thanks.

prushik 03-24-2011 11:54 AM

Quote:

Originally Posted by permalac (Post 4301490)
Hi,

long history short:
- we have a bunch of linux servers.
- lots of users work with linux Desktops. They use them as testing servers.
- All the infrastructure has the Authentication services linked by Quest Auth Services againts an AD. This gives us the option of logon scripts, startup scripts, and other things.
- One interesting option this Quest thing gives us is SUDO management. We can edit sudoers file by GPO politics.
- Now we are deploying a NAS server from Hitachi with cifs and NFS mapping capabilities.
- Servers are managed by IT, so nobody can go root except us.
- Desktop users will also mount the NFS shares so they will be able to work with real data and read their own data from servers.
- Desktop users can go sudo su.
- If desktop users go from root to another user, the NFS let them work as they where the other user.


I would like to keep them from swithching users, but only between AD users, they must be able to switch to apache user or postgres user.

I'm missing something or this is going to be tricky?
Can anybody give me a hand on this thinking?


Many thanks.

You could stop using sudo completely, switch to su only. Set easy to remember passwords for the apache user and the postgres users and give the people that need access to those accounts the passwords. Allow regular users to mount NFS shares (in /etc/fstab i think), then deny everybody root access.
I don't know anything about Quest, but I don't see any reason why this isn't a feasible solution.

trey85stang 03-25-2011 01:37 PM

I dont use QAS, but we use a sudoers entry to keep ad users from switching to other ad users with sudo:

Code:

Runas_Alias LOCAL = root, apache, postgres
Cmnd_Alias SU = /usr/bin/sudo, /bin/su
%somegroup ALL=(LOCAL) NOPASSWD: ALL, !SU


Reuti 03-25-2011 01:41 PM

When these are user desktops, they can boot into a root prompt with init=/bin/sh or similar. Additional measures are necessary.

permalac 03-25-2011 03:00 PM

Quote:

Originally Posted by Reuti (Post 4303324)
When these are user desktops, they can boot into a root prompt with init=/bin/sh or similar. Additional measures are necessary.

Good point.

Our solution will be cifs. we will give a script on the desktop of each user(GPO) which asks for the password again and mounts cifs mountpoints.


All times are GMT -5. The time now is 09:53 PM.