LinuxQuestions.org
Old 03-24-2011, 05:01 AM   #1
permalac
Mounting centralized NAS server with NFS. Need to forbid users from doing sudo su.


Hi,

long story short:
- we have a bunch of linux servers.
- lots of users work with linux Desktops. They use them as testing servers.
- All the infrastructure has its authentication services linked via Quest Auth Services against an AD. This gives us the option of logon scripts, startup scripts, and other things.
- One interesting option this Quest thing gives us is SUDO management. We can edit the sudoers file via GPO policies.
- Now we are deploying a NAS server from Hitachi with cifs and NFS mapping capabilities.
- Servers are managed by IT, so nobody can go root except us.
- Desktop users will also mount the NFS shares so they will be able to work with real data and read their own data from servers.
- Desktop users can go sudo su.
- If desktop users go from root to another user, the NFS lets them work as if they were the other user.


I would like to keep them from switching users, but only between AD users; they must still be able to switch to the apache or postgres user.

Am I missing something, or is this going to be tricky?
Can anybody give me a hand on this thinking?


Many thanks.
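The behaviour described in the last bullet (a desktop root who switches to another user is treated by the NAS as that user) is a property of the credential flavour most NFS exports use, AUTH_SYS (also called AUTH_UNIX, RFC 5531). The client sends the uid and gid as plain integers and the server believes them; the usual `root_squash` export option remaps only uid 0, so after `sudo su - bob` the desktop sends bob's uid and is bob to the NAS. The Python below is an added example for this thread, not code from the thread or from any NFS implementation: it encodes and decodes the AUTH_SYS credential as the wire format defines it and models what a server exporting with `root_squash` concludes. The host name, the uids and the 65534 anonymous id are constructed sample values.

```python
"""Encode/decode an ONC RPC AUTH_SYS credential (RFC 5531, a.k.a. AUTH_UNIX)
and model what an NFS server exporting with root_squash believes about the caller.
Added example for this thread; the host name and ids below are constructed."""
import struct

AUTH_SYS = 1      # auth_flavor value; AUTH_NONE is 0, RPCSEC_GSS (Kerberos) is 6
NOBODY = 65534    # default anonuid/anongid of the Linux kernel NFS server


def _uint(n: int) -> bytes:
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", n)


def _string(s: str) -> bytes:
    """XDR string: length, bytes, zero padding up to a 4-byte boundary."""
    raw = s.encode()
    return _uint(len(raw)) + raw + b"\x00" * (-len(raw) % 4)


def encode_authsys(stamp: int, machinename: str, uid: int, gid: int, gids: list[int]) -> bytes:
    """Build opaque_auth{flavor=AUTH_SYS, body=authsys_parms}.
    Nothing is signed or verified: the ids are whatever the client chooses to send."""
    body = (_uint(stamp) + _string(machinename) + _uint(uid) + _uint(gid)
            + _uint(len(gids)) + b"".join(_uint(g) for g in gids))
    return _uint(AUTH_SYS) + _uint(len(body)) + body


def decode_authsys(cred: bytes) -> dict:
    """Parse the credential the way a server does: flavor check, then the fields."""
    flavor, body_len = struct.unpack_from(">II", cred, 0)
    if flavor != AUTH_SYS:
        raise ValueError(f"not an AUTH_SYS credential (flavor {flavor})")
    if body_len != len(cred) - 8:
        raise ValueError("truncated or oversized credential body")
    off = 8
    stamp, name_len = struct.unpack_from(">II", cred, off)
    off += 8
    name = cred[off:off + name_len].decode()
    off += name_len + (-name_len % 4)
    uid, gid, ngids = struct.unpack_from(">III", cred, off)
    off += 12
    if ngids > 16:
        raise ValueError("gids<16> limit exceeded")
    gids = list(struct.unpack_from(f">{ngids}I", cred, off))
    return {"stamp": stamp, "machinename": name, "uid": uid, "gid": gid, "gids": gids}


def server_view(cred: bytes, root_squash: bool = True, all_squash: bool = False) -> tuple[int, int]:
    """The (uid, gid) the server applies to the request.
    root_squash remaps only uid 0; every other asserted uid is believed as-is,
    which is why a client root who has done `su bob` is simply bob to the NAS.
    all_squash flattens everyone to the anonymous ids, useless for per-user data."""
    p = decode_authsys(cred)
    if all_squash or (root_squash and p["uid"] == 0):
        return NOBODY, NOBODY
    return p["uid"], p["gid"]


if __name__ == "__main__":
    # Constructed scenario: alice has sudo on desk01; bob is uid 1002 in the same AD.
    as_root = encode_authsys(1, "desk01", 0, 0, [0])
    as_bob = encode_authsys(2, "desk01", 1002, 1002, [1002, 100])  # after `sudo su - bob`
    print("request as root seen as", server_view(as_root))   # (65534, 65534): squashed
    print("request as bob seen as", server_view(as_bob))     # (1002, 1002): accepted
```

The protocol-level fix for NFS is to export and mount with `sec=krb5` (RPCSEC_GSS), where the server validates a per-user Kerberos ticket instead of an integer; that is the NFS counterpart of the per-user CIFS login the thread ends up with, and it also uses the AD the site already has.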
 
Old 03-24-2011, 11:54 AM   #2
prushik
Quote: Originally Posted by permalac
You could stop using sudo completely and switch to su only. Set easy-to-remember passwords for the apache user and the postgres user and give the people that need access to those accounts the passwords. Allow regular users to mount NFS shares (in /etc/fstab, I think), then deny everybody root access.
I don't know anything about Quest, but I don't see any reason why this isn't a feasible solution.
 
Old 03-25-2011, 01:37 PM   #3
trey85stang
I don't use QAS, but we use a sudoers entry to keep AD users from switching to other AD users with sudo:

Code:
Runas_Alias LOCAL = root, apache, postgres
Cmnd_Alias SU = /usr/bin/sudo, /bin/su
%somegroup ALL=(LOCAL) NOPASSWD: ALL, !SU
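The `!SU` exclusion above is a deny-list carved out of `ALL` as root. The sudoers(5) manual, in its section on the limitations of the `!` operator, warns that this is not effective: `ALL` includes `sudo /bin/bash`, and from that root shell `su otheraduser` works with no password because root needs none; copying su to another path defeats the path match too. The fragment below is an added example, not something posted in this thread, showing the allow-list form: the group is granted the two service accounts and is never granted root at all. The group name `linux-devs` and the Debian-style command paths are assumptions.

```sudoers
# Added example, not from the thread. Assumes an AD group "linux-devs" (hypothetical)
# and Debian/Ubuntu binary paths; adjust both for the real environment.

# Accounts the group may become. root is deliberately absent: any rule that
# reaches a root shell lets the user `su` to any AD account from it.
Runas_Alias SVC = apache, postgres

# Commands they may run as those accounts. su and sudo are simply not listed,
# so there is no "!" exclusion to bypass.
Cmnd_Alias SVC_SHELL = /bin/bash, /bin/sh

%linux-devs ALL = (SVC) NOPASSWD: SVC_SHELL

# If root really is required, grant exact commands with exact argument lists,
# each vetted for shell escapes, rather than ALL.
Cmnd_Alias SVC_CTL = /usr/sbin/service apache2 restart, /usr/sbin/service postgresql restart
%linux-devs ALL = (root) SVC_CTL
```

Validate with `visudo -c` before installing, then test as a group member: `sudo -u apache id` should succeed and `sudo -u someotheraduser id` should be refused. This closes only the sudo path to other UIDs; a user with physical access to the desktop, as Reuti points out in the next post, still has other ways to root.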
 
Old 03-25-2011, 01:41 PM   #4
Reuti
When these are user desktops, they can boot into a root prompt with init=/bin/sh or similar. Additional measures are necessary.
 
Old 03-25-2011, 03:00 PM   #5
permalac
Original Poster
Quote:
Originally Posted by Reuti
When these are user desktops, they can boot into a root prompt with init=/bin/sh or similar. Additional measures are necessary.
Good point.

Our solution will be CIFS. We will deploy a script (via GPO) to each user's desktop which asks for the password again and mounts the CIFS mount points.

Last edited by permalac; 03-26-2011 at 01:59 PM. Reason: Adding solution.
 
  


Tags
authentication, nfs, sudo, sudoers

