LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-12-2010, 10:03 PM   #1
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
Users subverting security on purpose, Kerberos the only answer?


I have an environment with multiple projects that have a variety of government and commercial sponsors. We have been satisfied to this point with a netapp serving nfs/cifs and keeping a tight reign on nfs exports.
Some of these projects have started asking us to provide access restricted sub-folders of the project space based on different groups that contain a user subset of the primary group.

this works until...

We have a linux machine that serves as a version control front end to the netapp, mounting the project spaces via nfs. People are now mounting their project space via sshfs to this "front end" and sharing the root password of this sshfs client with everyone in their project, in turn creating a security hole to access the so called restricted sub-folders. I know all the obligatory responses referring to irresponsible user behavior but would like to see how others have addressed something like this where user behavior seems out of control.

please no AFS recommendations!
 
Old 05-12-2010, 10:07 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653Reputation: 653Reputation: 653Reputation: 653Reputation: 653Reputation: 653
I believe having a well defined security policy would be the best place to start, once users have been informed regarding their responsibilities action can be taken on any further misuse etc..

cheers
 
Old 05-12-2010, 10:09 PM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,348

Rep: Reputation: 2749Reputation: 2749Reputation: 2749Reputation: 2749Reputation: 2749Reputation: 2749Reputation: 2749Reputation: 2749Reputation: 2749Reputation: 2749Reputation: 2749
If people are sharing passwds, that's a management issue, not a technical one. You have to talk to your mgrs and the project sponsor mgrs. There's no technical solution imho.
I suppose you try RSA fobs ie 2 factor auth, 1.something you know (passwd) & 2.something you have (RSA fob), but they could share those..

Maybe ssh auth keys instead of passwds ?

In any case, I'd still talk to the mgrs; in most companies sharing passwds is a very serious offence, in some cases you get sacked (eg banks).

Last edited by chrism01; 05-12-2010 at 10:11 PM.
 
Old 05-12-2010, 10:14 PM   #4
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Original Poster
Rep: Reputation: 38
admittedly this is a case of the inmates running the prison but these are project managers doing this!
 
Old 05-12-2010, 10:24 PM   #5
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653Reputation: 653Reputation: 653Reputation: 653Reputation: 653Reputation: 653
It doesn't matter who they are.. once the policy is defined and communicated they have no excuse
 
Old 05-12-2010, 10:31 PM   #6
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Original Poster
Rep: Reputation: 38
Quote:
Originally Posted by frndrfoe View Post
admittedly this is a case of the inmates running the prison but these are project managers doing this!
project managers that keep me employed? haha!
 
Old 05-13-2010, 11:41 AM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
@frndrfoe: Why do the project managers need the root password?
 
Old 05-13-2010, 01:56 PM   #8
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Original Poster
Rep: Reputation: 38
Quote:
Originally Posted by anomie View Post
@frndrfoe: Why do the project managers need the root password?
These are their laptops and desktops where they develope, we have to allow them full access to that machine. If we didn't they would wipe and rebuild them themselves.

Last edited by frndrfoe; 05-13-2010 at 01:58 PM.
 
Old 05-13-2010, 03:03 PM   #9
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Then help me understand the complete picture a little better. They're sharing their desktop root passwords. How does that allow them to subvert NFS security? From your first post, it sounds like the real issue is the version control server is letting them get around NFS security.

Alternatively, if the issue is that they're mounting a filesystem to their workstation and then letting others ssh into their workstation, you might need to lock this down at the network/transport layer (i.e. using an intelligent switch).

---

Thinking on it some more, though, there is a fundamental problem. Unless I'm missing something, I'm going to have to agree with post #3. The security policy needs to be shored up, and these managers need a good kick in the arse. That requires buy in from someone above their pay grade.

No matter how many technical bandaids you slap on this problem, determined users can get away with all kinds of dumb shenanigans. (How about passing around usb thumb drives containing sensitive data? That'll beat many of your best tech implementations.)

Last edited by anomie; 05-13-2010 at 03:04 PM.
 
Old 05-13-2010, 06:15 PM   #10
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,553

Rep: Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946
Quote:
Originally Posted by frndrfoe View Post
project managers that keep me employed? haha!
Yep. Unless these project managers own the whole COMPANY, they are circumventing data-security policies. And as to the whole 'they wipe their hard drives and rebuild', same thing...these are the COMPANYS machines, not their own personal ones. Unless they are sysadmins, and are responsible for the integrity and operation of the machines and networks, they leave it alone. If not, get your management to come down on them, hard. If they don't, put the issue in writing, and get your managers to sign off on it.

When the systems die, remind them of your warning, and be sure to leave on time that night. If any of the project managers complain, tell them TFB, they caused the problem, and now they can wait.

Really, this is a management issue. And if your direct manager doesn't take action, go above them, and let them know you're doing it, too. At the end of the day, YOU are responsible for keeping the systems up...not your boss, not the project managers. They'll be home with their feet up, with family and friends, while you're undoing their mistakes. I've been in that situation in the past, and I make damned sure to avoid it now. And really, you're not being unreasonable...you're looking out for the COMPANY interests, which is what they pay you for.
 
1 members found this post helpful.
Old 05-13-2010, 09:08 PM   #11
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Original Poster
Rep: Reputation: 38
Did i mention this is a Higher Education/University environment? Project managers are often tenured faculty. I think I will kill sftp to derail the sshfs antics.

At least students are paying customers...
 
Old 05-13-2010, 09:23 PM   #12
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Original Poster
Rep: Reputation: 38
Quote:
Originally Posted by anomie View Post
Then help me understand the complete picture a little better. They're sharing their desktop root passwords. How does that allow them to subvert NFS security?
1. Front end server nfs mounts export from netapp
2. export contains subfolder with more restrictive group
1. user1 sshfs mounts to front end server on machine with shared root
2. user2 can "with malice" su as other user to access restricted subfolder or create local groups to override ldap groups.

am I making sense?

Project managers want to have ZERO responsibility regardless of what they do and expect us to provide security in spite of ...whatever.

BTW: this is looking like a management battle as expected, we can offer security that will make them realize that personal responsibility is easier than the echelon approach.

Last edited by frndrfoe; 05-13-2010 at 09:37 PM.
 
Old 05-14-2010, 10:24 AM   #13
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,553

Rep: Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946Reputation: 7946
Quote:
Originally Posted by frndrfoe View Post
1. Front end server nfs mounts export from netapp
2. export contains subfolder with more restrictive group
1. user1 sshfs mounts to front end server on machine with shared root
2. user2 can "with malice" su as other user to access restricted subfolder or create local groups to override ldap groups.

am I making sense?

Project managers want to have ZERO responsibility regardless of what they do and expect us to provide security in spite of ...whatever.
Well, I want to have truckloads of money dropped off in my driveway every morning, while lingerie models rub my feet, but that's not likely to happen. What they WANT is different from what they can GET.
Quote:
BTW: this is looking like a management battle as expected, we can offer security that will make them realize that personal responsibility is easier than the echelon approach.
Yep. And again, get management to put it IN WRITING, and sign off on it. Put EVERY objection you can think of in writing, along with what the consequences of ignoring you will be. Get signatures, from management, and the project managers. They don't sign? Then YOU decline responsibility for the server(s), because they're expecting you to be accountable, while not giving you the power to make sure it's done right.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Linux users answer the call: Ubuntu wireless-adapter glitch resolved LXer Syndicated Linux News 0 01-11-2008 11:20 AM
users and system security m2azer Linux - Security 1 01-07-2008 05:46 PM
How change password for kerberos users using passwd comand sarajevo Linux - Security 0 10-23-2007 04:48 AM
Distribution for general purpose security andy.l Linux - Distributions 2 04-06-2007 06:44 AM
...of Samba ADS security, Kerberos, and AD on Windows 2003 zerovice Linux - Enterprise 6 10-19-2006 12:07 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:34 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration