Linux - General
This Linux forum is for general Linux questions and discussion. If it is Linux related and doesn't seem to fit in any other forum then this is the place.
I have hit a wall trying to find a solution for this NFS security problem. We currently have multiple Linux servers with users automounting their /home via autofs through LDAP. The problem we have is that if someone has a root password on their local machine, they can get into anyone's /home folder since it is mapped through the autofs. Is there any way around this? I looked into no_root_squash and such, but ran into problems when I set the /etc/exports to root_squash.
Also, I have heard something about Secure NFS. Has anyone heard of this? What does it do? Could it possibly solve this file sharing problem?
What sort of problems with root_squash? That's exactly where you want to go.... If you mean you need root squash off for certain machines, you can export the same directory twice with NFS, just to different people / machines with different rights.
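As an added illustration of the reply above (constructed for this page, not posted by the replier), here is an /etc/exports fragment that exports the same directory twice: once with root_squash for the general client population, and once with no_root_squash for a single trusted administration host. The subnet and hostnames are placeholders.

```conf
# /etc/exports (constructed example; subnet and hostnames are placeholders)
#
# The same directory exported twice with different rights.
# root_squash is already the default, but it is spelled out so the intent is
# visible in a review: requests arriving as uid 0 from these clients are mapped
# to the anonymous user and cannot read other users' 700 home directories as root.
/home   192.0.2.0/24(rw,sync,root_squash,no_subtree_check)

# Only this one host keeps root on the export, e.g. a backup or admin box whose
# root account is controlled by the same people who run the NFS server.
/home   admin.example.com(rw,sync,no_root_squash,no_subtree_check)
```

After editing, `exportfs -ra` reloads the table and `exportfs -v` shows the effective options per client, which is the quickest way to confirm that the general export really carries root_squash. Note what this does and does not buy: root_squash neutralises uid 0 only; a root user on a client can still switch to any other uid, which is exactly the follow-up problem raised later in this thread and which AUTH_SYS (plain NFSv3 uid-based access) cannot address.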
Yes, that was the problem with root_squash, and what you say does solve the problem. I forgot about that. Thanks. But we still have another problem, still related to the root power and NFS.
On our NFS home server, I have changed all the permissions of user folders to 700. Therefore, only the owner can read his/her files. The problem is that if someone has the root password to their machine, they could su to root, and then from root su to any user and access those users' files. When you are root and you su to a user, you are not prompted for a password. Is there any way around this? As I said before, I have heard something about Secure NFS, which uses Kerberos to authenticate an NFS connection, but I'm not too sure about how it works yet. If there is any other workaround, it would be great to hear about that as well.
Unfortunately if a user has root access they don't need the login when su'ing to another user, that's the power of root.
You should just look into using NIS maybe. Use the central NFS server as also a means of authenticating users from one machine. That way they won't be authenticated on their local machines when logging in but from the remote server since they also have their home accounts mounted from it, etc.
It is actually a little more involved. We do not use NIS. We are authenticating against AD using Kerberos, with an LDAP server containing all user info. Eventually the plan is to phase out the LDAP server and use the Unix attributes in AD when Samba 3 is a little more stable, but for now we will stay with this. So in order to even log on to client machines, the user must be authenticated through AD. Is there a way to make NFS prompt for a password and authenticate via Kerberos or something before mount? Yes, right now, since the /home folder is exported on the NFS server, anyone can mount a folder.
Hi,
I am facing the same problem. We are also using openldap (not AD) for user authentication. I have found a reply at address:
Doesn't answer your direct question, but I think your issue is with NFS, not sudo/su - you're going to have this problem anytime you use NFSv3 as it relies on UIDs to enforce access permissions.
Even if you did somehow prevent users from switching to root and back to another UID, a malicious user could simply connect their own device or boot a different OS in place of your specially configured system and overcome the protection.
Have you considered using NFSv4? It uses Kerberos to authenticate mount requests and enforce access permissions so wouldn't be vulnerable to this happening.
I wonder if anybody uses this kind of authentication with Linux.
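Added example, not part of the thread: the configuration that the quoted reply is pointing at, i.e. NFSv4 exported with a Kerberos security flavour so that the server trusts the user's Kerberos ticket rather than the uid claimed by the client kernel. It uses an autofs wildcard map on the client because the original poster automounts /home that way. The realm, domain and hostnames are placeholders; the Kerberos realm and principal layout are assumed to already exist (the thread's AD or OpenLDAP+Kerberos setup).

```conf
# Constructed example; realm, domain and hostnames are placeholders.
#
# --- server: /etc/exports ---
# sec=krb5p = Kerberos authentication plus integrity and encryption on the wire.
# With a krb5 flavour a request is honoured only if it carries a valid ticket for
# the user it claims to be, so "su" to another user on a client where someone
# holds root gets no further than that user's own (absent) ticket.
# The server needs an nfs/nfs.example.com@EXAMPLE.COM principal in
# /etc/krb5.keytab and rpc.svcgssd (or gss-proxy) running.
/home   *.example.com(rw,sync,sec=krb5p,no_subtree_check)

# --- server and clients: /etc/idmapd.conf ---
# NFSv4 carries user@domain names rather than raw uids; both ends must agree
# on the domain or every file shows up as nobody.
[General]
Domain = example.com

# --- client: /etc/auto.master ---
/home   /etc/auto.home

# --- client: /etc/auto.home ---
# Wildcard map: the directory name the user touches replaces "&".
# Each client needs its own nfs/<fqdn>@EXAMPLE.COM (or host/) principal in
# /etc/krb5.keytab, read by rpc.gssd, to perform the mount itself; the user
# then needs a ticket of their own (from the PAM login or kinit) before the
# server will serve that user's files.
*   -fstype=nfs4,sec=krb5p   nfs.example.com:/home/&
```

The practical check on a client is `klist` as the user: if there is no ticket for that user, access to the mounted home directory is denied by the server regardless of what uid the process runs as, which is precisely the behaviour the two posters above were looking for. The caveat the quoted reply already makes still applies: someone who owns the client hardware can boot whatever they like, so the guarantee rests on the tickets and keytabs, not on the client OS being locked down.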