LinuxQuestions.org
Old 11-28-2007, 05:12 PM   #1
haiders
Member
 
Registered: Sep 2006
Posts: 62

Rep: Reputation: 15
Local root user can su - to nis user


Hi everyone,
I'm no NIS expert and I came across a serious security hole in an environment running NIS for linux machines. Users in this environment own their machines, meaning they have root access and manage their boxes themselves. However, they are nis clients. If they become root on their own machines they can sudo to any nis user account. Is there any way to prevent this? We cannot take away the users' root access because they will complain that it is their box and they want root access (I know, it's a sorry situation).
Is it possible to force password authentication even from root for nis users?

It seems this goes against *nix rules of root access but I'm hoping someone else has encountered this and has a workaround.

The ideal situation would be:
1 - users have their own boxes with their own root access.
2 - they are nis clients
3 - user can su - to his/her nis user account ONLY by using password authentication.


Thanks in advance.
 
Old 12-04-2007, 08:07 AM   #2
jphilput
Member
 
Registered: Nov 2007
Posts: 58

Rep: Reputation: 15
The root user can do anything on a *nix system. In the environment that you describe, the only way to prevent the system owners from using /bin/su - to access the NIS user would be to remove their root privileges.
 
Old 12-04-2007, 10:38 AM   #3
haiders
Member
 
Registered: Sep 2006
Posts: 62

Original Poster
Rep: Reputation: 15
Thanks for the reply jphilput. So I've decided to remove NIS access to the users. The workaround is that they can keep their box and have root access to it, with the exception that they create the same account (with the same uid and gid as on the nis environment). This allows them to access the mount points and keeps permissions/owners the same. Now I need to read up on the best way to secure the already existing nis environment and prevent anyone from joining it. Any suggestions?
 
Old 12-04-2007, 01:15 PM   #4
jphilput
Member
 
Registered: Nov 2007
Posts: 58

Rep: Reputation: 15
I haven't worked a lot with NIS, but the last time I worked with it the paper at this site: http://www.sans.org/reading_room/whi...sadmin/107.php was helpful. The paper itself is out of date at this point, but it may still give you some useful information.
 
Old 12-04-2007, 05:38 PM   #5
haiders
Member
 
Registered: Sep 2006
Posts: 62

Original Poster
Rep: Reputation: 15
Thanks a lot! The document is definitely helpful.
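
An added example, not part of the thread: one way an administrator could audit a self-managed box that follows the workaround from post #3 (a local account with the same uid and gid as the NIS account), assuming the shared mounts match ownership on numeric uid/gid. The sample passwd data, the `parse_passwd` and `audit` helpers, and the finding labels are constructed for illustration.

```python
from typing import NamedTuple

class Account(NamedTuple):
    name: str
    uid: int
    gid: int

# Constructed sample data in passwd(5) format (not taken from the thread).
NIS_SAMPLE = """\
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
"""
LOCAL_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
scratch:x:1002:100::/home/scratch:/bin/bash
+::::::
"""

def parse_passwd(text):
    """Return {name: Account}; skip comments, malformed lines and +/- compat entries."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        fields = line.split(":")
        if line.startswith(("#", "+", "-")) or len(fields) < 7:
            continue
        if fields[2].isdigit() and fields[3].isdigit():
            accounts[fields[0]] = Account(fields[0], int(fields[2]), int(fields[3]))
    return accounts

def audit(local_text, nis_text, owner):
    """Compare a box's local accounts with the NIS map; `owner` is its one permitted user."""
    local, nis = parse_passwd(local_text), parse_passwd(nis_text)
    nis_by_uid = {a.uid: a for a in nis.values()}
    findings = []
    if owner in nis and (owner not in local or local[owner].uid != nis[owner].uid):
        findings.append(("owner-mismatch", owner, owner))  # workaround not applied
    for acct in local.values():
        hit = nis_by_uid.get(acct.uid)
        if hit is None:
            continue  # purely local uid (root, system accounts)
        if acct.name == owner and hit.name == owner:
            if acct.gid != hit.gid:  # same uid, but group ownership would differ
                findings.append(("gid-mismatch", acct.name, hit.name))
        else:  # a local name sharing a numeric uid with some NIS user
            findings.append(("uid-collision", acct.name, hit.name))
    return findings
```

In practice the two inputs would be a copy of the box's `/etc/passwd` and the output of `ypcat passwd` from the NIS domain.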
 
  

