Date: Sun, 27 May 2001 11:29:04 -0500
From: Dan Nelson <dnelson@emsphone.com>
To: "Hartmann, O." <ohartman@klima.physik.uni-mainz.de>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: NIS/YP root permission problems
Message-ID: <20010527112904.A6267@dan.emsphone.com>
In-Reply-To: <Pine.BSF.4.33.0105271349410.1547-100000@klima.physik.uni-mainz.de>
References: <Pine.BSF.4.33.0105271349410.1547-100000@klima.physik.uni-mainz.de>

In the last episode (May 27), Hartmann, O. said:
> I export the appropriate filesystems by maproot=nobody:nobody, but
> that prevents root from getting root access on those filesystems
> exported by NFS, but if he switches to another user (due to its belonging
> to the same NIS/YP domain) he grants itself full permissions to
> access the switched user's filespace ...

You can use the "mapall" export keyword to force all access from a
particular host to be done as a single user (even root is mapped).
You will need to add an export line for each untrusted host, and force
the uid to match the person who has root on that box.

But there's a worse problem; anyone can simply do a "ypcat passwd" and
run something like ports/security/crack on the passwords. If all your
NIS clients support md5 passwords (FreeBSD and Linux definitely do; I
don't know about the commercial Unixes), you can force your NIS server
to use md5 instead of DES and make the cracking bit a bit slower.

-- 
	Dan Nelson
	dnelson@emsphone.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
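
A check for the per-host "mapall" advice in this message, added here as an example and not part of the original e-mail or of FreeBSD: it reads exports(5)-style lines and reports untrusted hosts whose exports still honour client-supplied UIDs, or are pinned to someone other than the person who has root on that box. The sample exports lines, hostnames, UIDs and the owner inventory are constructed assumptions.

```python
# Constructed sample in FreeBSD exports(5) syntax; paths, hosts and UIDs are made up.
SAMPLE_EXPORTS = """\
# only root is remapped here; every other UID is taken from the client as sent
/usr/home -maproot=nobody:nobody lab1.example.org lab2.example.org
# every request from these hosts, root included, runs as the one mapped UID
/usr/home -mapall=1001 desk7.example.org
/usr/home -mapall=1001 desk8.example.org
/usr/src -ro build.example.org
"""
# Assumed inventory: untrusted host -> UID of the person who has root on it.
# Hosts not listed are treated as admin-controlled and skipped.
SAMPLE_OWNERS = {"lab2.example.org": "1004", "desk7.example.org": "1001",
                 "desk8.example.org": "1002"}


def parse_exports(text):
    """Return [(dirs, options, hosts)]; handles -opt and -opt=value tokens only
    (space-separated forms such as "-network 10.0.0.0" are out of scope)."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        dirs = [t for t in tokens if t.startswith("/")]
        opts = dict(t[1:].partition("=")[::2] for t in tokens if t.startswith("-"))
        hosts = [t for t in tokens if not t.startswith(("/", "-"))]
        entries.append((dirs, opts, hosts))
    return entries


def audit(text, owners):
    """List (host, dir, problem) for untrusted hosts not pinned to their owner's UID."""
    findings = []
    for dirs, opts, hosts in parse_exports(text):
        cred = opts.get("mapall", "").split(":")[0]  # "user:group..." -> user part
        for host in hosts or owners:  # no host list: exported to every host
            if host not in owners:
                continue
            if not cred:
                problem = "no -mapall: client-supplied UIDs are honoured"
            elif cred != owners[host]:  # plain string compare against the inventory
                problem = f"-mapall={cred} is not the owner's UID {owners[host]}"
            else:
                continue
            findings += [(host, d, problem) for d in dirs]
    return findings


if __name__ == "__main__":
    for host, directory, problem in audit(SAMPLE_EXPORTS, SAMPLE_OWNERS):
        print(f"{host}:{directory}: {problem}")
```

The comparison is textual, so the inventory has to spell each owner the same way the exports file does (numeric UID or user name).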