Date: Tue, 15 May 2001 00:19:38 +0100 (BST)
From: Andrew Gordon <arg@arg1.demon.co.uk>
To: Forrest Houston <fhouston@east.isi.edu>
Cc: "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject: Re: nfs mounts / su / yp
Message-ID: <20010514235938.P10632-100000@server.arg.sj.co.uk>
In-Reply-To: <Pine.WNT.4.10.10105141416260.-559341@rosencrantz.east.isi.edu>
On Mon, 14 May 2001, Forrest Houston wrote:

> The problem is further complicated though when you want the user to have
> root access. We have some people around here who need/want total access
> to their machine. However there is still the concern of the NFS
> mounts. What do you do in these circumstances?

I have a similar situation - workstations on an untrusted network. The other solutions suggested in this thread are of no use to us:

- physical security/BIOS etc: While we can probably trust the users not to take a can opener to the machines, they don't need to bother: just unplug the network cable and substitute their laptop and masquerade as the machine in question.

- keep users' home directories on their own workstations: useless for us, these are open-access ("terminal room") machines with an itinerant user population.

At the moment, the open access machines are limited to being X-terminals to a small number of trusted (securely located) server machines, which NFS mount the home directories. However, I want to allow some of the machines to run applications locally to take load off the servers.

I am planning to do this:

- On the NFS server, have entries explicitly exporting the /home partition to each of the 'terminal' machines. Initially, these exports will all be "mapall=nobody". So far, this is no loss of security, as all the users with physical access to the terminal rooms have accounts on the main servers.

- On the terminals, use a PAM module to hook the login process and obtain the username/password. This will then perform a transaction with the server, quoting the password, and the server will change the export to be "mapall=xxx". I'm not quite sure how best to implement this; one possibility is to use ssh (in password-authenticated mode) to execute a setuid program on the server - the setuid program will then adjust the export based on the real uid with which the program is executed.

Using ssh has the merit of protecting the password across the network without the trouble of inventing my own scheme (& the related risk of cockup in the design).

There may be some DoS risks in this scheme, but in our environment that's fairly acceptable - there are plenty of ways for users to DoS already, and so long as we have an audit trail we can beat them up accordingly.

If anyone can see glaring holes in this, I'd be glad to know about it before I get started!
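The server-side half of the scheme Andrew sketches, the piece that "adjusts the export based on the real uid", as an added example that is not code from the original post or from FreeBSD. It rewrites the per-terminal /home line in an exports file from "-mapall=nobody" to "-mapall=<user>" and back, and refuses to touch a host that is not on a static terminal list or a line it does not recognise. The hostnames, the TERMINALS set and the sample exports text are constructed for the example; a real helper would write /etc/exports atomically and signal mountd to reread it.

```python
import os
import pwd
import re

# Constructed sample exports file (FreeBSD /etc/exports syntax): every
# terminal starts out mapped to nobody, exactly as the post proposes.
SAMPLE_EXPORTS = """\
/home -mapall=nobody terminal1.example.com
/home -mapall=nobody terminal2.example.com
/usr/src /usr/obj -ro terminal1.example.com terminal2.example.com
"""

# Assumption: the administrator fixes the set of terminal hosts statically, so
# an authenticated caller can only change the mapping for one of these, never
# add a new export line for an arbitrary host.
TERMINALS = {"terminal1.example.com", "terminal2.example.com"}

# Only single-host "/home -mapall=<user> <host>" lines are eligible for
# rewriting; anything else (read-only exports, multi-host lines) passes through.
HOME_LINE = re.compile(r"^/home\s+-mapall=(?P<user>\S+)\s+(?P<host>\S+)\s*$")

# Conservative POSIX-style user name check before the name lands in a config
# file; rejects spaces, option characters and anything starting with '-'.
USER_NAME = re.compile(r"[a-z_][a-z0-9_-]*")


def set_home_mapping(exports_text, host, user):
    """Return exports_text with the /home line for `host` set to -mapall=`user`.

    Raises ValueError if the host is not a known terminal, the user name is
    malformed, or no single-host /home line exists for that host.
    """
    if host not in TERMINALS:
        raise ValueError(f"refusing to export /home to unknown host {host!r}")
    if not USER_NAME.fullmatch(user):
        raise ValueError(f"bad user name {user!r}")
    out, found = [], False
    for line in exports_text.splitlines():
        m = HOME_LINE.match(line)
        if m and m.group("host") == host:
            line = f"/home -mapall={user} {host}"
            found = True
        out.append(line)
    if not found:
        raise ValueError(f"no /home export line for {host!r}")
    return "\n".join(out) + "\n"


def grant_from_uid(exports_text, host, real_uid):
    """Map /home for `host` to the account that owns `real_uid`.

    This is the setuid-helper logic from the post: the identity comes from the
    real uid the kernel reports, never from an argument the caller supplies.
    """
    user = pwd.getpwuid(real_uid).pw_name
    return set_home_mapping(exports_text, host, user)


def grant_from_real_uid(exports_text, host):
    """Convenience wrapper for use inside a setuid helper: use os.getuid(),
    which is the real uid of the invoking (ssh-authenticated) user."""
    return grant_from_uid(exports_text, host, os.getuid())


def revoke(exports_text, host):
    """Return the host's /home export to the mapall=nobody baseline."""
    return set_home_mapping(exports_text, host, "nobody")


if __name__ == "__main__":
    # Demonstration on the constructed sample: grant root's mapping to one
    # terminal, then revoke it and show the file is back to the baseline.
    granted = grant_from_uid(SAMPLE_EXPORTS, "terminal1.example.com", 0)
    print(granted)
    print(revoke(granted, "terminal1.example.com") == SAMPLE_EXPORTS)
```

On FreeBSD the rewritten file only takes effect once mountd rereads it, so the helper would finish by sending mountd a SIGHUP; the revoke path is what the PAM module would trigger at logout, and the DoS exposure Andrew mentions is exactly that a terminal's mapping can be flipped by whoever authenticates from it, which is why the audit trail of who granted what matters.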