From owner-freebsd-questions Sun May 27 9:29:11 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by hub.freebsd.org (Postfix) with ESMTP id D2E7E37B422 for ; Sun, 27 May 2001 09:29:07 -0700 (PDT) (envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost) by dan.emsphone.com (8.11.3/8.11.3) id f4RGT4g15636; Sun, 27 May 2001 11:29:04 -0500 (CDT) (envelope-from dan)
Date: Sun, 27 May 2001 11:29:04 -0500
From: Dan Nelson
To: "Hartmann, O."
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: NIS/YP root permission problems
Message-ID: <20010527112904.A6267@dan.emsphone.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.18i
X-OS: FreeBSD 5.0-CURRENT
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In the last episode (May 27), Hartmann, O. said:
> I export the appropriate filesystems by maproot=nobody:nobody, but
> that prevents root from getting root access on those filesystems
> exported by NFS, but if he switches to another user (due to its belonging
> to the same NIS/YP domain) he grants himself full permissions to
> access the switched user's filespace ...

You can use the "mapall" export keyword to force all access from a
particular host to be done as a single user (even root is mapped). You
will need to add an export line for each untrusted host, and force the
uid to match the person who has root on that box.

But there's a worse problem; anyone can simply do a "ypcat passwd" and
run something like ports/security/crack on the passwords. If all your
NIS clients support md5 passwords (FreeBSD and Linux definitely do; I
don't know about the commercial Unixes), you can force your NIS server
to use md5 instead of DES and make the cracking a bit slower.
--
	Dan Nelson
	dnelson@emsphone.com
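The two checks an administrator would want after reading the reply above, as an added example that is not part of the original post or of FreeBSD itself: a small audit script that (1) parses FreeBSD-style /etc/exports lines and reports, per untrusted host, whether an export uses mapall (every client uid forced to one identity), only maproot (root squashed but every other uid trusted 1:1, the weakness Hartmann describes), or maproot=root; and (2) classifies the password field of each line in a "ypcat passwd" dump as DES crypt (13-character, the fast-to-crack form) versus MD5 crypt ($1$ prefix) versus locked. The exports parsing is a simplification of exports(5) syntax (inline "-opt=value" options, with "-network"/"-mask" also accepting their value as the next token); the sample exports file, host names and passwd lines are constructed for the example.

```python
"""NFS export mapping and NIS passwd-map hash audit (constructed example).

Assumes FreeBSD-style exports(5) syntax and crypt(3) hash formats as they
appear in a `ypcat passwd` dump. Host names below are placeholders.
"""
import re

# Constructed sample exports file, not taken from any real system.
SAMPLE_EXPORTS = """\
# maproot only: root squashed, but other uids from the client are trusted 1:1
/usr/home -maproot=nobody:nobody client1.example.net client2.example.net
# mapall: every uid from client2 becomes the uid of whoever has root there
/usr/src -mapall=hartmann client2.example.net
# maproot=root: client root is server root
/scratch -maproot=root trusted.example.net
/export/pub -ro -network 192.168.10.0 -mask 255.255.255.0
"""

# Constructed passwd-map lines in the form `ypcat passwd` prints them.
SAMPLE_PASSWD = """\
alice:$1$abcdefgh$ijklmnopqrstuvwxyz0123:1001:1001:Alice:/home/alice:/bin/sh
bob:AbCdEfGhIjKlM:1002:1002:Bob:/home/bob:/bin/sh
svc:*:1003:1003:Service:/nonexistent:/sbin/nologin
"""


def parse_exports(text):
    """Return [(dirs, options, hosts)] per exports line (simplified exports(5)).

    Tokens starting with '/' are directories, '-opt' or '-opt=value' are
    options, anything else is a host. An entry with no host and no
    -network is exported to everyone, recorded as the host '<everyone>'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        dirs, opts, hosts = [], {}, []
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("/"):
                dirs.append(tok)
            elif tok.startswith("-"):
                if "=" in tok:
                    key, value = tok.split("=", 1)
                    opts[key] = value
                elif tok in ("-network", "-mask") and i + 1 < len(tokens):
                    opts[tok] = tokens[i + 1]  # value given as the next token
                    i += 1
                else:
                    opts[tok] = True  # flag option such as -ro
            else:
                hosts.append(tok)
            i += 1
        if "-network" in opts:
            hosts.append(opts["-network"] + "/" + opts.get("-mask", "default"))
        if not hosts:
            hosts.append("<everyone>")
        entries.append((dirs, opts, hosts))
    return entries


def audit_exports(text, untrusted_hosts=None):
    """Return [(directory, host, status, detail)] for hosts in untrusted_hosts
    (all hosts when None). status is 'ok' (mapall), 'root' (maproot=root) or
    'weak' (root squashed, non-root uids from the client trusted 1:1)."""
    findings = []
    for dirs, opts, hosts in parse_exports(text):
        for host in hosts:
            if untrusted_hosts is not None and host not in untrusted_hosts:
                continue
            if "-mapall" in opts:
                status, detail = "ok", "mapall=" + str(opts["-mapall"])
            elif str(opts.get("-maproot", "")).split(":")[0] in ("root", "0"):
                status, detail = "root", "maproot=root: client root is server root"
            else:
                # exports(5) squashes root to nobody by default; maproot=nobody is the same
                status, detail = "weak", "root squashed only; consider mapall for this host"
            for d in dirs:
                findings.append((d, host, status, detail))
    return findings


def classify_hash(field):
    """Classify one crypt(3) password field from a passwd map."""
    if field in ("", "*", "!", "x"):
        return "none/locked"
    if field.startswith("$1$"):
        return "md5"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"  # traditional DES crypt: 2-char salt + 11-char hash
    if field.startswith("$"):
        return "other-modular"  # e.g. $2a$, $5$, $6$ schemes
    return "unknown"


def audit_passwd_map(text):
    """Count hash formats in a passwd-map dump; 'des' entries crack fastest."""
    counts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        kind = classify_hash(fields[1]) if len(fields) > 1 else "malformed"
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for d, host, status, detail in audit_exports(SAMPLE_EXPORTS):
        print("%-5s %-12s %-30s %s" % (status, d, host, detail))
    print(audit_passwd_map(SAMPLE_PASSWD))
```

Run against a real system, feed it the contents of /etc/exports and the output of "ypcat passwd" instead of the constructed samples; any "weak" or "root" finding for a host whose root user you do not trust is an export line to convert to mapall, and any "des" count above zero is a server still handing out the faster-to-crack hash form.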