From owner-freebsd-security  Mon May 14 11:18:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from east.isi.edu (east.isi.edu [38.245.76.2])
	by hub.freebsd.org (Postfix) with ESMTP id 338B037B422
	for <freebsd-security@FreeBSD.ORG>; Mon, 14 May 2001 11:18:43 -0700 (PDT)
	(envelope-from fhouston@east.isi.edu)
Received: from rosencrantz.east.isi.edu (rosencrantz.east.isi.edu [38.245.76.213])
	by east.isi.edu (8.9.2/8.9.2) with ESMTP id OAA09155;
	Mon, 14 May 2001 14:18:19 -0400 (EDT)
Date: Mon, 14 May 2001 14:18:16 -0400 (Eastern Daylight Time)
From: Forrest Houston <fhouston@east.isi.edu>
To: Erik Trulsson <ertr1013@student.uu.se>
Cc: Eric Anderson <anderson@centtech.com>,
	"Oulman, Jamie" <JOulman@iphrase.com>,
	"'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject: Re: nfs mounts / su / yp
In-Reply-To: <20010514200927.A32697@student.uu.se>
Message-ID: <Pine.WNT.4.10.10105141416260.-559341@rosencrantz.east.isi.edu>
X-X-Sender: fhouston@ale.east.isi.edu
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The problem is further complicated though when you want the user to have
root access.  We have some people around here who need/want total access
to their machine.  However there is still the concern of the NFS
mounts.  What do you do in these circumstances?

Thanks
Forrest

On Mon, 14 May 2001, Erik Trulsson wrote:

> 
> If a user can login as root or su to root then they can (almost by
> definition) do whatever they want. The solution is therefore to prevent
> users getting root access in the first place since once they get it it is
> too late to do anything about it.
> First of, all make sure that only people you trust are in the wheel group and
> know the root password. This will prevent other people from doing an su to root.
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message