From owner-freebsd-security Mon May 14 11:43:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailf.telia.com (mailf.telia.com [194.22.194.25]) by hub.freebsd.org (Postfix) with ESMTP id CF67A37B423 for ; Mon, 14 May 2001 11:43:04 -0700 (PDT) (envelope-from ertr1013@student.uu.se)
Received: from d1o913.telia.com (d1o913.telia.com [195.252.44.241]) by mailf.telia.com (8.11.2/8.11.0) with ESMTP id f4EIh3C04639 for ; Mon, 14 May 2001 20:43:03 +0200 (CEST)
Received: from ertr1013.student.uu.se (h185n2fls20o913.telia.com [212.181.163.185]) by d1o913.telia.com (8.8.8/8.8.8) with SMTP id UAA14641 for ; Mon, 14 May 2001 20:43:01 +0200 (CEST)
Received: (qmail 33470 invoked by uid 1001); 14 May 2001 18:42:59 -0000
Date: Mon, 14 May 2001 20:42:59 +0200
From: Erik Trulsson
To: Forrest Houston
Cc: Eric Anderson , "Oulman, Jamie" , "'freebsd-security@freebsd.org'"
Subject: Re: nfs mounts / su / yp
Message-ID: <20010514204259.A33451@student.uu.se>
Mail-Followup-To: Forrest Houston , Eric Anderson , "Oulman, Jamie" , "'freebsd-security@freebsd.org'"
References: <20010514200927.A32697@student.uu.se>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from fhouston@east.isi.edu on Mon, May 14, 2001 at 02:18:16PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 14, 2001 at 02:18:16PM -0400, Forrest Houston wrote:
> The problem is further complicated though when you want the user to have
> root access. We have some people around here who need/want total access
> to their machine. However there is still the concern of the NFS
> mounts. What do you do in these circumstances?
>

If those people have their own, personal, machines then you solve it by not
letting any other machines trust the 'compromised' machines.
Only export that person's home directory via NFS to that machine. Do not
allow any other directories to be mounted.
Be careful with accepting logins/connections from it. Basically treat it as
if it was some unknown machine out on the Big Bad Internet.
And make sure that the root password for those machines is different from
that on other machines.

It is usually a bad idea to give users root access if you don't trust them.
If you still have to give them root access then isolate their machines so
that they cannot access other machines.

> Thanks
> Forrest
>
> On Mon, 14 May 2001, Erik Trulsson wrote:
>
> >
> > If a user can login as root or su to root then they can (almost by
> > definition) do whatever they want. The solution is therefore to prevent
> > users getting root access in the first place since once they get it it is
> > too late to do anything about it.
> > First of all, make sure that only people you trust are in the wheel group and
> > know the root password. This will prevent other people from doing an su to root.
> >

-- 
Erik Trulsson
ertr1013@student.uu.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
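The export rules Erik describes (one home directory, one client host, no directory mountable by arbitrary machines, and a compromised workstation's root kept out of the server) can be checked mechanically. The script below is an added example, not code from the list or from FreeBSD; it audits FreeBSD-style `/etc/exports` text read from stdin, and the sample exports file is constructed.

```shell
#!/bin/sh
# Added example (not from the list post): audit FreeBSD-style /etc/exports
# text for two properties, (1) every export names the client host(s) allowed
# to mount it and (2) no export lets a client's root act as root on the
# server.  The sample file content below is constructed for illustration.
set -f   # no glob expansion while we word-split export lines

# Print the export lines (from stdin) that name no client at all, i.e. that
# any host on the network could mount.  Tokens starting with "-" are options
# and tokens starting with "/" are paths; anything else restricts the clients
# (a host name, or the address following -network).  That reading is
# deliberately lenient: we only want the exports that are open to the world.
unrestricted_exports() {
    grep -Ev '^[[:space:]]*(#|$)' |
    while IFS= read -r line; do
        clients=
        for tok in $line; do
            case $tok in
                -*|/*) ;;                       # option or exported path
                *) clients="$clients $tok" ;;   # a client restriction
            esac
        done
        if [ -z "$clients" ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Print the export lines (from stdin) that map the client's root to uid 0.
# Without -maproot, FreeBSD maps remote root to uid -2 (nobody), which is the
# default that keeps a compromised workstation's root out of the server.
root_granting_exports() {
    grep -Ev '^[[:space:]]*(#|$)' |
    grep -E -- '-maproot=(0|root)([[:space:]:]|$)'
}

# Constructed sample: the first two exports follow the advice, the last two
# do not.
SAMPLE_EXPORTS='# home directory of one user, exported only to the box that user runs
/home/forrest -maproot=nobody forrest-box.example.org
/usr/ports -ro -network 10.1.0.0 -mask 255.255.0.0
# BAD: any host can mount this, and its root becomes our root
/usr/src -maproot=0
# BAD: any host can mount every home directory
/home'

# Run the audit over the sample: prints "/usr/src -maproot=0" and "/home"
# from the first check, then "/usr/src -maproot=0" from the second.
printf '%s\n' "$SAMPLE_EXPORTS" | unrestricted_exports
printf '%s\n' "$SAMPLE_EXPORTS" | root_granting_exports
```

On a real server, replace the sample with `unrestricted_exports < /etc/exports`; any line either check prints is one to tighten before the next `mountd` reload.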