On Fri, 21 Mar 2008, Guillaume Rousse wrote:
> chris barry wrote:
> > The question is, is there any way to make this work while preventing a
> > user from accessing another user's home? Some slick program type
> > automount map or something? anything...?
> ugly workaround: have users copy the file in the local /tmp directory
> first, before accessing it with sudo second.
>
> Otherwise, you may have a look at kerberized nfs for a much better
> security, but that's not something easy to install.
I have a brief writeup on NFSv4:
http://www.math.ucla.edu/~jimc/documents/nfsv4-0601.html
Unfortunately Kerberos is used to authenticate the client *host*, so
hostbased impersonation schemes (rogue laptops) no longer work, but it
still relies on the client to honestly report the alphabetic loginID and
group ID of the client user, and so is vulnerable to a generic root exploit
on the client.
I show an autofs map row that mounts NFSv4, at the end.
James F. Carter Voice 310 825 2897 FAX 310 206 6673
UCLA-Mathnet; 6115 MSA; 520 Portola Plaza; Los Angeles, CA, USA 90095-1555
Email: [EMAIL PROTECTED] http://www.math.ucla.edu/~jimc (q.v. for PGP key)
_______________________________________________
autofs mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/autofs
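Added example, not part of James Carter's mail or his write-up: a small Python audit that parses an autofs indirect map (constructed sample rows with placeholder hosts and exports) and reports, per key, whether the row mounts NFSv4 and which NFS security flavour it uses, so rows that still rely on AUTH_SYS client-reported UID/GID stand out from Kerberized ones.

```python
from typing import Dict, List, Tuple
# Constructed sample indirect autofs map (placeholder hosts and exports;
# this is not the map row from the original mail).
SAMPLE_MAP = """\
# /etc/auto.home -- constructed example
*       -fstype=nfs4,sec=krb5p,nosuid   nfs.example.com:/export/home/&
alice   -fstype=nfs4,sec=sys            nfs.example.com:/export/home/alice
bob     -fstype=nfs,vers=4              nfs.example.com:/export/home/bob
carol   legacy.example.com:/export/home/carol
"""

KERBEROS_FLAVOURS = {"krb5", "krb5i", "krb5p"}


def parse_map(text: str) -> List[Tuple[str, str, str]]:
    """Split each non-comment line into (key, options, location).
    Map syntax is KEY [-OPTIONS] LOCATION; '&' in the location of a
    wildcard '*' entry is replaced by the key being looked up."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[1].startswith("-"):
            entries.append((fields[0], fields[1][1:], " ".join(fields[2:])))
        elif len(fields) == 2:
            entries.append((fields[0], "", fields[1]))
        else:
            raise ValueError(f"unparseable autofs map line: {line!r}")
    return entries


def option_value(options: str, name: str) -> str:
    """Return VALUE of NAME=VALUE in a comma-separated option list, or ''."""
    for opt in options.split(","):
        if opt.startswith(name + "="):
            return opt[len(name) + 1:]
    return ""


def audit(text: str) -> Dict[str, Tuple[bool, str, bool]]:
    """Per key: (mounts NFSv4?, sec= flavour, server trusts client UID/GID?).
    With no sec= option NFS uses AUTH_SYS ("sys"): the server accepts the
    numeric UID/GID the client sends; the krb5* flavours require a ticket."""
    report = {}
    for key, opts, _location in parse_map(text):
        fstype = option_value(opts, "fstype") or "nfs"
        v4 = fstype == "nfs4" or option_value(opts, "vers") == "4"
        flavour = (option_value(opts, "sec") or "sys").split(":")[0]
        report[key] = (v4, flavour, flavour not in KERBEROS_FLAVOURS)
    return report
```

Running `audit(SAMPLE_MAP)` flags `alice`, `bob` and `carol` as AUTH_SYS rows; only the wildcard row uses a Kerberos flavour.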