"Boyd Stephen Smith Jr." <[email protected]> writes:

> Min Wang wrote:
>> thanks. I'm totally a newbie to this nfs4/gssapi/kerberos.
>>
>> (1) does this approach
>>
>> prevent user1-> root ( su-> ) user2?

> Yes. "su" does not grant Kerberos credentials.

Well, it does if you're using pam_krb5 as the authentication method for su and you enter a password. But it doesn't when you switch from root to another user without a password, which I suspect is what you're trying to say.

> Yes and no. The local system will "trust" su, so that root can become
> any user the local system recognizes. However, network applications
> that use the gssapi (or other Kerberos methods) will require credentials
> granted by the Kerberos system in order to take action as a Kerberos
> user.

Note, however, that local root can steal the credential cache of any other user on that system, so there's no actual security protection against root for other users on the same system. (In the absence of SELinux or the like, of course.)

> Old-style NFS mostly trusts the local system to identify the user, which
> is why it is mostly only secure if "root" is shared between the NFS
> server and all its clients.

And if you have complete control over the local network so that no one can spoof IP addresses, or pretend to be your NIS server, or....

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

-- 
To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
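The reply above points out that the per-user file credential cache is what a local root can read. An added example, not from this thread or from any of its authors, is a small POSIX shell audit of file-based caches named in the MIT default style `krb5cc_<uid>[_suffix]`: it flags caches whose owner does not match the uid in the name or whose mode is wider than 0600. It assumes GNU `stat -c` (Linux coreutils) and builds its own scratch directory of constructed cache files, so it never touches a real `/tmp`. It only catches accidental exposure between unprivileged users; as the reply says, root can read any file cache regardless of mode, which is why kernel keyring caches or an MAC policy such as SELinux are the actual mitigation.

```shell
#!/bin/sh
# Added example (not from the thread). Audit file-based Kerberos credential
# caches (krb5cc_<uid>[_suffix]) in one directory. Assumes GNU stat.
# Reports a cache when:
#   - its owner uid differs from the uid encoded in the file name, or
#   - its mode is anything other than 0600 (wider modes expose the TGT to
#     every local user, not just root).
# Returns the number of bad caches found (0 = clean).
audit_ccache() {
    dir=$1
    bad=0
    for f in "$dir"/krb5cc_*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        uid=${name#krb5cc_}      # strip the prefix ...
        uid=${uid%%_*}           # ... and any _suffix after the uid
        owner=$(stat -c '%u' "$f")
        mode=$(stat -c '%a' "$f")
        if [ "$owner" != "$uid" ]; then
            echo "BAD $f: owned by uid $owner, name says uid $uid"
            bad=$((bad + 1))
        elif [ "$mode" != "600" ]; then
            echo "BAD $f: mode $mode, expected 600"
            bad=$((bad + 1))
        else
            echo "ok  $f"
        fi
    done
    return "$bad"
}

# Constructed demo data in a scratch directory; prints the directory name.
# Three empty files stand in for caches: one correct, one world-readable,
# one whose name claims a uid (99999, an obvious placeholder) that is not
# the owner.
make_demo() {
    d=$(mktemp -d)
    me=$(id -u)
    : > "$d/krb5cc_$me";       chmod 600 "$d/krb5cc_$me"
    : > "$d/krb5cc_${me}_abc"; chmod 644 "$d/krb5cc_${me}_abc"
    : > "$d/krb5cc_99999";     chmod 600 "$d/krb5cc_99999"
    echo "$d"
}

# Stand-alone usage: audit the demo directory, then clean it up.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo)
    audit_ccache "$demo"
    echo "bad caches: $?"
    rm -rf "$demo"
fi
```

Run it with `--demo` to see two of the three constructed caches flagged; point `audit_ccache` at `/tmp` on a real host to check the caches that `kinit` wrote there.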

