On Sat, Aug 28, 2010 at 3:08 AM, Boyd Stephen Smith Jr. <[email protected]> wrote:
> In <[email protected]>, Min Wang wrote:
>> Zaar Hai wrote:
>>> On Fri, Aug 27, 2010 at 7:06 PM, Min Wang <[email protected]> wrote:
>>>> user1 can log in as local root on Linux PC1,
>>>> Even though as root, user1 can not rm /home/user2,
>>>> but he can su - user2 on Linux PC1 then rm something.
>>>
>>> You need NFS4 with gssapi. This way to access someone's file you need
>>> an appropriate (his) credentials from KDC (which will be hosted near
>>> by your LDAP server).
>>
>> Hi
>> thanks. I'm totally a newbie to this nfs4/gssapi/kerberos.
>>
>> (1) does this approach
>>
>> prevent user1 -> root (su ->) user2?
>
> Yes. "su" does not grant Kerberos credentials.
>

Can't root just read/steal and even use sockets/fifos/pipes owned by all other users? Any Kerberos credentials used on the local system would also be usable by root.
>> (2) Or we need to change to use Kerberos instead of LDAP/PAM?
>
> I believe you can do "just" your NFS authentication with Kerberos and continue
> using LDAP/PAM for most authentication; I have not tried that though.
>
>> (3) And in the kerberosized environment, can the local root su to
>> networked user2?
>
> Yes and no. The local system will "trust" su, so that root can become any
> user the local system recognizes. However, network applications that use the
> gssapi (or other Kerberos methods) will require credentials granted by the
> Kerberos system in order to take action as a Kerberos user.
>
> Old-style NFS mostly trusts the local system to identify the user, which is
> why it is mostly only secure if "root" is shared between the NFS server and
> all its clients.
> --
> Boyd Stephen Smith Jr.                     ,= ,-_-. =.
> [email protected]                          ((_/)o o(\_))
> ICQ: 514984             YM/AIM: DaTwinkDaddy `-'(. .)`-'
> http://iguanasuicide.net/                      \_/

--
Mike Mestnik
Technical Team
Nagios Enterprises, LLC
Email: [email protected]
Web: www.nagios.com
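The distinction drawn in the thread, that AUTH_SYS ("old-style") NFS lets the server trust whatever UID a client presents while Kerberos flavors require credentials from the KDC, can be checked on the server side by reading its export table. The following script is an added example and is not code from the thread or from any of its participants; it assumes the exports(5) file format (the `sec=` option with colon-separated flavors, `sec=sys` and `root_squash` as defaults) and runs over a constructed sample rather than a real configuration. It flags exports that rely on `sec=sys`, escalates the finding when `no_root_squash` extends that trust to UID 0 on the client, and notes exports that use plain `krb5` without the integrity (`krb5i`) or privacy (`krb5p`) flavors.

```python
"""Audit NFS exports for the trust model discussed in the thread.

Hypothetical helper, not from the mailing-list post. It parses exports(5)-style
text and reports where the server would trust the client's claimed identity
(sec=sys) instead of Kerberos credentials.
"""
import re
from dataclasses import dataclass

# One client entry: "client" optionally followed by "(opt1,opt2,...)".
ENTRY_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")

# Constructed sample, not a real /etc/exports.
SAMPLE_EXPORTS = """
# constructed sample
/home        192.0.2.0/24(rw,sync,sec=sys)
/home        pc1.example.test(rw,no_root_squash)
/home/secure 192.0.2.0/24(rw,sync,sec=krb5p:krb5i)
/srv/pub     *(ro,sec=krb5)
"""


@dataclass
class Finding:
    path: str
    client: str
    severity: str
    reason: str


def parse_exports(text):
    """Yield (path, client, options) for every client entry in the text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        if len(parts) == 1:
            yield path, "*", []                # no client listed: open to all
            continue
        for m in ENTRY_RE.finditer(parts[1]):
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            yield path, m.group(1), opts


def security_flavors(opts):
    """Return the sec= flavors for an entry; exports(5) defaults to sys."""
    for o in opts:
        if o.startswith("sec="):
            return o[4:].split(":")
    return ["sys"]


def audit_exports(text):
    """Return Findings for exports whose identity model is weaker than krb5i/p."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavors = security_flavors(opts)
        root_squashed = "no_root_squash" not in opts   # root_squash is default
        if "sys" in flavors:
            if not root_squashed:
                findings.append(Finding(path, client, "high",
                    "sec=sys with no_root_squash: root on an allowed client "
                    "is root on this export"))
            else:
                findings.append(Finding(path, client, "medium",
                    "sec=sys: server trusts the client's claimed UID, so a "
                    "local root on the client can act as any user"))
        elif "krb5" in flavors and not ({"krb5i", "krb5p"} & set(flavors)):
            findings.append(Finding(path, client, "low",
                "sec=krb5 authenticates RPCs but does not protect data "
                "integrity or privacy; prefer krb5i or krb5p"))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"[{f.severity}] {f.path} -> {f.client}: {f.reason}")
```

To run it against a real server, replace `SAMPLE_EXPORTS` with the contents of `/etc/exports`. Note that this only covers the server-side trust model; the point raised above about a local root reading another user's credential cache is a client-side problem that no export option addresses.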

