I think you're looking for netgroups. Specifically, a list of which NFS clients are allowed to mount (which?) NFS servers. It's not foolproof (IP spoofing might be able to get you somewhere), and it's not secure (it's still unencrypted), but it suddenly goes from "I brought my Linux notebook in and did an 'rm -rf' on the development tree by accident." to being a non-trivial endeavor. We used to do it at Cisco all the time -- and users we "trusted" would get netgroup access, and thems we didn't, wouldn't.
-Ken

On Sun, 28 Oct 2001, Derek D. Martin wrote:

> On Sun, Oct 28, 2001 at 08:58:21AM -0500, Ron Peterson wrote:
> > NFSv2 and v3 are both insecure. If the client computer is on my desktop,
> > I can reinstall Linux, give myself root, and then connect as any user I
> > want.
>
> Yep, you can. Of course, if you're managing a bunch of Linux machines,
> and you need to prevent this scenario, you can make it difficult.
> It sounds like you've already taken root away from your users, which
> is the first step. Good for you! :)
>
> Or you can trust your users... If you prefer the former, you can
> remove the floppy drive and CD-ROM drive, and install a BIOS password
> on the machine. You also will need to make sure that LILO prompts
> for a password when using anything but the default command line, as
> should single user mode.
>
> This does not make it impossible, but much more work for someone to
> re-install Linux on your system. And there's a good chance someone
> will notice them installing drives in their machine...
>
> Of course, this is also tantamount to hanging a big tabard from every
> window in your office that says "WE DON'T TRUST OUR USERS!"
> Personally I have no problem with that, but THEY might see it a
> bit differently... ;)
>
> > Samba's smbmount can prompt for a password, but not if you use
> > autofs. This is the best solution I can think of so far, particularly if
> > combined with SSL.
>
> You can add the necessary commands to the user's local .profile
> so that it will prompt for a password and mount the share. You will
> also need to make sure the share gets mounted somewhere other than
> the user's home directory... or else it will be busy when you try
> to mount it (as the .profile will be running from there).
>
> > Are there other solutions to this problem that I'm not thinking of?
>
> If you want to learn how to manage Kerberos, that may work for you...
> But I'm not sure if there is a good implementation of kerberized NFS
> for Linux. I think this again may be in the realm of NFSv4.
>
> If you do find anything else that works for you, I'd be most interested
> in the details. This IS a hairy problem...
>
> > Thanks.
>
> --
> Derek Martin [EMAIL PROTECTED]
> ---------------------------------------------
> I prefer mail encrypted with PGP/GPG!
> GnuPG Key ID: 0x81CFE75D
> Retrieve my public key at http://pgp.mit.edu
> Learn more about it at http://www.gnupg.org
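An added example, not part of the original thread: a small audit of the netgroup approach described in the reply above, which expands each `@netgroup` in an `/etc/exports`-style file to the hosts allowed to mount and flags exports that are not limited to named netgroup hosts. The file contents, host names, group names and paths are constructed for illustration; the parsing follows the usual `exports(5)` and `netgroup(5)` layouts.

```python
import re

# Constructed sample files; host, group and path names are hypothetical.
NETGROUP = """\
trusted-dev (build1,,) (build2,,) admin-hosts
admin-hosts (admin1,,) trusted-dev
open-group  (,,)
"""
EXPORTS = """\
/export/dev   @trusted-dev(rw)
/export/pub   *(ro)
/export/home  @trusted-dev(rw) 192.168.1.0/24(rw)
/export/tmp   @open-group(rw)
"""
LINE = re.compile(r"^[ \t]*([^\s#]+)([^#\n]*)", re.M)  # first field, rest up to a comment

def parse_netgroups(text):
    """Map group name -> (hosts from (host,user,domain) triples, nested groups)."""
    groups = {}
    for name, rest in LINE.findall(text):
        # An empty host field matches any host; "-" matches none.
        hosts = {t.split(",")[0].strip() or "*" for t in re.findall(r"\(([^)]*)\)", rest)}
        nested = set(re.sub(r"\([^)]*\)", " ", rest).split())
        groups[name] = (hosts - {"-"}, nested)
    return groups

def resolve(name, groups, seen=None):
    """Expand a netgroup to its hosts, following nested groups without looping."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    hosts, nested = groups[name]
    return set(hosts).union(*(resolve(n, groups, seen) for n in nested))

def audit_exports(text, groups):
    """Return {path: (clients allowed to mount, findings)} per export line."""
    report = {}
    for path, rest in LINE.findall(text):
        allowed, findings = set(), []
        for client in rest.split():
            spec = client.split("(", 1)[0] or "*"  # a bare "(opts)" exports to everyone
            hosts = resolve(spec[1:], groups) if spec.startswith("@") else {spec}
            if not spec.startswith("@") or "*" in hosts:
                findings.append(f"{spec}: not limited to named netgroup hosts")
            allowed |= hosts
        report[path] = (allowed, findings)
    return report

print(audit_exports(EXPORTS, parse_netgroups(NETGROUP)))
```

As the reply notes, a clean report only narrows which hosts the server will answer; it does not authenticate them or encrypt the traffic.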
