Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: How to prevent local root from su to an NIS user?
Top Forums UNIX for Advanced & Expert Users How to prevent local root from su to an NIS user? Post 302155547 by ramen_noodle on Friday 4th of January 2008 12:55:20 PM
Old 01-04-2008
No, it's an artifact of your deployment. I'm assuming NIS & NFS. The developers don't need to add local uids for them to su if the pertinent filesystems and credentials are available. I can think (quickly) of only one way to deal with the issue and that is by implementing netgroups (man -k netgroup).

Developers having local root access is an insupportable security practice imho. Perhaps a well designed sudo implementation is in order.
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Prevent root login directly

Hi How can I prevent anyone from logging in as root directly? I have added the line console=/dev/null to the file /etc/default/login I was still able to login as root from the console. Please advice. Thanks Srini (4 Replies)
Discussion started by: skotapal
4 Replies

2. UNIX for Dummies Questions & Answers

How to prevent root users from editing files (logs)

How to prevent root users from editing files (logs)? Is there any way? (4 Replies)
Discussion started by: vehchi
4 Replies

3. Solaris

Prevent users logging in as root

I would like to know how to prevent users connecting to a server using SSH as root. I would still like them to be able to login with their username and then change to su. But I would like to prevent them logging in directly as root. I have searched the forum and read that I should set... (3 Replies)
Discussion started by: Sepia
3 Replies

4. Red Hat

NIS disabling the MAP for a local user

Hello everybody, we have a NIS User lsfadmin which gets his environment variables from the autmount /home/lsfadmin. A newer version of the application needs a different environment to launch the application. I can't change the environment of the NIS User because we use NIS company wide for... (0 Replies)
Discussion started by: sdohn
0 Replies

5. Shell Programming and Scripting

switch user from local user to root in perl

Hi Gurus, I have a script that requires me to switch from local user to root. Anyone who has an idea on this since when i switch user to root it requires me to input root password. It seems that i need to use expect module here, but i don't know how to create the object for this. ... (1 Reply)
Discussion started by: linuxgeek
1 Replies

6. UNIX for Advanced & Expert Users

History to Another file [local user history , but root access]

Hi all, My need is : 1. To know who , when , which command used. 2. Local user should not delete this information. I mean , with an example , i can say i have a user user1 i need to give all the following permissions to user1, : a. A specific directory other than his home... (3 Replies)
Discussion started by: linuxadmin
3 Replies

7. UNIX for Dummies Questions & Answers

NIS user in local group

I have root access on a linux (RH5.4) server within an NIS setup that I don't control. I have an NIS account that creates directories on my local node that I want to be writable by my local apache account. The NIS account is only a member of the "users" group and the local apache account is... (1 Reply)
Discussion started by: clindseysmith
1 Replies

8. UNIX for Dummies Questions & Answers

History to Another file [local user history , but root access]

Hi all, My need is : 1. To know who , when , which command used. 2. Local user should not delete this information. I mean , with an example , i can say i have a user user1 i need to give all the following permissions to user1, : a. A specific directory other than his home... (1 Reply)
Discussion started by: sriky86
1 Replies

9. Red Hat

How to check local accounts have root and user access rights ?

Hi, I have three servers,For 3 servers how i can take output,all the local accounts and details of whether the access is Root or User access. cheers (1 Reply)
Discussion started by: ranjithm
1 Replies

10. Shell Programming and Scripting

How to Switch from Local user to root user from a shell script?

Hi, I need to switch from local user to root user in a shell script. I need to make it automated so that it doesn't prompt for the root password. I heard the su command will do that work but it prompt for the password. and also can someone tell me whether su command spawns a new shell or... (1 Reply)
Discussion started by: Little
1 Replies

LEARN ABOUT ULTRIX

exports

exports(5nfs)															     exports(5nfs)

Name
       exports - defines NFS file systems to be exported

Syntax
       /etc/exports

Description
       The  file  describes  the  local file systems and directories that can be mounted by remote hosts through the use of the NFS protocol.  The
       file can also be used to restrict access to a particular set of remote systems.	The request daemon accesses the file each time it receives
       a mount request from an NFS client.

       Each  entry  in the file consists of a file system or directory name followed by an optional list of options or an optional list of identi-
       fiers or both. The identifiers define which remote hosts can mount that particular file system or directory.  The identifiers listed beside
       the  name of each file system or directory can be either host names or YP netgroups names.  When the daemon receives a mount request from a
       client, it searches for a match in the list of identifiers, first by checking the client host name with the host name identifiers and  sec-
       ond  by	checking  the  client  host  name  in a YP netgroups.  When it finds a match, makes that file system or directory available to the
       requesting client.

       The exports file format is defined as follows:
       pathname [-r=#] [-o] [identifier_1 identifier_2 ... identifier_n]
       or
       #anything

       Name of a mounted local file system or a directory of a
		      mounted local file system . The must begin in column 1.

       options:

		      -r=#    Map client superuser access to uid #.  If you want to allow client superusers access to the file system or directory
			      with  the  same permissions as a local superuser, use Use only if you trust the superuser on the client system.  The
			      default is which maps a client superuser to nobody.  This limits access to world readable files.

		      -o      Export file system or directory read-only.

			      The options can be applied to both file system and directory entries in

       identifiers:   Host names or netgroups, or both, separated by white space, that specify the access list for this export.   Host	names  can
		      optionally contain the local BIND domain name.  For more information on BIND, see the Guide to the BIND/Hesiod Service If no
		      hosts or netgroups are specified, the daemon exports this file system or directory to anyone requesting it.

       A number sign (#) anywhere in the line marks a comment that extends to the end of that line.

       A whitespace character in the left-most position of a line indicates a continuation line.

       Each file system that you want to allow clients to mount must be explicitly defined.  Exporting only the root (/) will not allow clients to
       mount Exporting only will not allow clients to mount if it is a file system.

       Duplicate directory entries are not allowed.  The first entry is valid and following duplicates are ignored.

       Desired export options must be explicitly specified for each exported resource: file system or directory.  If a file system and subdirecto-
       ries within it are exported, the options associated with the file system are not ``inherited''.	You do not need to export an  entire  file
       system to allow clients to mount subdirectories within it.

       The  access  list  associated with each exported resource identifies which clients can mount that resource with the specified options.  For
       example, you can export an entire file system read-only, with a subdirectory within it exported read-write to a subset of  clients.   If  a
       client  that  is  not  identified in the export access list of a directory attempts to mount it, then access is checked against the closest
       exported ancestor.  If mount access is allowed at a higher level in the directory tree of the file system, the  export  options	associated
       with the successful match will be in effect.

       If  you	are concerned with nfs security, all ufs file systems exported via nfs should be ufs mounted with the option. All ufs file systems
       exported via nfs with the option specified in the file should be ufs mounted with the option.

Examples
       /usr alpha beta	       # export /usr to hosts alpha and beta, client
				 superuser maps to uid -2 and read-write
				 access is permitted

       /usr/staff/doe clients  # export directory to hosts in netgroup clients

       /usr/man/man1 -o        # export directory read-only to everyone

       /usr/local -r=0 beta    # export file system to beta, superuser
				 on beta maps to local superuser (uid=0)

Files
See Also
       hosts(5), mountd(8nfs), netgroup(5yp)
       Guide to the BIND/Hesiod Service
       Introduction to Networking and Distributed System Services

																     exports(5nfs)
All times are GMT -4. The time now is 09:30 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy