Weird NFS Security Needs 20
spankenstein asks: "At work we are trying to switch to using NFS mounted home directories but have run into a problem. All of the technical staff have root access to their machines. It is necesary for this access. However, this leads to extremely easy ways to override NIS and any other "authentication" provided over NFS so almost anyone could mount someone else's ${HOME}. Is there any reasonably secure way of doing this? So far it's looking like Samba is the best answer but that makes no sense in a 90% Linux environment."
Re:Don't export root... (Score:1)
Basically NFS has no real security model for inhomogenous networks like this... you need something like samba, or maybe ncpfs or coda or AFS might work, I'm not familiar with them...
But samba with automounter would probably be the best bet by far.....
Re:Don't export root... (Score:1)
YARFA? (Score:1)
I'm not sure the classic UNIX security makes any sense anymore.
Maybe you could just rm su?
Re:Well, geez.. (Score:1)
* "no" meaning no "absolute" benefits -- it only keeps out the really stupid users for very long, and even then not very long.
Re:Problem solved: sudo (Score:1)
Although, back to the original question, why not export each home directory individually, and allow only that user's workstation to mount their homedir? Sure, it's a little more to setup, and can make for a rather large exports file, but if you aren't moving people from workstation to workstation, then it should work fine. You may also look into samba, which would provide the authentication you desire, and have the added benefit of working with any win or macos machines you might have about. AFS may also provide such authentication, but that is pure speculation on my part, as I'm not familer with AFS.
We have the same problem (Score:1)
Trying to secure the end machines is not really possible - we don't control all of them, and students (we're a university) often legitimately need bootdisks, or local installs, or laptop access to their home dirs.
NFS trusts the client machine pretty much completely - ie. root can pretend to be any user.
Our solution (not yet implemented) is to have a seperate authentication step (tied to the login program) that the server verifies and sets up an explicit export. However since we haven't finished this, we don't know if it'll work in practice.
Samba would seem like the best bet, but it does screwy things to UNIX file permissions (there's a reason we use UNIX...), and Coda just has two many negative points that make it inappropriate for us.
AFS is a non option for an all-linux shop with no real budget to speak of.
Has anyone solved this yet?
Re:Problem solved: sudo (Score:1)
Ahhh... very nice. I didn't think of that.
Re:YARFA? (Score:1)
ACLs won't do any good in this case, its not that the permissions are deficient, its that NFS has a flawed design when it comes to security: it completely trusts the client to take care of enforcing the permissions. so even if you had acls it won't do any good since the client root can ignore them anyway. Its already been mentioned that you can squash root but that only works when all files are owned by root, which is not very useful for home directories.
I'm not sure the classic UNIX security makes any sense anymore.
I don't think its classic unix security that is the problem here, its the classic NFS non-security that is the problem. any system which trusts the client for authentication/permission enforcement is fundementally flawed.
I think you might be thinking along the lines that `all powerful root' does not make sense any more, and in some cases it does not which is why there are some capability based systems (trusted irix and such) where uid 0 is just another account. Trusted IRIX has this available as an option but i suspect (i have no real numbers) that most IRIX users configure it WITH the all powerful super-user enabled, simply because administering a fully capability based system with no root is much more difficult and thus more time consuming. (i could be wrong here but that is the impression i get)
Maybe you could just rm su?
as has been mentioned revoking root access in this case is probably not an option. even if it were they would have to deal with loads of physical access problems. the network, the workstations etc etc.
--
ln -s
Re:Problem solved: sudo (Score:1)
And just to prove the point of how careful you have to be, 'mount' isn't safe. You could create and mount a filesystem with a suid shell on it...
Be very careful... (Score:1)
NFS = No File Security.
AFS would work, or Coda. You might be able to monkey something up with a cryptographic file system running on top of NFS.
Re:Nope, don't think it's possible (Score:1)
This makes life more complicated, but it's possible.
Re:Problem solved: sudo (Score:1)
Don't export root... (Score:2)
may have root on the machine you are sitting at
but you won't have the same priviliges on an NFS
mounted filesystem. grep the NFS docs for the
phrase "export root".
Re:Nope, don't think it's possible (Score:2)
Because Unix has a crude "all or nothing" security model - you're either the sysadmin, or you aren't. More mature operating systemd (VMS, for example) allow very fine-grained control over system privileges.
Re:Nope, don't think it's possible (Score:2)
That's not strictly true. While it doesn't have the fine grained security of, say, VMS (at least, not without using the various capabilities options available), it's not necessarily all or nothing. You can do an awful lot with sensible use of groups. In my experience, 99% of the times that people claim they need root access, they don't. It's just the quick and easy way out, so they take it.
Several possible solutions (Score:2)
1) Explicitly tie the home directory to specific machine(s) in the
2) Encrypt everything. If you are using the loopback filesystem encryption, you can NFS mount the home directory someplace else, then mount it via loopback over the user's home directory. Depending upon your level of paranoia, it could be mounted and unmounted as the user logs in, or it could be automatically mounted during the system boot. (This requires that the script know the password.) One potential downside is that you must specify how much space to allocate to the user up front... but then again this is an effective form of quotas, ensuring backups fit media, etc.
3) In a completely different direction, you should also evaluate Secure NFS. The recent glibc libraries include support for secure RPC, and I believe secure NFS ports are in progress. Once available, everyone should switch to secure NFS anyway to eliminate many of the problems associated with individuals having root access on their own system. (E.g., as a consultant I usually bring my own Linux laptop to the site... and I am not willing to surrender my root access to the typical IT drone.) Unfortunately, I don't know if secure NFS addresses your specific problem - the keys may be tied to the system, not the exported file system.
Well, geez.. (Score:2)
- Local users get sudo access to certain things. No need for local root.
- man 5 exports, and they setup your NFS server to squash root (under Linux, it's default, and you have to override with no_root_squash). For example, I use "/inst 192.168.0.0/255.255.255.0(ro,root_squash)" for my Slackware install NFS share. No need to export shares that allow root to muck up things.
Either way, you stop handing out root privileges like it's christmass -- a definite security benefit---
Re:Problem solved: sudo (Score:2)
First off, many programs provide shell escapes:
[lloyd@shirley lloyd]$ dc
!/bin/sh
bash$
and there are more where that came from. Give someone a root shell and all is lost (an easy "cp
Also, if the people are techie types they will tend to get pissed off if you take away root on their personal machines. And unless you take care to lock down every machine very tight, they'll do things like booting into single user mode, use boot disks, etc.
Personally I don't see the need for this at all, unless it's common for people to go from one office to the other editing files on their home machines. Just a big PITA (Pain In The Ass). If you happen to be on someone else's machine, ssh to your own.
Nope, don't think it's possible (Score:3)
Problem solved: sudo (Score:3)
Have you considered using sudo to give selective root access to users? sudo stands for "superuser do", and allows selective superuser access. sudo lets the admin define, in a shared config file, individual executables and scripts (by full path), and who they run as. You can give a user access to /bin/rpm as root, for example, so they can install packages, without giving them access to any thing else as root. You can also define rights by group and by machine, in addition to by user. Users use their own password to perform the function, so there are no extra passwords to distribute and remember. As an added bonus, sudo logs to syslog not only that user jsmith used sudo, but the entire command line -- very useful for auditing (where su logs only that the user became root).
Technical info: sudo is developed and maintained by Courtesan Consulting [courtesan.com]; the homepage is at http://www.courtesan.com/sudo/ [courtesan.com]; it is distributed under a BSD-style license [courtesan.com]; it is at version 1.6.3 [courtesan.com]. It compiles easily on (at least) Linux and Solaris (using gcc and Sun's native crap-piler, er, compiler), and lets you optionally define error message (there are some included and adding your own is simple). Here's [courtesan.com] a nutshell intrioduction.
I highly recommend it. We use it all the time. It takes a little bit of planning, as well as trial and error, to setup correctly, but once it is set up, it is a huge time saver.
In your situation, you would have to set up the complete config file (called sudoers) on an shared filesystem, make sure sudo is in everyone's path, and then change the root passwords on everyone's machine. You'll get a lot of complaints at first, naturally, and then you'll get a lot of requests like "Why can't I run foobarbaz.pl anymore?", which you would either have to add to the sudoers file or beat down the request.
darren
Cthulhu for President! [cthulhu.org]