tran@versatc.UUCP (Tony Tran) (11/15/88)
We ran into a big security problem on our SUN local network when a user who has access to root (on the local workstation) decides to "su" to any valid username on the YP server, and therefore access any file he wants. Since I cannot keep track of all local root users in the SUN NFS environment, how can I get around this serious problem? Any hint/advice would be greatly appreciated.

Tony Tran
--
UUCP: {sun|ames|pyramid|vsi1|mips}!versatc!tran
Tony Tran, Versatec, 2805 Bowers Avenue, Santa Clara, Calif 95051, (408) 982-4317
gwyn@smoke.BRL.MIL (Doug Gwyn ) (11/16/88)
In article <3228@versatc.UUCP> tran@versatc.UUCP (Tony Tran) writes:
> Since I cannot keep track of all local root users in the SUN NFS
> environment, how can I get around this serious problem ?

Our solution was: Don't use the Yellow Pages. Actually there are other security problems with random superusers on Suns on a local net.
ray3rd@ssc-vax.UUCP (Ray E Saddler III) (11/17/88)
In article <3228@versatc.UUCP>, tran@versatc.UUCP (Tony Tran) writes:
> We run into a big security problem on our SUN local network when a user
> who has access to root (on the local workstation) decides to "su" to
> any valid username on the YP server, and therefore access any file
> he wants.
> Since I cannot keep track of all local root users in the SUN NFS
> environment, how can I get around this serious problem ?
> Any hint/advice would be greatly appreciated.

Tighten up your allowance of root access. This is a big religious/political issue in many, many newsgroups, and the bottom line is to simply enforce limits. I have a network of over 60 engineering workstations (Unix based), which includes a few Suns, and provide the user community with a support staff of 5 bodies whose primary task is to keep the network in good shape. The only other option is to define laws and hope for compliance from your many root users.
--
Ray E. Saddler III
Boeing Aerospace
P.O. Box 3999 m.s. 3R-05
Seattle, Wa. 98124 USA
Path: ..!ssc-vax!ray3rd
From: ray3rd@ssc-vax.UUCP
VoiceNet: (206) 657-2824
tran@versatc.UUCP (Tony Tran) (11/18/88)
In article <2374@ssc-vax.UUCP>, ray3rd@ssc-vax.UUCP (Ray E Saddler III) writes:
> In article <3228@versatc.UUCP>, tran@versatc.UUCP (Tony Tran) writes:
> > We run into a big security problem on our SUN local network when a user
> > who has access to root (on the local workstation) decides to "su" to
> > any valid username on the YP server, and therefore access any file
> > he wants.
> > Since I cannot keep track of all local root users in the SUN NFS
> > environment, how can I get around this serious problem ?
> > Any hint/advice would be greatly appreciated.
>
> Tighten up your allowance to root access.

I tried to tighten up the security by removing the "+" sign in /etc/hosts.equiv, and bingo, it seemed to fix the above leak. A local root user can "su" to anybody, but as soon as he rlogins to another SUN, it will prompt him for the password. HOWEVER, we can no longer rsh from our station to the YP server, which happens to have the only networked laser printer. Needless to say, we can no longer print remotely to our only network laser printer. Any idea how to fix the network printer problem?

Tony Tran

PS. BTW, I heard that secure NFS on SUN OS 4.0.1 will fix this problem, but I am not sure.
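An added check for the hosts.equiv wildcard this thread turns on (example code written for this page, not from any of the posters): it parses hosts.equiv/.rhosts entries, flags the "+" host and user wildcards and netgroup trusts, and strips the "+" host entry the way the last post describes. The file contents in the block are constructed samples, not real configuration.

```python
# Added example (not from the thread): audit hosts.equiv / .rhosts for the
# wildcard '+' entry the thread identifies as the hole, and strip it.
# Sample file contents are constructed for illustration.

def parse_entry(line):
    """Split one entry into (host, user); None for blank/comment lines.

    Format is 'host [user]'. Either field may be '+' (any), '+@netgroup',
    '-@netgroup', or '-host' to deny a host explicitly.
    """
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    fields = stripped.split()
    return fields[0], (fields[1] if len(fields) > 1 else None)

def audit(text, source="/etc/hosts.equiv"):
    """Return (line_no, severity, message) for each risky entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        host, user = entry
        if host == "+":
            findings.append((n, "HIGH", f"{source}:{n}: '+' trusts every host; "
                             "root on any workstation can su and rlogin in"))
        elif host.startswith("+@"):
            findings.append((n, "MEDIUM", f"{source}:{n}: trusts netgroup "
                             f"{host[2:]}; review its members"))
        if user == "+":
            findings.append((n, "HIGH", f"{source}:{n}: '+' user field trusts "
                             f"every account on {host}"))
    return findings

def tighten(text):
    """Return text with every '+'-host entry dropped, as the thread did."""
    kept = [line for line in text.splitlines()
            if not ((e := parse_entry(line)) and e[0] == "+")]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")

# Constructed: the open file with the wildcard, and an explicit host list.
OPEN_EQUIV = "# trust everyone (the setting the thread removed)\n+\n"
TIGHT_EQUIV = "ypserver\nws01\n-ws99\n"

if __name__ == "__main__":
    for finding in audit(OPEN_EQUIV):
        print(*finding)
    print(tighten(OPEN_EQUIV), end="")
```

Run the same audit over each user's ~/.rhosts (pass the path as source), since a "+" there reopens the hole for that account even after hosts.equiv is tightened.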