NFS on HP9000/840, is single user access possible?

Bruce Rossiter arossite at .com
Thu Dec 28 05:01:15 AEST 1989


plb at cbnewsi.ATT.COM (peter.l.berghold) writes:
>frank at hpuxa.ircc.ohio-state.edu (Frank G. Fiamingo):
	[ stuff deleted ]
>> I'm at a loss, though, as to how to accomplish the second objective: 
>> preventing unwanted access and maintaining security for other files
>> that might have to be exported along with his own.  e.g. if he has root
>> privileges on his own workstation he could easily set-up UIDs to gain
>> read/write access to files that might be denied him otherwise.  Also,
>
>Not quite true.  A root ID on one system under NFS has a UID of -1 when
> going to a foreign system.  So, if you are required to have ROOT access
> to access files on the remote system, even though you may be root on the
> local system you will be denied access on the remote system.  I checked
> with my SUN counterpart here, and he tells me that this is consistent
> with what I have observed with the HP's.  I currently have several SUN
> workstations that access my HP9000/855 disks and have the owner's root
> logins on the HP's exported to the SUNs.  There have never been any
> security problems that I know of as a result.

	While what you say is true, a user with 'root' access on his
workstation can easily gain access to NFS files as *anyone* except 'root'.
He merely adds an entry in the password file for 'joeuser' and 'su's to 
that user.  Now the remote system will let him do anything that 'joeuser'
could do to files on the NFS mounted filesystem. (*)  This is the problem I
think Frank was talking about.  Standard NFS has no way (that I know of)
to avoid this.  SUN has "Secure NFS", but I've never used it, so I don't
know what problems it solves.  I don't know about HP...

						-Bruce Rossiter
arossite at oracle.oracle.com			 UNIX Systems Admin.
uunet!oracle!arossite				 Oracle Corporation

(*)  It's even easier in a workstation environment running 'yp', where
everyone has access to any workstation.  You just 'su' to root, then 'su'
to a user.  
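Added example (editor's illustration, not part of the original post or of any
HP or Sun code): both posters are describing the NFS AUTH_UNIX credential
(later called AUTH_SYS, RFC 5531 appendix A). The client fills in the uid and
gid fields itself and the server simply believes them; "root squashing" only
remaps uid 0, so a client root who su's to another uid is indistinguishable
from that user. The script below serialises and parses that credential and
models the server-side mapping. The 'nobody' value 65534 and the uid 1234 for
'joeuser' are assumptions chosen for the example.

```python
"""Model of the NFS AUTH_UNIX credential and of server-side uid squashing.

Added example, not code from the original post.  The nobody uid/gid (65534)
and the sample uids are assumptions for illustration.
"""
import struct

NOBODY_UID = 65534  # assumed 'nobody'; the post calls this mapping "UID -1"
NOBODY_GID = 65534


def xdr_uint32(n):
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", n & 0xFFFFFFFF)


def xdr_string(s):
    """XDR string: length word, bytes, zero padding to a 4-byte boundary."""
    b = s.encode()
    return xdr_uint32(len(b)) + b + b"\x00" * ((-len(b)) % 4)


def build_auth_unix(stamp, machinename, uid, gid, gids):
    """Serialise an AUTH_UNIX credential body.

    Every field is supplied by the client.  Nothing is signed or checked
    against the server's own password file, which is the weakness the
    thread is about.
    """
    body = xdr_uint32(stamp) + xdr_string(machinename)
    body += xdr_uint32(uid) + xdr_uint32(gid)
    body += xdr_uint32(len(gids)) + b"".join(xdr_uint32(g) for g in gids)
    return body


def parse_auth_unix(body):
    """Decode an AUTH_UNIX credential body back into its fields."""
    off = 0

    def u32():
        nonlocal off
        (v,) = struct.unpack_from(">I", body, off)
        off += 4
        return v

    stamp = u32()
    n = u32()
    name = body[off:off + n].decode()
    off += n + ((-n) % 4)
    uid = u32()
    gid = u32()
    gids = [u32() for _ in range(u32())]
    return {"stamp": stamp, "machinename": name, "uid": uid, "gid": gid,
            "gids": gids}


def effective_identity(cred, root_squash=True, all_squash=False):
    """Server side: the uid/gid a request is treated as.

    root_squash maps only uid 0 to nobody (the behaviour Peter describes).
    all_squash maps every client to nobody, which defeats Bruce's su trick
    but also removes all per-user access, so it is rarely acceptable.
    """
    if all_squash or (root_squash and cred["uid"] == 0):
        return NOBODY_UID, NOBODY_GID
    return cred["uid"], cred["gid"]


def impersonation_demo():
    """Client root first asks as uid 0, then after 'su joeuser' as uid 1234."""
    as_root = parse_auth_unix(build_auth_unix(1, "wkstn", 0, 0, [0]))
    as_joe = parse_auth_unix(build_auth_unix(2, "wkstn", 1234, 100, [100]))
    return effective_identity(as_root), effective_identity(as_joe)


if __name__ == "__main__":
    root_view, joe_view = impersonation_demo()
    print("client root   -> server treats as uid/gid", root_view)
    print("after su joe  -> server treats as uid/gid", joe_view)
```

The second line of output is the whole problem: the server has no way to
tell a genuine joeuser from a client root who created that entry locally.
Root squashing closes only the uid-0 case; stopping the impersonation needs
an authentication flavour that the client cannot forge, which is what Sun's
"Secure NFS" (AUTH_DES) was meant to provide.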


