[olug] NIS / NFS permissions

Brian Roberson roberson at olug.org
Thu Jan 19 23:45:21 UTC 2006


If the filesystem is ext2/3, you can make the home directories immutable
using the chattr command.

example:

chmod 700 /home/someuser
chattr +i /home/someuser


.... however .... you will run into the same problem once your admins
discover the chattr command.


I would suggest a two-phased approach: with the immutable property set, as
well as checking/fixing on a timed basis.





> Thanks for the input. I already brought up the idea of fixing the
> permissions and maintaining them with something like this.
> However, I have been given the edict to prevent the change.
>
>
>
> On 1/19/06, Brian Roberson <roberson at olug.org> wrote:
>>
>> quick script:
>>
>>
>> #!/bin/bash
>>
>> # Private temp file instead of a fixed /tmp/out, which another local user
>> # could pre-create or point elsewhere with a symlink
>> out=$(mktemp) || exit 1
>>
>> # Top-level home dirs with any group/other bit set: list them and reset to 700
>> # (-maxdepth goes before the tests; -perm /077 is the current spelling of +077)
>> cd /home && find . -maxdepth 1 -type d -perm /077 -name "*[a-z0-9]*" \
>>     -print -exec chmod 700 {} \; > "$out" 2>&1
>> if [ -s "$out" ] ; then
>>         mail -s "home directory changes..." you@yourdomain.com < "$out"
>> fi
>> rm -f "$out"
>>
>>
>> schedule it via cron to run however frequently you like....
>>
>>
>>
>>
>> > Hopefully someone has a quick answer to this one, as it has become a
>> > stumper to me.
>> >
>> > A bit of background:
>> >
>> > We are in the process of moving all our *nix boxes to NIS as a stop-gap
>> > measure until our AIX systems can handle that new-fangled LDAP thing.
>> >
>> > We are also implementing common home directories on a Linux instance on
>> > 390. My problem is that some of our people work on *sensitive* material
>> > and store it in their home directories.
>> > I have restricted access to the NFS server, and set all home directories
>> > to 700, but I have some *un-cooperative* admins who keep doing:
>> >
>> > cd /home
>> > chmod 775 <MyHomeDir>
>> >
>> > On the server we are exporting /home with (rw,root_squash,sync), and this
>> > previous action leaves that user's home dir readable by anyone. This is
>> > unacceptable.
>> >
>> > Can anyone give me a quick idea on how to prevent the chmod? I can't just
>> > take away chmod, as it's needed for legitimate purposes. SELinux is out
>> > (no one wants to open that can of worms yet).....
>> >
>> >
>> >
>> >
>> > Andy
>> > Marcus.<https://www.redhat.com/training/certification/verify/index.html?rhce_cert_display:certno=807302339005657>
>>
>> > _______________________________________________
>> > OLUG mailing list
>> > OLUG at olug.org
>> > http://lists.olug.org/mailman/listinfo/olug
>> >
>>
>>
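An added example, not code from the thread or from either poster, that puts both phases of the suggested approach into one script: lock_home does the one-time chmod 700 plus chattr +i on a home directory, and audit_homes is the cron-driven check/fix, which also reports directories whose immutable flag has gone missing. Two caveats a practitioner would want before using it: chattr and lsattr act on the ext filesystem on the NFS server itself and do not work over an NFS mount, and once a directory carries the 'i' flag nobody, owner included, can create or remove entries directly in it (existing files inside stay writable), so try it on one account first. HOME_ROOT, REPORT_TO, the 'run' argument and the user names mentioned in comments are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): the two-phase approach in one script.
# Phase 1, lock_home, is run once by root on the NFS server: chmod 700 plus
# chattr +i.  Phase 2, audit_homes, is run from cron and repairs drift.
# HOME_ROOT and REPORT_TO are assumed values for illustration.

set -u

HOME_ROOT="${HOME_ROOT:-/home}"
REPORT_TO="${REPORT_TO:-root}"

# lock_home DIR : set 0700 and the immutable flag (needs root, ext2/3/4,
# and must run on the server, not over NFS).  Caveat: with 'i' set on the
# directory its owner can no longer create or remove entries directly in it.
lock_home() {
    chmod 0700 "$1" && chattr +i "$1"
}

# audit_homes ROOT : for every top-level directory under ROOT (e.g. /home/alice),
# reset any group/other permission bits back to 0700 and report a missing
# immutable flag.  Prints "fixed <dir>" / "no-immutable <dir>" lines and
# nothing at all when everything is in order.
audit_homes() {
    local root="$1" d mode flags
    for d in "$root"/*/; do
        d="${d%/}"
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d") || continue   # GNU stat: octal mode, e.g. 775
        case "$mode" in
            0|*00) ;;                            # group and other digits both zero
            *)     chmod 0700 "$d" && echo "fixed $d" ;;
        esac
        # lsattr only works on ext filesystems; its stdout is empty on failure,
        # so the immutable check is simply skipped elsewhere (tmpfs, NFS, ...)
        if flags=$(lsattr -d "$d" 2>/dev/null) && [ -n "$flags" ]; then
            case "${flags%% *}" in
                *i*) ;;
                *)   echo "no-immutable $d" ;;
            esac
        fi
    done
}

# Cron entry point: write the report to a private temp file (not a fixed
# /tmp name another user could pre-create) and mail it only when something
# was found.
main() {
    local report
    report=$(mktemp) || exit 1
    audit_homes "$HOME_ROOT" > "$report" 2>&1
    if [ -s "$report" ]; then
        mail -s "home directory changes on $(hostname)" "$REPORT_TO" < "$report"
    fi
    rm -f "$report"
}

# Invoke as "homeperms run" from cron, e.g. every 10 minutes:
#   */10 * * * * root HOME_ROOT=/home REPORT_TO=you@yourdomain.com /usr/local/sbin/homeperms run
case "${1-}" in
    run) main ;;
esac
```

Running audit_homes a second time produces no output, which is what makes the "mail only when the report is non-empty" rule useful: a quiet cron job means nobody has touched the modes since the last run.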




