[olug] NIS / NFS permissions

Brian Roberson roberson at olug.org
Thu Jan 19 23:56:24 UTC 2006


responding to myself - now isn't that scary :)
....


  You could also rename/move/remove the chattr binary from your "secure"
nfs server





> If the filesystem is ext2/3 - you can make the home directories immutable
> using the chattr command
>
> example:
>
> chmod 700 /home/someuser
> chattr +i /home/someuser
>
>
> .... however .... you will run into the same problem once your admins
> discover the chattr command.
>
>
> I would suggest a 2-phased approach - with the immutable property set, as
> well as checking / fixing on a timed basis.
>
>
>
>
>
>> Thanks for the input. I already brought up the idea of fixing the
>> permissions and maintaining them with something like this.
>> However, I have been given the edict to prevent the change.
>>
>>
>>
>> On 1/19/06, Brian Roberson <roberson at olug.org> wrote:
>>>
>>> quick script:
>>>
>>>
>>> #!/bin/bash
>>>
>>> # -maxdepth goes before the tests (GNU find warns otherwise); -perm /077 is
>>> # the current GNU spelling of the old -perm +077 (any group/other bit set).
>>> cd /home && find . -maxdepth 1 -type d -perm /077 -name "*[a-z0-9]*" \
>>>     -print -exec chmod 700 {} \; > /tmp/out 2>&1
>>> if [ -s /tmp/out ] ; then
>>>         mail -s "home directory changes..." you@yourdomain.com < /tmp/out
>>>         rm -f /tmp/out
>>> fi
>>>
>>>
>>> schedule it via cron to run however frequently you like....
>>>
>>>
>>>
>>>
>>> > Hopefully someone has a quick answer to this one, as it has become a
>>> > stumper to me.
>>> >
>>> > A bit of background:
>>> >
>>> > We are in the process of moving all our *nix boxes to nis as a stop gap
>>> > measure until our aix systems can handle that new fangled ldap thing.
>>> >
>>> > We are also implementing common home directories on a linux instance on
>>> > 390.
>>> > My problem is that some of our people work on *sensitive* material and
>>> > store it in their home directories.
>>> > I have restricted access to the nfs server, and set all home directories
>>> > to 700, but I have some *un-cooperative* admins who keep doing:
>>> >
>>> > cd /home
>>> > chmod 775 <MyHomeDir>
>>> >
>>> > On the server we are exporting /home with (rw,root_squash,sync), and this
>>> > previous action leaves that user's home dir readable by anyone. This is
>>> > unacceptable.
>>> >
>>> > Can anyone give me a quick idea on how to prevent the chmod? I can't just
>>> > take away chmod, as it's needed for legitimate purposes. SELinux is out
>>> > (no one wants to open that can of worms yet).....
>>> >
>>> >
>>> >
>>> >
>>> > Andy
>>> > Marcus. <https://www.redhat.com/training/certification/verify/index.html?rhce_cert_display:certno=807302339005657>
>>>
>>> > _______________________________________________
>>> > OLUG mailing list
>>> > OLUG at olug.org
>>> > http://lists.olug.org/mailman/listinfo/olug
>>> >
>>>
>
>
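A worked version of the two-phase approach discussed in the thread (lock the directory with 0700 plus the immutable bit, then sweep on a timer and report anything that drifted back). This is an added example, not code from the thread or its posters. It assumes GNU find and stat (Linux), that the sweep runs as a user allowed to chmod the directories, that chattr only succeeds as root on an ext2/3/4 filesystem, and uses HOME_AUDIT_ROOT as an assumed environment variable for cron use.

```shell
#!/bin/bash
# Two-phase enforcement for NFS-exported home directories:
#  1) lock_home_dir: set 0700 and (root on ext2/3/4 only) the immutable bit,
#  2) audit_home_perms: cron-friendly sweep that finds directories whose
#     group/other bits came back, resets them to 0700 and reports each fix.
# Assumes GNU find/stat (Linux).

# Reset the mode and, when possible, make the directory immutable so that a
# plain `chmod 775` by another admin fails until someone runs `chattr -i`.
lock_home_dir() {
    local dir="$1"
    chmod 700 "$dir" || return 1
    # chattr +i needs root and an ext2/3/4 filesystem; skip quietly otherwise.
    if [ "$(id -u)" -eq 0 ] && command -v chattr >/dev/null 2>&1; then
        chattr +i "$dir" 2>/dev/null || echo "warning: could not set +i on $dir" >&2
    fi
}

# Scan the top-level directories under $1 (default /home). Any directory with
# a group or other permission bit set is reset to 0700 and printed as
# "<path> <old-mode>", so the caller can mail the output when it is non-empty.
audit_home_perms() {
    local root="${1:-/home}"
    local dir old_mode
    # -perm /077 is the current GNU spelling of the old '-perm +077' (any of
    # the g/o bits set). -mindepth/-maxdepth must come before the tests or
    # GNU find warns; -mindepth 1 skips the root directory itself.
    find "$root" -mindepth 1 -maxdepth 1 -type d -perm /077 -print0 |
    while IFS= read -r -d '' dir; do
        old_mode=$(stat -c '%a' "$dir")
        if chmod 700 "$dir"; then
            printf '%s %s\n' "$dir" "$old_mode"
        else
            # chmod fails (EPERM) on a directory that is already immutable.
            printf '%s %s (chmod failed, immutable?)\n' "$dir" "$old_mode" >&2
        fi
    done
}

# Cron usage (HOME_AUDIT_ROOT is an assumed variable name):
#   out=$(HOME_AUDIT_ROOT=/home ./home-audit.sh)
#   [ -n "$out" ] && echo "$out" | mail -s "home directory changes..." you@yourdomain.com
if [ -n "${HOME_AUDIT_ROOT:-}" ]; then
    audit_home_perms "$HOME_AUDIT_ROOT"
fi
```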