[olug] NIS / NFS permissions

Mr Scsi mrscsi at gmail.com
Fri Jan 20 14:50:59 UTC 2006


All of what you say is true and even written policy.
However, we are in the midst of a culture change from the 'good ole days'
when bad habits became normal s.o.p.
Change is slow and difficult to enact in cases like that. Unfortunately the
government doesn't care about our culture when we get security audits.

>So they are going in and changing the permissions on *other* people's
>directories?
No they are changing their own permissions. But anyone that is logged into
the same server at the same time then has read perms.
I was hoping for an NFS hack or trick that could keep the permissions set
without denying write to the owner.

The chattr -i locks the entire directory and makes it read only :)

I suppose that I'll just have to implement a cron job to reset perms and
document a 'technical impossibility' to prevent changes in a normal work
environment.



On 1/19/06, Christopher Cashell <topher at zyp.org> wrote:
>
> At Thu, 19 Jan 06, Unidentified Flying Banana Mr Scsi, said:
> > We are also implementing common home directories on a linux instance on
> > 390.
> > My problem is that some of our people work on *sensitive* material and
> > store it in their home directories.
> > I have restricted access to the nfs server, and set all home directories
> > to 700, but I have some *un-cooperative* admins who keep doing:
> >
> > cd /home
> > chmod 775 <MyHomeDir>
>
> So they are going in and changing the permissions on *other* people's
> directories?
>
> Enforcing technical restrictions becomes very difficult when you're
> dealing with people who have root/administrative access.  People with
> that kind of access should be accountable to corporate policies and
> regulations, as opposed to technical measures.
>
> I would suggest that anyone who is changing permissions on home
> directories for other people, unless it is done directly at the request
> of the person who owns the data, is a very fairly problem.  If there
> is an explicit policy in place requiring that they not make changes like
> that, and they're still being "un-cooperative" and doing it anyway, then
> you have a *very* serious problem.
>
> At most of the places I've worked, activities like the above would be
> considered abuse of access, and will get your root/administrative access
> revoked.  Repeated abuses like that would be grounds for termination.
>
> > Andy Marcus
>
> --
> | Christopher
> +------------------------------------------------+
> | Here I stand.  I can do no other.              |
> +------------------------------------------------+
>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> http://lists.olug.org/mailman/listinfo/olug
>
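The cron-driven reset the reply above settles on, written out as an added example (this is not code from the thread or from either poster). It walks the directories directly under a base such as /home, resets any that are not mode 0700 back to 0700, and writes one log line per correction to stderr so the audit has a record of how often the policy had to be re-enforced. Mode 0700 keeps the owner's read/write/execute and drops group and other, which is exactly the "keep others out without denying write to the owner" property asked for. The function name `enforce_home_perms`, the variable `WANT_MODE` and the cron line in the comment are assumptions for this example; it also assumes GNU `stat` (Linux).

```shell
#!/bin/sh
# Added example, not from the original thread.
# Audit the directories directly under a base directory and reset any whose
# mode is not WANT_MODE, logging each correction to stderr.
# Suggested cron entry (assumed path):
#   */15 * * * * /usr/local/sbin/home-perms.sh /home 2>>/var/log/home-perms.log
# Assumes GNU stat (Linux); %a prints the octal mode, %U the owner name.

WANT_MODE=700   # owner rwx, nothing for group or other

# enforce_home_perms BASE
#   For each directory directly under BASE, compare its octal mode with
#   WANT_MODE. If it differs, log a line (timestamp, path, old mode, owner)
#   to stderr and chmod it back. Prints the number of directories corrected
#   to stdout so callers can check it.
enforce_home_perms() {
    base=$1
    fixed=0
    for dir in "$base"/*/; do
        dir=${dir%/}                    # strip the trailing slash from the glob
        [ -d "$dir" ] || continue       # skip the literal pattern when BASE is empty
        mode=$(stat -c '%a' "$dir")
        if [ "$mode" != "$WANT_MODE" ]; then
            owner=$(stat -c '%U' "$dir")
            printf '%s %s was mode %s (owner %s); resetting to %s\n' \
                "$(date '+%Y-%m-%dT%H:%M:%S')" "$dir" "$mode" "$owner" "$WANT_MODE" >&2
            chmod "$WANT_MODE" "$dir"
            fixed=$((fixed + 1))
        fi
    done
    echo "$fixed"
}

# Only run against a directory when one is given on the command line, so the
# functions can also be sourced and tested without touching the real /home.
if [ $# -gt 0 ]; then
    enforce_home_perms "$1"
fi
```

The count on stdout and the per-directory lines on stderr are the useful part for the audit: a log that keeps showing the same directories being widened and reset is the evidence that the control is being worked around by people with root, which is the accountability problem the reply identifies and which a cron job on its own cannot solve.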
