
We are using NIS for user logins on Unix accounts. We have test machines where users install the OS themselves and get root access. Using su from the root account to NIS user accounts without passwords, they are able to enter other NIS accounts easily. Is there any way we can restrict this option? I don't want to allow any root user to log in to other users' NIS accounts.

techraf
sagar
  • This is a social problem rather than a technical problem (and there's no real way to solve it without disabling NIS entirely on those test machines). Issue a warning that this behaviour is unacceptable and terminate the accounts of anyone caught doing it. If this is within a company rather than a university, get HR to declare it a sackable offence. If in a university or school, expel or suspend the student (at least from that particular course). At most, you'll only have to do this once or twice before word gets around. – cas Mar 24 '16 at 05:05
  • Hi cas, will LDAP fix this problem if I migrate? – sagar Mar 24 '16 at 05:37
  • How could it? Your users have root on the local (test) system and can do whatever they like. There is no way for the remote auth server to distinguish between a legitimate login from a user and a root user `su`-ing to a userid they shouldn't. – cas Mar 24 '16 at 05:40
  • The description is not clear on whether local root users have access to NIS user account data or simply su to NIS users on _their_ workstation because of centralized account management. There is a subtle difference between the two. -- One way of limiting the root account is using Kerberos-aware services; that way users will need to enter their password in order to get a ticket, so for example root cannot read the NFS-shared user home directory without a ticket. Anyway, you need to define the problem in more detail (what exactly needs protection, from whom, etc.). – nkms Mar 24 '16 at 06:28
  • Hi nkms, we have NIS set up for Unix user accounts. We use NFS to mount or automount user home directories. We have provided test workstations to Unix users. They reinstall a different Unix distro every day. The problem is that the user has to configure NIS client services on the test workstation. Users have local root access on their test workstation (we cannot avoid this). Any user can switch to any NIS account if they know the NIS username, by just giving su - username. I want to prevent local root users from accessing NIS users' home directories. So this is what I require. – sagar Mar 24 '16 at 08:11
  • Can you set up a separate NIS domain and NFS server for the test systems? Can you deny NFS service to the test systems and require the use of samba/cifs instead? – Mark Plotnick Mar 24 '16 at 09:15
  • OK, let me try this. – sagar Mar 24 '16 at 09:19
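The comments above point at the server-side gap that no client setting can close: an NFS export that trusts the client's uid (AUTH_SYS, the default `sec=sys`) hands a home directory to whoever local root decides to `su` into, whereas a Kerberos flavour (`sec=krb5`, `krb5i` or `krb5p`) requires a ticket that local root cannot mint for another user. The following audit script is an added example, not code from the thread or from any NFS project: it scans an exports file and reports every client spec that still allows AUTH_SYS. The export paths, the 192.0.2.0/24 client range and the sample file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: find NFS exports that rely on AUTH_SYS (client-asserted uid)
# instead of a Kerberos security flavour. An export is reported when it has
# no sec= option at all (default is sys) or when "sys" / "none" appears in
# its sec= list (a fallback that a client can choose instead of Kerberos).

# Write a constructed /etc/exports sample (not from the thread) to "$1".
make_sample_exports() {
  cat > "$1" <<'EOF'
# home directories for the test workstations (constructed sample)
/export/home   192.0.2.0/24(rw,sync,root_squash)
/export/home   192.0.2.0/24(rw,sync,sec=krb5p)
/export/tools  192.0.2.0/24(ro,sec=sys)
/export/data   *(rw,sec=krb5i:krb5p,root_squash)
EOF
}

# Print "<path> <clientspec>" for each export that admits AUTH_SYS.
# Exit status 0 when every export requires Kerberos, 1 otherwise.
find_sys_exports() {
  awk '
    /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {            # one client spec per field
        spec = $i
        opts = ""
        if (match(spec, /\(.*\)/))
          opts = substr(spec, RSTART + 1, RLENGTH - 2)
        n = split(opts, o, ",")
        secfound = 0; weak = 0
        for (j = 1; j <= n; j++) {
          if (o[j] ~ /^sec=/) {
            secfound = 1
            m = split(substr(o[j], 5), f, ":")   # sec=krb5i:krb5p -> list
            for (k = 1; k <= m; k++)
              if (f[k] == "sys" || f[k] == "none") weak = 1
          }
        }
        if (!secfound || weak) { print path, spec; bad++ }
      }
    }
    END { exit (bad > 0) }
  ' "$1"
}

# Demo run on the constructed sample. On a real server you would point
# find_sys_exports at /etc/exports; clients then mount with a matching
# flavour, e.g.  mount -t nfs4 -o sec=krb5p nfsserver:/export/home /home
sample=$(mktemp)
make_sample_exports "$sample"
find_sys_exports "$sample" ||
  echo "the exports above accept AUTH_SYS: root on any client can read them as any uid"
rm -f "$sample"
```

Moving to Kerberos flavours also needs a KDC, host principals for the NFS server and clients, and user tickets at login, which is the "Kerberos aware services" path nkms describes; the script only tells you which exports still depend on the client's word about who the user is.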

1 Answer


Yes, there is a way to restrict this behaviour. This behaviour of su is governed by PAM (Pluggable Authentication Modules):

You must edit /etc/pam.d/su

comment out the line:

auth       sufficient pam_rootok.so

like this:

#auth       sufficient pam_rootok.so

after that, su from root will ask for the user's password.

Plinn
  • Thanks Plinn, but it has to be modified on the client end. I want control from the NIS server end itself, since users have root access to client machines and can edit this entry. – sagar Jun 08 '16 at 16:02
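To make the answer's /etc/pam.d/su change checkable rather than a one-off hand edit, here is an added example (not Plinn's code and not from any PAM project) with two small shell functions: one reports whether an active `auth sufficient pam_rootok.so` line is present, the other comments it out exactly as the answer shows. The sample su stack it operates on is constructed in the style of a Debian-like system and is not taken from the thread. As sagar's comment notes, a user with local root can simply undo this, so treat the check as a way to confirm a workstation's state after its daily reinstall, not as a control that holds against that root user.

```shell
#!/bin/sh
# Added example: detect and disable the pam_rootok.so shortcut in an su PAM
# stack. With pam_rootok.so marked "sufficient", uid 0 satisfies the auth
# phase immediately and su never asks for the target user's password.

# Write a constructed /etc/pam.d/su sample (not from the thread) to "$1".
make_sample_pam_su() {
  cat > "$1" <<'EOF'
# constructed sample su stack in the style of a Debian-like system
auth       sufficient pam_rootok.so
session    required   pam_env.so readenv=1
@include common-auth
@include common-account
@include common-session
EOF
}

# Exit 0 if an uncommented "auth sufficient pam_rootok.so" line is active in
# the file "$1", 1 otherwise. Leading whitespace and extra spacing are allowed.
pam_rootok_enabled() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so' "$1"
}

# Comment out every active pam_rootok.so line in "$1", keeping the original
# spacing so the result reads "#auth       sufficient pam_rootok.so".
# Written via a temp file so the edit is atomic and portable across sed variants.
disable_pam_rootok() {
  sed -E 's/^([[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so)/#\1/' "$1" \
    > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on the constructed sample; on a real host the file would be /etc/pam.d/su.
demo=$(mktemp)
make_sample_pam_su "$demo"
if pam_rootok_enabled "$demo"; then
  echo "pam_rootok.so is active: root can su to any account without a password"
  disable_pam_rootok "$demo"
fi
if pam_rootok_enabled "$demo"; then
  echo "pam_rootok.so is still active"
else
  echo "pam_rootok.so disabled: su from root now prompts for the target user's password"
fi
rm -f "$demo"
```

With the shortcut removed, the remaining `auth` entries (here the included common-auth stack, typically pam_unix.so with NIS lookups behind it) decide the outcome, which is what produces the password prompt the answer describes.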