[Gllug] NFS NIS

Ian Norton bredroll at atari.org
Fri Sep 28 09:29:58 UTC 2001


Hi folks,

For about 8 months now I have had my little network here running. There
have been a few annoyance issues with some services, but mostly it did
what I want.

The current setup is as follows:

I have a P133 with Linux 2.4.0 running NIS. It also has 2 net cards
(provision for uni, one is for my uni ethernet socket and the other to go to
my hub, running pretty tight iptables rules, a bit of port forwarding, SNAT
etc., yadda yadda).

I have exported /home with NFS (shudder). At home this is not a problem,
but for uni I would kind of like to be a hell of a lot more
secure (attending a university where one day I sat down and watched
someone do some creative network hacking and get himself mounted to the
staff NFS shares).

I would like my three workstations to be able to SECURELY mount the home
directory on the server as their own /home or maybe /mnt/homes (thinking
about it, I use very different X setups on all the boxes).

One issue I have had with NFS and NIS is this:

I could walk in, plug in my laptop and elect for it to use ypbind; it
binds to my NIS domain and finishes booting.

I then su, mount the /home on the laptop (currently exports are for
specific hosts only, but IP spoofing is fairly simple),

then su to a user given by NIS, and bang, I can read/write the NFS share!
(The person doing this could be anyone with root on their own laptop.)

Ideas about restricting what can bind to NIS would be appreciated (or
could I simply restrict timed?/portmap).

Please tell me if I have missed the point of my message entirely :-)

bredroll


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug



