Title: problem with NIS

You shouldn't generally need root access except for new s/w installations or serious system reconfiguration.

If you have a user for the db software who owns all the config files involved, and the directories in which the db lives, then that user (not root) should have all the access it needs. We do it here for Oracle and for MySQL, and it works fine. Worst case, use sudo for the commands that they need beyond this.

Giving them root access in an NFS environment will _always_ be a problem. NFS implies trusted machines, which implies trusted admins.

One other possibility, if only the one user needs to use the machine that you don't control root on, would be to add a line to /etc/exports for each machine, with options of all_squash, anonuid=xxx, anongid=yyy with xxx and yyy being the user and group IDs to assume for ALL connections from that machine.

Hope that helps.

Jim

-----Original Message-----
From: Avrahami David [mailto:[EMAIL PROTECTED]]
Sent: 29 July 2002 16:57
To: '[EMAIL PROTECTED]'
Subject: RE: problem with NIS

Right, but some of them need root access for some reasons, such as local database installation.

-----Original Message-----
From: Jim Bowen [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 29, 2002 17:27
To: '[EMAIL PROTECTED]'
Subject: RE: problem with NIS

Easy, don't allow them root access.

 

-----Original Message-----
From: Avrahami David [mailto:[EMAIL PROTECTED]]
Sent: 29 July 2002 15:24
To: 'redhat-list'
Subject: problem with NIS

 

Hi,
The problem is that when the user logs in as root on his machine, he gets access to any other NIS user's home directory he wants by "su - <anynisusername>" without typing any password.

I know that it's a big hole in security caused by NIS but I don't know how to fix it.
Any idea?
TIA

David Avrahami
Email: [EMAIL PROTECTED]
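
An added example, not part of the original thread: a small Python audit of /etc/exports that flags exports to machines whose root account you do not control and that lack the all_squash mapping suggested in the reply at the top of this thread. The sample file, the host names and the ID 501 are constructed placeholders, and clients are matched by exact name only (no wildcards or netgroups).

```python
import re

# Constructed sample /etc/exports; host names and IDs are placeholders.
SAMPLE_EXPORTS = """\
# home directories shared to NIS clients
/home  trusted1.example.com(rw,sync,root_squash) \\
       devbox.example.com(rw,sync,root_squash)
/srv/db devbox.example.com(rw,sync,all_squash,anonuid=501,anongid=501)
"""

CLIENT_RE = re.compile(r"^([^()\s]+)(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) for every client of every export."""
    text = re.sub(r"\\\n", " ", text)            # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                continue
            opts = {}
            for opt in filter(None, (m.group(2) or "").split(",")):
                key, _, val = opt.partition("=")
                opts[key] = val
            yield path, m.group(1), opts

def audit(text, untrusted_root_hosts):
    """Return (path, client, reason) for hosts whose root we do not control."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client not in untrusted_root_hosts:
            continue
        if "all_squash" not in opts:
            # root_squash only remaps UID 0; any other UID the client sends is honoured
            findings.append((path, client, "client UIDs honoured: local root can su to any user"))
        elif "anonuid" not in opts or "anongid" not in opts:
            findings.append((path, client, "all_squash without anonuid/anongid (default anonymous IDs apply)"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS, {"devbox.example.com"}):
        print(*finding, sep="  ")
```
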




 

