
We are using NIS services for user logins to Unix accounts. We have test machines where users install the OS themselves and get root access. Using su from the root account to NIS user accounts without passwords, they are able to enter other NIS accounts easily. Is there any way we can restrict this option? I don't want to allow any root user to log in to other users' NIS accounts.

  • This is a social problem rather than a technical problem (and there's no real way to solve it without disabling NIS entirely on those test machines). Issue a warning that this behaviour is unacceptable and terminate the accounts of anyone caught doing it. If this is within a company rather than a university, get HR to declare it a sackable offence. If in a university or school, expel or suspend the student (at least from that particular course). At most, you'll only have to do this once or twice before word gets around. Commented Mar 24, 2016 at 5:05
  • Hi cas, will LDAP fix this problem if I migrate? Commented Mar 24, 2016 at 5:37
  • How could it? Your users have root on the local (test) system and can do whatever they like. There is no way for the remote auth server to distinguish between a legitimate login from a user and a root user su-ing to a userid they shouldn't. Commented Mar 24, 2016 at 5:40
  • The description is not clear on whether local root users have access to NIS user account data or simply su to NIS users on their workstation because of centralized account management. There is a subtle difference between the two. -- One way of limiting the root account is using Kerberos-aware services; that way users will need to enter their password in order to get a ticket, so for example root cannot read the NFS-shared user home directory without a ticket. Anyway, you need to define the problem in more detail (what exactly needs protection, from whom, etc.). Commented Mar 24, 2016 at 6:28
  • Can you set up a separate NIS domain and NFS server for the test systems? Can you deny NFS service to the test systems and require the use of samba/cifs instead? Commented Mar 24, 2016 at 9:15

1 Answer


Yes, there is a way to restrict this behaviour. The behaviour of su is governed by PAM (Pluggable Authentication Modules):

You must edit /etc/pam.d/su

Comment out the line:

auth sufficient pam_rootok.so 

like this:

#auth sufficient pam_rootok.so 

After that, su from root will ask for the user's password.

  • Thanks plinn, but it has to be modified on the client end. I want control from the NIS server end itself, since users have root access to the client machines and can edit this entry. Commented Jun 8, 2016 at 16:02
