SUMMARY: How to Disallow "su" on client workstations from root

From: Martin Hofbauer Bacher Systems EDV (
Date: Tue Feb 21 1995 - 23:57:53 CST


My original question:

>We want to protect the home directory information from the root users
>of the clients. But they can do a "su - <username>" without a password.
>Do you know any possibility, maybe with NIS+ features, to prevent switching
>from root to a network user without typing the password?

I have to mention that we have a company structure (Sun Service Partner)
where many of my colleagues have their workstations set up by themselves.
So we cannot change our environment so that none of these users knows their
"root" password.

Many of the answers informed me about secure NFS:

The best way to do this is to run NFS in secure mode. We had the same problem and
secure mode fixed this issue. Check out the man pages on secure NFS.
     Joshua Personius, Systems Support Engineer

I looked at it more closely in the AnswerBook.
I have not tried it, but I think that because we are using NIS+ we can use it.

Other Answers:

I'm not too familiar with 2.4, but under 4.x, you really can't do what
you're talking about. The only thing I would recommend is to set up
syslog.conf to report any of those types of incidents to some "secure"
machine, and then question the user about it. Or you might want to yank
his root permissions right then and there.

It's my position that a network can't be secure with people running around
with root privileges.

If you have NIS+, I assume you have secure RPC credentials
for all your users. In that case, secure NFS is the answer, unless
other users log in to the workstations where the owners have root
access. (They'll give their secret key to the keyserver on that
workstation and root can subsequently use the key.)

Caspar Dik


Martin Hofbauer
Sales Engineer
Bacher Systems EDV GmbH, SUN Master Reseller
A-1101 Vienna, Austria, Wienerbergstr. 11B
Tel: +43 (1) 60 126 ext 250 Fax: +43 (1) 60 126 ext 4
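The logging approach suggested in the answers above (report su events to a "secure" machine and then question the user), as an added example that is not part of the original thread: a small POSIX shell/awk filter that scans syslog-style su messages on a loghost and reports every successful switch from root into another account. The message layout is an assumed approximation of what Solaris su writes to syslog, and the sample log lines are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example: flag successful su from root to another account in
# syslog-style su messages. The message format is an assumed approximation
# of Solaris su(1M) syslog output; the sample lines below are constructed.

SAMPLE_LOG="Feb 21 23:40:02 ws12 su: 'su root' succeeded for mhofbauer on /dev/pts/1
Feb 21 23:41:17 ws12 su: 'su jdoe' succeeded for root on /dev/pts/1
Feb 21 23:42:05 ws07 su: 'su jdoe' failed for guest on /dev/pts/2
Feb 21 23:43:30 ws07 su: 'su asmith' succeeded for root on /dev/console
Feb 21 23:44:11 ws12 su: 'su root' succeeded for root on /dev/console
Feb 21 23:45:00 ws12 login: ROOT LOGIN /dev/console"

# flag_root_su: read log lines on stdin, print one report line per successful
# su performed by root into a different (non-root) account.
# Field layout of a matching line (whitespace separated):
#   $1-$3 timestamp, $4 host, $5 "su:", $6 "'su", $7 "<target>'",
#   $8 "succeeded", $9 "for", $10 "<invoking user>", $11 "on", $12 tty
flag_root_su() {
    awk '$5 == "su:" && $8 == "succeeded" && $10 == "root" && $11 == "on" {
            target = $7
            gsub(/[^A-Za-z0-9_.-]/, "", target)   # strip the closing quote
            if (target == "root") next            # root -> root is not a switch
            printf "%s %s %s host=%s root->%s tty=%s\n", $1, $2, $3, $4, target, $12
        }'
}

# count_root_su: number of flagged events on stdin (useful for a threshold alert).
count_root_su() {
    flag_root_su | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_root_su
```

For the messages to reach the loghost at all, each workstation's syslog.conf needs an entry that forwards the auth facility to it (on Solaris a line such as `auth.notice` followed by a tab and `@loghost`; the selector and action must be tab-separated). The filter keys on the invoking user being root rather than on the target name, so it catches switches into any account, including ones added after the rule was written.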

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:17 CDT