Got a situation where some people in the network using Linux would like local admin rights. People have admin rights in Windows and the Linux users want more flexibility.
They need to be able to mount some nfs drives.
If they have local admin rights, even with root squash set for the nfs server, there is a danger that someone could change their UserID to something else and mount into someone else's home directory. If that someone else happens to have root access, ...
Is there any way to securely give someone local admin rights on their box and let them mount some NFS drives without this risk?
you can give sudo su access to user and in /etc/sudouser file you can define what all command he can access in that give him the access to mount command...
I believe NFS basically equates a remote root to "nobody". There are some minor loopholes but the main issue that you have I believe is solved by that.
Era, if no_root_squash is not set (meaning root squash = on), then it does this by default. Still the user with local su rights can change his userid he uses to mount the nfs drive. Some people with home directories there have su rights. If someone manages to login as someone who has su, then bad, bad things could happen. See Security and NFS for a more detailed explanation.
I was thinking it could work by giving those who want local admin in Linux no nfs access, but rather samba access, the same as Windows users. (slower, but secure)
Vidyahar85: thanks for trying to be helpful. Unfortunately it is in a network where we can't cross our fingers and hope it works.
NFSv4 has Kerberos authentication, but I am not sure how that could be used to ascertain that the id of the user doing the mounting is that actual person. Anyone been using this?
you know, the fstab file has one option that alows normal users to mount and unmount "things"
and "things" can include nfs mounts.
this option is defined per mount point.
man fstab and read about "user" and "users" (the s changes who can unmount it later)
When "users" has local admin rights, they can change their machine's "fstab" to "whatever" they want. They can also "do" things like "spoof" the nfs server "into" thinking they are someone else, "by" changing their "userid" or ip address. Problem still not solved.