SUMMARY: How could root be able to write normal users' files on a nis client

From: Jiang Wu <toughwu_at_yahoo.com>
Date: Sun Sep 26 2004 - 11:55:29 EDT
Thanks for your advice! The problem has been solved!

Frank

----- Original Message ----- 

> I just installed nis in our local network of solaris 8 workstations.
> However, I found the root account on the nis clients is not able to make
> changes to files or directories of normal users. Maybe it looks to the
> mounted user directories that the local root account only has the
> authority of "other". Is there any way to solve this problem except
> changing the mode of the user account directories?

That is intentional; you should be root on the NFS file server.
(or export with root access, but that is generally frowned upon)

Casper

As I understand your problem,
you must enable root accounts of clients to become (stay) root (uid 0)
and have write access on the resources shared by the server.
On server in /etc/dfs/dfstab:

share -F nfs -o root=client1:client2,rw=client1:client2 -d "Homes" /export/home

Laurent larquere

That's a feature, not a bug. Root on another machine is mapped to uid
-1 unless you explicitly share to that machine with root access. This
prevents someone from replacing a client with a box they have root on
and molesting other people's files.

Your best bet is to do root work on the primary server. You really
don't want to spread root access around to the clients. If you spread
the home space among the clients, just make one machine authoritative
and allow all the clients to share to that one machine with root
authority. The NIS master might be a good root authority machine, since
you will take better care of that machine, presumably.

Allan West

I assume these users' files are located on an NFS share?

If so, this is a security feature of NFS.
You do not usually want root on one system to have root access on all
systems, hence it squashes the root user's effective UID to be that of
the nobody user.

You should think very carefully before implementing this, however [0]
states that you can get around it by exporting the share with anon=0

Example:

share -o anon=0 /export/home/stuff

alternatively, you can allow root access on a per-host basis

share -o root=host1:host2 /export/home/stuff

Nathan Dietsch

This is more of an nfs issue than nis.  nfs normally changes uid root to
uid nobody for nfs filesystems in an attempt to prevent the root user from
abusing their access on nfs shares.  You can get around this by su'ing to
the user whose files you want to access.  You can disable this 'feature'
entirely by setting root access in the dfstab file on your nfs server (see
man dfstab for correct syntax).

Doug Granzow

your user dirs are nfs-mounted?  client roots must be granted explicit
privs in the export.  this is a network security issue.

Sandwich Maker
Received on Sun Sep 26 11:55:21 2004
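
Added example (not part of the original thread): a small shell audit for a dfstab-format file that reports every share granting the root access described in the replies above, either per host with root= or to all clients with anon=0. The function names, output labels and sample lines are made up for illustration.

```shell
#!/bin/sh
# Audit dfstab-format input for shares that turn off root squashing.
# Reads the files named as arguments, or standard input if none.
# Output, one line per finding:
#   ROOT_ACCESS <pathname> <colon-separated host list>
#   ANON_ROOT   <pathname>
audit_dfstab() {
    awk '
    # Skip comments and anything that is not a share command.
    /^[ \t]*#/ || !/^[ \t]*share[ \t]/ { next }
    {
        opts = ""
        path = $NF                      # pathname is the last field
        for (i = 2; i < NF; i++)
            if ($i == "-o") opts = $(i + 1)
        n = split(opts, o, ",")         # options are comma-separated
        for (j = 1; j <= n; j++) {
            if (o[j] ~ /^root=/)        # remote uid 0 stays uid 0 for these hosts
                printf "ROOT_ACCESS %s %s\n", path, substr(o[j], 6)
            else if (o[j] == "anon=0")  # squashed users are mapped to uid 0
                printf "ANON_ROOT %s\n", path
        }
    }' "$@"
}

# Constructed sample in dfstab format; host names are placeholders.
sample_dfstab() {
    cat <<'EOF'
# home directories
share -F nfs -o root=client1:client2,rw=client1:client2 -d "Homes" /export/home
share -F nfs -o anon=0 /export/home/stuff
share -F nfs -o rw=client1,ro /export/docs
EOF
}

sample_dfstab | audit_dfstab
```

On a real server, point it at the file instead: audit_dfstab /etc/dfs/dfstab. On Solaris, swap awk for nawk or /usr/xpg4/bin/awk, since /usr/bin/awk there is the old awk.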
