Roaming User Profiles
nl at lippman.org
Fri Jun 21 00:01:45 BST 2002
On Thursday 20 June 2002 01:59, Thomas L. Bevan wrote:
> People have already mentioned NFS, the network file system.
> This allows files and directories to be accessed on remote
> machines completely transparently as if they were local.
> The users will notice no difference.
> Typically, all the user and company data should be stored on one
> file server (just a specially configured Linux box) and the terminals
> would mount the user directories at boot.
> This is good not just for roaming profiles but also because it
> facilitates backing up et al. There are no security problems here that I
> know of if set up correctly.
I am not sure that this is entirely correct. If you were to export, for
instance, an entire /home partition on your NFS share, which contains subdirs
for /home/<user>, then anyone who has root access on any machine that is
allowed to mount that NFS export can access anyone's files. All they need to
do is su to root on a workstation, then su to any uid that they want, and
they can access any files on the NFS share that are owned by that uid. That's
because NFS servers basically trust the client to "tell the truth" as to who
is requesting access - but if you have root on a workstation, you can pretend
to be anyone you want.
I haven't been able to find any obvious way around this security hole - I'd
be interested in comments from someone on how to do this.
This message is from the kde mailing list.
Account management: http://mail.kde.org/mailman/listinfo/kde.
More info: http://www.kde.org/faq.html.
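The following audit script is an added example, not part of the original message or of any project mentioned in it. It scans a Linux exports(5) file for entries where the server accepts the uid the client asserts, which is the trust problem described in the reply. It assumes the `sec=` export option with the Kerberos flavors krb5, krb5i and krb5p, none of which are mentioned in the thread; the sample hosts and paths are constructed.

```python
# Added example: flag NFS exports where the server trusts the uid sent by the client.
# Simplifications (assumptions): no quoted paths, no backslash line continuations.

# Constructed sample in exports(5) syntax; hosts and paths are made up.
SAMPLE_EXPORTS = """\
# constructed sample
/home       192.168.1.0/24(rw,sync,root_squash)
/srv/data   ws1.example.org(rw,sec=krb5p) ws2.example.org(ro)
/export/pub *(ro,all_squash)
/home2      -sec=krb5i build.example.org(rw)
"""

KERBEROS = {"krb5", "krb5i", "krb5p"}

def parse_opts(text):
    return [o.strip() for o in text.split(",") if o.strip()]

def flavors(opts):
    """Collect every flavor named by sec= options; exports(5) defaults to sys."""
    found = []
    for opt in opts:
        if opt.startswith("sec="):
            found.extend(opt[4:].split(":"))
    return found or ["sys"]

def audit(exports_text):
    """Return (path, client) pairs where a client-asserted uid is accepted."""
    findings = []
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):          # default options for later clients
                defaults = parse_opts(field[1:])
                continue
            client, _, rest = field.partition("(")
            opts = defaults + parse_opts(rest.rstrip(")"))
            if "all_squash" in opts:           # every uid is mapped to anonymous
                continue
            # root_squash only remaps uid 0; any other asserted uid is believed.
            # Conservative: flag if any permitted flavor is not Kerberos.
            if not set(flavors(opts)) <= KERBEROS:
                findings.append((path, client or "*"))
    return findings

if __name__ == "__main__":
    for path, client in audit(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: uid asserted by client (AUTH_SYS)")
```
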