What's the best way to mitigate NFS and sudo?

Posted by user225874 on Server Fault See other posts from Server Fault or by user225874
Published on 2014-06-12T03:35:15Z Indexed on 2014/06/12 15:28 UTC
Read the original article Hit count: 317

Filed under:

linux

|

nfs

|

sudo

|

root

Quick background: We have 40 workstations running Linux. NFS is used extensively for bulk data storage and home directories. This allows users to roam freely will relatively transparent file systems.

This is an educational environment where postdocs and students have successfully pulled off a coup of sorts. All have gained root on their individual workstations by grooming a technophobic PI who thinks IT people are evil. If I so much as suggest chroot or sudo restrictions, I'll find myself working out of a broom closet.

With that in mind, what's the best way to mitigate something like this below?

$ hostname
workstation1
$ whoami
john
$ sudo su jane
$ whoami
jane
$ cp -R /home/nfs/jane /mnt/thumbdrive/

© Server Fault or respective owner

Related posts about linux

apt-get install and update fail

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I've got a problem with apt-get update and apt-get install ... commands . every time update or installing fails and errors are : Get:1 http://dl.google.com stable Release.gpg [198B] Ign http://dl.google.com/linux/chrome/deb/ stable/main Translation-en_US Get:2 http://dl… >>> More
kernel module compiling error

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
sh@ubuntu:/home/ccpp/helloworld$ make gcc-4.6 -O2 -DMODULE -D_KERNEL_ -W -Wall -Wstrict-prototypes -Wmissing-prototypes -isystem /lib/modules/`uname -r`/build/include -c -o hello-1.o hello-1.c hello-1.c:4:0: warning: "MODULE" redefined [enabled by default] <command-line>:0:0: note: this is… >>> More
Build-Essentials installation failing

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I am having trouble accessing the several critical header files that show to be a part of the build process. The "Ubuntu Software Center" shows "Build Essentials" as installed: Next I did the following two commands, which did not improve the problem: ~$ sudo apt-get install build-essential [sudo]… >>> More
Updating Debian kernel

as seen on Super User - Search for 'Super User'
I'm trying to update my Debian machine to 2.6.32-46 (which is the new stable). However, after doing apt-get update my apt-cache search linux-image shows me: linux-headers-2.6.32-5-486 - Header files for Linux 2.6.32-5-486 linux-headers-2.6.32-5-686-bigmem - Header files for Linux 2.6.32-5-686-bigmem linux-headers-2… >>> More
Serial connection over a single USB cable (Windows to linux, or linux to linux)

as seen on Server Fault - Search for 'Server Fault'
I'm helping out with a project for an embedded device that only has USB and no serial. This device is running Linux. These days, when we need to connect to a serial port on a device we typically use a USB to serial adapter (on something like a phone system or a load balancing device, etc). I would… >>> More

Related posts about nfs

12.10 update breaks NFS mount

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I've just upgraded to the latest 12.10 beta. Rebooted twice. The problem is with the NFS folders not mounting, here's a verbose log. # mount -v myserver:/nfs_shared/tools /tools/ mount: no type was given - I'll assume nfs because of the colon mount.nfs: timeout set for Mon Oct 1 11:42:28 2012 mount… >>> More
NFS to NFS mount

as seen on Server Fault - Search for 'Server Fault'
I have a machine that I need to bridge NFS files to. Can I mount an NFS directory on machine2 from machine1 and then mount the mounted NFS directory on machine2 on machine3 via NFS? Do you see any problems with that? I am basically bridging some subnet domains this way, in a certain fashion. My development… >>> More
CentOS 5.4 NFS v4 client file permissions differ from original files & NFS Share file contents

as seen on Server Fault - Search for 'Server Fault'
Having a strange problem with NFS share and file permissions on the 1 out of the 2 NFS clients, web1 has file permissions issues but web2 is fine. web1 and web2 are load balanced web servers. So questions are: how do I ensure NFS share file contents retain the same permissions for user/group as… >>> More
Slow NFS and GFS2 performance

as seen on Server Fault - Search for 'Server Fault'
Recently I've designed and configured a 4 node cluster for a webapp that does lots of file handling. The cluster have been broken down into 2 main roles, webserver and storage. Each role is replicated to a second server using drbd in active/passive mode. The webserver does a NFS mount of the data… >>> More
NFS (with Kerberos) mount failing due to "Server not found in Kerberos database" error

as seen on Server Fault - Search for 'Server Fault'
When running: `sudo mount -t nfs4 -o sec=krb5 sol.domain.com:/ /mnt` I get this error on the client: mount.nfs4: access denied by server while mounting sol.domain.com:/ And on the server syslogs UNKNOWN_SERVER: authtime 0, nfs/[email protected] for nfs/ip-#-#-#-#.ec2.internal@SOL… >>> More