What's the best way to mitigate NFS and sudo?
- by user225874
Quick background: We have 40 workstations running Linux. NFS is used extensively for bulk data storage and home directories. This allows users to roam freely will relatively transparent file systems.
This is an educational environment where postdocs and students have successfully pulled off a coup of sorts. All have gained root on their individual workstations by grooming a technophobic PI who thinks IT people are evil. If I so much as suggest chroot or sudo restrictions, I'll find myself working out of a broom closet.
With that in mind, what's the best way to mitigate something like this below?
$ hostname
workstation1
$ whoami
john
$ sudo su jane
$ whoami
jane
$ cp -R /home/nfs/jane /mnt/thumbdrive/