[olug] NIS / NFS permissions

Daniel Linder dan at linder.org
Fri Jan 20 03:40:40 UTC 2006




On Thu, January 19, 2006 15:18, Mr Scsi wrote:

> My problem is that some of our people work on *sensitive* material and
> store it in their home directories.



If it is sensitive and falls under HIPAA or SOX regulations, then you'll
probably have to have both good security measures and security accounting
practices (i.e. log users' commands, etc).



> I have restricted access to the nfs server, and set all home directories
> to 700, but I have some *un-cooperative* admins who keep doing:
>
> cd /home
> chmod 775 <MyHomeDir>



If they are being truly un-cooperative because they do not want to work
within the guidelines that management (or regulations) have set down, then
it is beyond a technology "fix" and is now a management/HR
issue.  Even if you do come up with a solution today that stops them
from changing their home directory with a chmod, what's the next back door
they'll find?  If it is a HIPAA/SOX imposed regulation they are
bypassing, it could have severe financial repercussions to both the
company and possibly themselves.



I believe that you can use the "sudo" command to both log and
permit combinations of actions.  In a simplistic world you could
permit a "sudo chmod 775 $X" where $X is not in (/home/*), but
then you start getting people who are creative with the $X variable
(/etc/../home/MyHomeDir).



Good luck!



Dan



- - - - -

"Wait for that wisest of all counselors, time." -- Pericles

"I do not fear computers, I fear the lack of them." -- Isaac Asimov

GPG fingerprint:6FFD DB94 7B96 0FD8 EADF  2EE0 B2B0 CC47 4FDE 9B68

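The path problem raised in the message above (a rule on the literal string misses /etc/../home/MyHomeDir), as an added example that is not part of the original post: a hypothetical wrapper that sudo could permit in place of raw chmod, which resolves the path before comparing it. The names `canonical`, `is_protected`, `safe_chmod` and `PROTECTED_ROOT` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Hypothetical wrapper that
# decides on the resolved path instead of the string the caller typed.
PROTECTED_ROOT="${PROTECTED_ROOT:-/home}"   # assumed location of home dirs

# Print the canonical absolute path of $1 (symlinks and ".." resolved).
# Fails for nonexistent paths, so nothing unresolvable is ever approved.
canonical() {
    [ -e "$1" ] || return 1
    readlink -f -- "$1"
}

# Exit 0 if $1 resolves to PROTECTED_ROOT or anything beneath it,
# 1 if it resolves elsewhere, 2 if it cannot be resolved at all.
is_protected() {
    target=$(canonical "$1") || return 2
    root=$(canonical "$PROTECTED_ROOT") || return 2
    case "$target/" in
        "$root"/*) return 0 ;;   # trailing slash keeps /homework out of /home
        *)         return 1 ;;
    esac
}

# safe_chmod MODE PATH: apply MODE only when PATH is provably outside the root.
safe_chmod() {
    rc=0
    is_protected "$2" || rc=$?
    if [ "$rc" -ne 1 ]; then
        # Record every refusal with the invoking user for the audit trail.
        echo "refused: chmod $1 $2 (user ${SUDO_USER:-unknown})" >&2
        return 1
    fi
    # Act on the resolved path. A race between check and chmod remains if the
    # caller can rename directories along the path; this narrows it, no more.
    chmod -- "$1" "$target"
}

# When installed as a script: wrapper MODE PATH
if [ "$#" -ge 2 ]; then
    safe_chmod "$@"
fi
```

This only helps if the sudoers rule permits the wrapper and not chmod itself.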

