[akonstam: Re: A security flaw question - a clarification]

Tomas Mraz tmraz at redhat.com
Sun Jun 5 17:49:33 UTC 2005


On Sun, 2005-06-05 at 08:31 -0500, akonstam at trinity.edu wrote:
> > > Ok, now the question. I have been hearing from people about security
> > > flaws. Well what about this. A number of our faculty have set up
> > > their personal machines as NIS clients. It makes it easier to get to
> > > their class related files. My feeling is this is a tremendous security
> > > hole, since a first important step in hacking a machine might be logging in
> > > to the machine. Making faculty personal machines NIS clients
> > > means that any of the 1000 or so students can log in to the faculty
> > > machine. Does anyone else think that this is a bad idea, or am I
> > > confused?
> No that is not the problem I am talking about. To hack a machine
> remotely is a hell of a lot harder to do from a different machine
> than it is if you are logged on to the machine you want to hack. It
> has nothing to do with whether or not the instructor leaves his
> machine logged on. Well not nothing but I am not talking about that
> situation.
> 
> I am not concerned if people disagree with me but I am frustrated that
> I can't clearly formulate my question so people see what I am asking.

First, this is the wrong list to discuss this - you should have posted
this to fedora-list.

You can close this hole easily by adding 'account  required
pam_access.so' to the system_auth pam config file. You will put all
instructors into some group - f.e. 'instructors' and add a line to the
/etc/security/access.conf:
'-:ALL EXCEPT root instructors:ALL'

This will disable login access for all people except root and
instructors.

-- 
Tomas Mraz <tmraz at redhat.com>
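
The following is an added example, not part of the original post: a simplified Python model of how pam_access evaluates the access.conf rule quoted above (first matching rule decides, no match grants access, bare tokens are tried as group names unless the `nodefgroup` module option is set). The account names and group memberships are constructed, and the origins field is treated as ALL.

```python
# Simplified model of pam_access evaluation of /etc/security/access.conf.
# Assumption: only the users/groups field is modelled; origins are ignored.

def parse_rules(text):
    """Parse 'permission:users:origins' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, _origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {perm!r}")
        rules.append((perm, users.split()))
    return rules

def token_matches(token, user, groups, nodefgroup=False):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups          # explicit group syntax
    if token == user:
        return True
    # Default behaviour: a bare token is also tried as a group name.
    return not nodefgroup and token in groups

def list_matches(tokens, user, groups, nodefgroup=False):
    """'A B EXCEPT C D' matches if A or B matches and neither C nor D does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], user, groups, nodefgroup)
                and not list_matches(tokens[i + 1:], user, groups, nodefgroup))
    return any(token_matches(t, user, groups, nodefgroup) for t in tokens)

def login_allowed(rules, user, groups, nodefgroup=False):
    """First matching rule decides; if nothing matches, access is granted."""
    for perm, tokens in rules:
        if list_matches(tokens, user, groups, nodefgroup):
            return perm == "+"
    return True

RULES = parse_rules("-:ALL EXCEPT root instructors:ALL")  # rule from the post
# Constructed sample accounts: login name -> set of group names
ACCOUNTS = {"root": {"root"}, "prof1": {"faculty", "instructors"},
            "student42": {"students"}}

if __name__ == "__main__":
    for name, groups in ACCOUNTS.items():
        print(name, "allowed" if login_allowed(RULES, name, groups) else "denied")
```

Calling `login_allowed(..., nodefgroup=True)` shows that the bare token `instructors` then stops matching the group and instructors are locked out, unless the rule uses the parenthesised form `(instructors)`.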




More information about the fedora-test-list mailing list