linuxmonster
Hello,
I'm trying to set up a multiuser environment booting from the network.
The system is a self-built distro based on Ubuntu debootstrap.
I want to use NFS 4 with Kerberos to make the client machines authenticated so I'll know who is mounting the system.
I also want only the home folder of the user to be mounted, so he won't be able to read the home folders of other users. That way I can make sure that even if the system is exploited and the user gets root access, he will not get access to the entire file system.
I was thinking of doing this inside the initramfs: before mounting the file system I will get the Kerberos principal ticket and then mount the root file system as read-only, using a keytab, and the user's home folder with the principal Kerberos ticket that I just obtained.
The problem: I can't figure out how to make the NFS export line allow mounting only with a principal. Has anyone managed to use netgroups that way? Or is there any other way to do that?
I think exports is ignoring the second and third fields of the netgroup file, so it only takes the host name from it.
From the exports man page:
NIS netgroups may be given as @group. Only the host part of each netgroup members is consider in checking for membership. Empty host parts or those containing a single dash (-) are ignored.
But then there is no other way to do that?
Thank you for the help.