Security problem with subsidiary SUN workstations

Tony Tran versatc!tran at sun.com
Wed Nov 23 22:04:51 AEST 1988


Hello,

I am sure somebody mentioned this on the net somewhere, but I can't seem
to find a solution to it, so I am writing to the Spots for help.

We are having a problem with the root password on the workstation being on
the Yellow Pages.

If a person has access to his local root password, he can su to anybody on
the main yp server, and access the files that belong to the new person
he is switching to.

Any hints on how to stop this security leak?

Thanks in advance,

Tony Tran
Versatec, Inc.
{sun|ames|pyramid}!versatc!tran

[[ Don't give a workstation's root password to its local user.  Not much
help, huh?  Other than that, I cannot think of any way to stop this sort
of abuse.  Also consider this.  Both A and B have accounts on X.  Only B
has an account on Y.  A knows the root password for X but not for Y.  B
has a .rhosts file on Y that includes X.  A can still log on Y as B:
become root on X; su B; rlogin Y.  *Poof*.  --wnl ]]
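
An audit for the .rhosts trust described in the moderator's note, added here as an example and not part of the original post: it flags .rhosts entries that trust a host whose root password is held by that host's own user. The account names, host names, file contents and the `audit`/`parse_rhosts` helpers are constructed for illustration; treating `#` lines as comments and comparing on the short host name are assumptions.

```python
# Added example: flag .rhosts entries that trust hosts whose root password
# is held by the workstation's own user. All names and contents are constructed.

def parse_rhosts(text):
    """Return (host, user) pairs; user is None when no user field is given."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' lines are comments
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries

def audit(rhosts_by_account, user_rooted_hosts):
    """Return (account, entry_host, reason) for each entry worth reviewing."""
    rooted = {h.lower() for h in user_rooted_hosts}
    findings = []
    for account, text in sorted(rhosts_by_account.items()):
        for host, user in parse_rhosts(text):
            if host.startswith("-") or (user or "").startswith("-"):
                continue                        # denial entries grant no access
            if host == "+":
                findings.append((account, host, "wildcard: every host is trusted"))
            elif host.startswith("+@"):
                findings.append((account, host, "netgroup: review its members"))
            elif host.split(".")[0].lower() in rooted:
                findings.append((account, host, "host root is held by a local user"))
    return findings

# Constructed .rhosts contents for accounts on server Y, keyed by account name.
SAMPLE = {
    "B": "X\n",
    "C": "# build hosts\nZ C\n-X\n",
    "D": "+ +\n",
}

if __name__ == "__main__":
    for account, host, reason in audit(SAMPLE, {"X"}):
        print(f"{account}: .rhosts entry '{host}': {reason}")
```

On a real server the dictionary would be filled by reading each account's `.rhosts` from its home directory, and the same check applies to `/etc/hosts.equiv`.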


