> Its the NFS export options - i.e. root_squash that needs to be used. root_squash will only prevent the remote root (uid 0) account from modifying files as root. It can't prevent the remote root account from su'ing to a user account and then masquerading as a user. I once admined a small group of machines for the team I was on that was part of a larger, enterprise network. As such, I had root on our machines, but not the centralized NFS servers (which used the root_squash option). It was a pain because when one of the team members had a package in their home directory that they wanted installed, I couldn't access their home as root (tight permissions on the home directories), so I would have to su as them, then I could copy the package to /tmp where I could then access it as root.
That's not to say that root_squash is useless -- it prevents root on one machine from placing a suid (0) binary on the share, which could be used as a Trojan horse to get elevated privileges on a different machine. Terry use StandardDisclaimer.pm
