| UNIX/Linux Forum Archives · Rules and Guidelines · Disclaimer |
fishsponge (Administrator; Group: Admin; Posts: 679; Member No.: 1; Joined: 13-February 03)
Posted: Sep 5 2003, 05:41 PM
I read somewhere that in a NIS setup (if you use NIS for authentication), someone can plug their own laptop in, for example, 'su' to root (using their own passwd files), and then 'su' to any user available on NIS without needing a password.
Has anyone done this?
sleazyrob (User Level: 4; Group: Members; Posts: 66; Member No.: 8; Joined: 17-February 03)
Posted: Dec 27 2003, 03:00 PM
Yes. NIS just makes the password maps available to all the clients on the network; it's then down to the clients to do the actual authentication. NIS can't force that. When you access most services such as traditional NFS, the server relies on the client being honest about who's logged in, i.e. the client just sends a user ID to the server. If you plug in a foreign (untrusted) machine you can send whatever user ID you want.

To make this setup slightly more secure you can create netgroups (basically a list of clients you trust) and export your NFS filesystems only to those groups. Of course the security of this relies only on trivial-to-change IP addresses.

Alternatively you could use an authentication scheme such as Kerberos, which is much more secure. An authentication server checks you are who you say (and the clients don't have to be trusted) and then allows you to access the service. Once you've got it set up you have to enable it on a per-service basis (by editing pam.conf).
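As an added example (not from the original post), the following script audits an exports-style file for the three weaknesses the answer describes: exports open to every client (so any machine can assert any UID), exports that do not squash root, and exports that still rely on AUTH_SYS instead of Kerberos. The sample exports file, the `@trusted` netgroup and the `/export/...` paths are constructed for illustration.

```shell
#!/bin/sh
# audit_exports: print one finding per line for each export entry that
# trusts a client-asserted identity more than it should.
# Exports format assumed: "/path client1(opts) client2(opts) ..."
# where client may be "*", a wildcard name, an IP/CIDR, or "@netgroup".

audit_exports() {
    set -f   # stop "*" and "*.example.com" from expanding as filename globs
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r path clients; do
        for entry in $clients; do
            host=${entry%%\(*}          # text before "(" (empty when host is omitted)
            opts=${entry#*\(}; opts=${opts%\)}
            [ "$opts" = "$entry" ] && opts=""   # no "(...)" given at all
            case "$host" in
                ''|'*') echo "$path: exported to every client ($host); any machine can present any UID" ;;
                @*) ;;                      # netgroup: limited to listed trusted clients
                *[*?]*) echo "$path: wildcard host '$host'; consider a netgroup" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path: no_root_squash for $host; remote root maps to local root" ;;
            esac
            # Only a Kerberos-first sec= list counts; sec=sys or a missing sec= still trusts the UID.
            case ",$opts," in
                *,sec=krb5*) ;;
                *) echo "$path: $host uses AUTH_SYS (sec=sys); client-asserted UIDs are trusted, consider sec=krb5p" ;;
            esac
        done
    done
    set +f
}

# Constructed sample exports file (not a real configuration).
sample_exports() {
    cat <<'EOF'
# constructed sample
/export/home   *(rw)
/export/proj   @trusted(rw,sec=krb5p)
/export/build  *.example.com(rw,no_root_squash)
EOF
}

# Usage: sh audit_exports.sh /etc/exports
if [ $# -gt 0 ]; then
    audit_exports "$1"
fi
```

On the sample above, `/export/proj` produces no findings while `/export/home` and `/export/build` produce five between them.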
sleazyrob (User Level: 4; Group: Members; Posts: 66; Member No.: 8; Joined: 17-February 03)
Posted: Dec 27 2003, 03:03 PM
PS: you can use netgroups for every service on a machine using /etc/hosts.allow and /etc/hosts.deny.
Check the man pages though.