Date: Thu, 2 Apr 1998 09:57:13 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Anton Voronin <anton@urc.ac.ru>
Cc: Alfred Perlstein <perlsta@cs.sunyit.edu>, freebsd-security@FreeBSD.ORG
Subject: Re: Is there a safe way for filesystem export?
Message-ID: <Pine.BSF.3.96.980402095142.21311B-100000@fledge.watson.org>
In-Reply-To: <35237E24.CF00B4D5@urc.ac.ru>

On Thu, 2 Apr 1998, Anton Voronin wrote:

> > I'd suggest -maproot=nobody
> > also, make whatever dirs readonly if possible and nosuid where applicable.
>
> Unfortunately, mapping root to nobody is impossible while xdm writes into
> .Xauthority in users' home directories and dirs like authdir or xkb.compiled.
> I'm afraid this topic is out of this mailing list, but would appreciate any
> advice on how to avoid the need of mapping root to root.

Anton,

I have never experienced the problem you describe -- I ran for a long time
last summer on a FreeBSD 2.2.1 (or was it .2?) with XFree86 and xdm running,
and my home directory mounted from a Solaris file server where NFS-root was
mapped to nobody. In the version of xdm I am currently running (patched for
Krb4), the call to SetUserAuthorization is definitely after the setting of
credentials on the child process.

Robert N Watson

----
Carnegie Mellon University      http://www.cmu.edu/
Trusted Information Systems     http://www.tis.com/
SafePort Network Services       http://www.safeport.com/
robert@fledge.watson.org        http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message