From: patl@phoenix.volant.org
Date: Thu, 2 Apr 1998 08:35:01 -0800 (PST)
Subject: Re: Is there a safe way for filesystem export?
To: freebsd-security@FreeBSD.ORG

> On Thu, 2 Apr 1998, Anton Voronin wrote:
> >
> > > i'd suggest -maproot=nobody
> > > also, make whatever dir's readonly if possible and nosuid where
> > > applicable.
> >
> > Unfortunately, mapping root to nobody is impossible while xdm writes into
> > .Xauthority in users home directories and dirs like authdir or
> > xkb.compiled. I'm afraid this topic is out of this mailing list, but
> > would appreciate any advice on how to avoid the need of mapping root to
> > root.
>
> Anton,
>
> I have never experienced the problem you describe -- I ran for a long time
> last summer on a FreeBSD 2.2.1 (or was it .2?) with XFree86 and xdm
> running, and my home directory mounted from a Solaris file server where
> NFS-root was mapped to nobody. In the version of xdm I am currently
> running (patched for Krb4), the call to SetUserAuthorization is definitely
> after the setting of credentials on the child process.

I suspect the significant point here is that whatever partition has the
xdm binary must not re-map root, and must allow suid.

I would export /usr and other exported system partitions read-only, with
no userid remapping and allowing suid. The partition(s) holding user
home directories would be exported read/write with root->nobody and
nosuid.

-Pat
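
The export policy described in the message above can be checked mechanically. The following is an added example, not part of the original post: a small audit of a FreeBSD exports(5) file that flags any export that is writable and still keeps remote root as root. The host names, paths and sample file are constructed, and the script assumes one export per line with no continuation lines. nosuid is a mount option on FreeBSD rather than an exports option, so it is not checked here.

```shell
#!/bin/sh
# Constructed sample exports file (hosts and paths are illustrative).
sample_exports() {
    cat <<'EOF'
# system partition: read-only, no userid remapping
/usr   -ro -maproot=root  ws1 ws2
# home directories: read/write, remote root mapped to nobody
/home  -maproot=nobody    ws1 ws2
# writable and root stays root: the combination the thread wants to avoid
/home2 -maproot=root      ws1 ws2
EOF
}

# audit_exports FILE
# Prints "path: writable with <option>" for every export that lacks -ro
# and maps remote root (or all users) to root / uid 0.
audit_exports() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            ro = 0; rootmap = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "-ro") ro = 1
                # matches -maproot=root, -maproot=0, -mapall=root, -maproot=0:0 ...
                if ($i ~ /^-(maproot|mapall)=(root|0)(:.*)?$/) rootmap = $i
            }
            if (!ro && rootmap != "")
                printf "%s: writable with %s\n", $1, rootmap
        }
    ' "$1"
}

# Demonstration run on the constructed sample.
tmp=$(mktemp) && sample_exports > "$tmp" && audit_exports "$tmp"
rm -f "$tmp"
```

An export with no -maproot or -mapall option is not flagged, because FreeBSD then maps remote root to an unprivileged credential by default.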