Date: Thu, 29 Jan 2004 18:02:51 +0200
From: Matthew West <mwest@uct.ac.za>
To: Ceri Davies <ceri@FreeBSD.org>
Cc: youngflashin@yahoo.com
Subject: Re: misc/61774: nis security issue
Message-ID: <20040129160251.GA70586@apotheosis.org.za>
In-Reply-To: <200401231137.i0NBbt9B007658@freefall.freebsd.org>
References: <200401231137.i0NBbt9B007658@freefall.freebsd.org>

Using export(5)'s maproot option doesn't prevent a user on an NFS client from becoming root, and then using "su" to become another user and access that user's files. A solution to this problem is to use Kerberos tickets instead of Unix user credentials. Unfortunately, FreeBSD does not currently have a Kerberised NFS implementation. You could try using something other than NFS to allow clients access to their files; likely candidates are Coda, AFS and SFS. SFS (http://www.fs.net/ - ports/security/sfs) is probably the easiest to get going with, as you don't need to have a pre-existing Kerberos infrastructure to use it.