From owner-freebsd-bugs@FreeBSD.ORG  Thu Jan 29 08:03:11 2004
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 06AE616A4CE; Thu, 29 Jan 2004 08:03:11 -0800 (PST)
Received: from apotheosis.cs.uct.ac.za (apotheosis.cs.uct.ac.za
	[137.158.128.26])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id D606643D53; Thu, 29 Jan 2004 08:02:40 -0800 (PST)
	(envelope-from mwest@uct.ac.za)
Date: Thu, 29 Jan 2004 18:02:51 +0200
From: Matthew West <mwest@uct.ac.za>
To: Ceri Davies <ceri@FreeBSD.org>
Message-ID: <20040129160251.GA70586@apotheosis.org.za>
References: <200401231137.i0NBbt9B007658@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200401231137.i0NBbt9B007658@freefall.freebsd.org>
User-Agent: Mutt/1.4.1i
cc: freebsd-bugs@FreeBSD.org
cc: youngflashin@yahoo.com
Subject: Re: misc/61774: nis security issue
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jan 2004 16:03:11 -0000

Using export(5)'s maproot option doesn't prevent a user on an NFS
client from becoming root, and then using "su" to become another user
and access that user's files.

A solution to this problem is to use Kerberos tickets instead of Unix
user credentials.  Unfortunately, FreeBSD does not currently have a
Kerberised NFS implementation.

You could try using something other than NFS to allow clients access
to their files; likely candidates are Coda, AFS and SFS.

SFS (http://www.fs.net/ - ports/security/sfs) is probably the easiest
to get going with, as you don't need to have a pre-existing Kerberos
infrastructure to use it.