From owner-freebsd-security  Thu Apr  2 13:41:57 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id NAA09100
          for freebsd-security-outgoing; Thu, 2 Apr 1998 13:41:57 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.alcatel.com.au (gatekeeper.alcatel.com.au [203.17.66.1])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA09067
          for <freebsd-security@FreeBSD.ORG>; Thu, 2 Apr 1998 13:41:47 -0800 (PST)
          (envelope-from Peter.Jeremy@alcatel.com.au)
Received: from mfg1.cim.alcatel.com.au ([139.188.23.1])
 by gatekeeper.alcatel.com.au (PMDF V5.1-7 #U2695)
 with ESMTP id <01IVFB0BCXC0003CY2@gatekeeper.alcatel.com.au> for
 freebsd-security@FreeBSD.ORG; Fri, 3 Apr 1998 07:39:26 +1000
Received: from cbd.alcatel.com.au by cim.alcatel.com.au (PMDF V5.1-10 #23324)
 with ESMTP id <01IVFB0859U8C2ID8G@cim.alcatel.com.au>; Fri,
 03 Apr 1998 07:39:22 +1000
Received: from gsms01.alcatel.com.au by cbd.alcatel.com.au (PMDF V5.1-7 #U2695)
 with ESMTP id <01IVFB05M75SAZTQUW@cbd.alcatel.com.au>; Fri,
 03 Apr 1998 07:39:18 +1100
Received: (from jeremyp@localhost) by gsms01.alcatel.com.au (8.8.8/8.7.3)
 id HAA22187; Fri, 03 Apr 1998 07:39:16 +1000 (EST)
Date: Fri, 03 Apr 1998 07:39:16 +1000 (EST)
From: Peter Jeremy <Peter.Jeremy@alcatel.com.au>
Subject: Re: Is there a safe way for filesystem export?
To: freebsd-security@FreeBSD.ORG
Cc: anton@urc.ac.ru
Message-id: <199804022139.HAA22187@gsms01.alcatel.com.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Thu, 02 Apr 1998 18:01:40 +0600, Anton Voronin <anton@urc.ac.ru> wrote:
>Unfortunately, mapping root to nobody is impossible while xdm writes into
>.Xauthority in users home directories
Updating .Xauthority doesn't have to be done as root.  It should be done
as the user being logged in (the current implementation doesn't - which
may be a security hole).  Since FreeBSD includes a `saved set-user-ID',
changing xdm to flip uids whilst writing .Xauthority should be fairly
simple.

> and dirs like authdir or xkb.compiled.
`authdir' could (and probably should, since xdm doesn't clean up after
itself) be on a MFS partition - ie a protected subdirectory in /tmp.

As far as I know, xdm doesn't affect xdm.compiled - the X server might
though.  I haven't played with the XKB extension and can't offer any
suggestions here.

Note that the Sun's NFS implementations include the ability to use
`Secure RPC' - ie DES encryption.  I don't know if the relevant hooks
are in FreeBSD.

Peter
--
Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5247

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message