Date:      Thu, 2 Apr 1998 15:26:25 +0300 (EEST)
From:      Narvi <narvi@haldjas.folklore.ee>
To:        Anton Voronin <anton@urc.ac.ru>
Cc:        Alfred Perlstein <perlsta@cs.sunyit.edu>, freebsd-security@FreeBSD.ORG
Subject:   Re: Is there a safe way for filesystem export?
Message-ID:  <Pine.BSF.3.96.980402151856.22317G-100000@haldjas.folklore.ee>
In-Reply-To: <35237E24.CF00B4D5@urc.ac.ru>


On Thu, 2 Apr 1998, Anton Voronin wrote:

> Alfred Perlstein wrote:
> > 
> > I'd suggest -maproot=nobody
> > also, make whatever dirs readonly if possible and nosuid where applicable.
> > 
> > -Alfred
> > 
> Unfortunately, mapping root to nobody is impossible while xdm writes into
> .Xauthority in users' home directories and dirs like authdir or xkb.compiled.
> I'm afraid this topic is out of this mailing list, but would appreciate any
> advice on how to avoid the need of mapping root to root.
> 

I think there is an option to NFS to use Kerberos tickets to authenticate
users/user actions.

Also, the home directories *should* be mounted nosuid on all of the
clients *and* the server.

The real problem is not the users smuggling in setuid programs but the
users having access to other users' data they should not see.

	Sander

	There is no love, no good, no happiness and no future -
	all these are just illusions.

> 

[snip]

> 
> -- 
> Anton Voronin                | Ural Regional Center of FREEnet,
> <anton@urc.ac.ru>            | Southern Ural University, Chelyabinsk, Russia
> http://www.urc.ac.ru/~anton  | Student / programmer / system administrator
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
> 
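
Added example, not part of the original message or of FreeBSD itself: a shell check for the settings discussed in this thread (root mapped to root in an exports file, exports that are not read-only, and NFS mounts without nosuid). Host names, paths and file contents are constructed samples, and the check assumes one export per line with no backslash continuations.

```shell
#!/bin/sh
# Added example: audit the export and mount options named in the thread.
# All hosts, paths and file contents below are constructed samples.

# Report exports that map remote root to local root, or that are writable.
# exports(5) maps root to an unprivileged credential unless -maproot or
# -mapall says otherwise, so only an explicit root mapping is flagged.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
    {
        root = 0; ro = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-maproot=(root|0)(:|$)/) root = 1
            if ($i == "-ro" || $i == "-o") ro = 1
        }
        if (root) print "ROOT-AS-ROOT " $1
        if (!ro)  print "WRITABLE " $1
    }' "$1"
}

# Report NFS mounts in an fstab whose option list lacks nosuid.
audit_fstab() {
    awk '
    /^[ \t]*(#|$)/ { next }
    $3 == "nfs" && ("," $4 ",") !~ /,nosuid,/ { print "SUID-ALLOWED " $2 }
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/exports" <<'EOF'
# constructed sample server /etc/exports
/usr/home -maproot=root client1.example.org
/usr/src -ro -maproot=nobody client1.example.org
/usr/ports -ro client2.example.org
EOF

cat > "$tmp/fstab" <<'EOF'
# constructed sample client /etc/fstab
server.example.org:/usr/home /home nfs rw 0 0
server.example.org:/usr/src /usr/src nfs ro,nosuid 0 0
/dev/sd0a / ufs rw 1 1
EOF

audit_exports "$tmp/exports"
audit_fstab "$tmp/fstab"
```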

