From owner-freebsd-security Thu Apr 2 16:47:44 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA12645 for freebsd-security-outgoing; Thu, 2 Apr 1998 16:47:44 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA12515 for ; Thu, 2 Apr 1998 16:47:25 -0800 (PST) (envelope-from narvi@haldjas.folklore.ee)
Received: from haldjas.folklore.ee (haldjas.folklore.ee [172.17.2.1] (may be forged)) by haldjas.folklore.ee (8.8.8/8.8.4) with SMTP id PAA13820; Thu, 2 Apr 1998 15:26:25 +0300 (EEST)
Date: Thu, 2 Apr 1998 15:26:25 +0300 (EEST)
From: Narvi
To: Anton Voronin
cc: Alfred Perlstein , freebsd-security@FreeBSD.ORG
Subject: Re: Is there a safe way for filesystem export?
In-Reply-To: <35237E24.CF00B4D5@urc.ac.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Thu, 2 Apr 1998, Anton Voronin wrote:

> Alfred Perlstein wrote:
> >
> > I'd suggest -maproot=nobody
> > also, make whatever dirs readonly if possible and nosuid where applicable.
> >
> > -Alfred
>
> Unfortunately, mapping root to nobody is impossible while xdm writes into
> .Xauthority in users' home directories and dirs like authdir or xkb.compiled.
> I'm afraid this topic is out of this mailing list, but would appreciate any
> advice on how to avoid the need of mapping root to root.
>

I think there is an option to NFS to use Kerberos tickets to authenticate
users/user actions.

Also, the home directories *should* be mounted nosuid on all of the clients
*and* the server. The real problem is not the users smuggling in setuid
programs but the users having access to other users' data they should not see.

	Sander

	There is no love, no good, no happiness and no future -
	all these are just illusions.
> [snip]
>
> --
> Anton Voronin | Ural Regional Center of FREEnet,
> | Southern Ural University, Chelyabinsk, Russia
> http://www.urc.ac.ru/~anton | Student / programmer / system administrator
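
Added example, not part of the original message or of FreeBSD itself: a small audit of exports(5) and fstab(5) text for the three settings raised in the thread (root mapped to root, read-write exports, NFS mounts without nosuid). Host names, paths and the finding labels are constructed, and it assumes one export per line with no backslash continuations.

```shell
#!/bin/sh
# Added example: flag the NFS settings discussed in the thread.
# All hosts, paths and finding labels below are constructed for illustration.

# Read exports(5) text on stdin; print one finding per risky export line.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        root = 0; ro = 0
        for (i = 2; i <= NF; i++) {
            # -maproot=user[:group...]; uid 0 / "root" disables root mapping
            if ($i == "-maproot=root" || $i == "-maproot=0" ||
                $i ~ /^-maproot=(root|0):/) root = 1
            if ($i == "-ro") ro = 1
        }
        if (root) print "ROOT-AS-ROOT " $1   # the case Anton wants to avoid
        if (!ro)  print "READ-WRITE " $1     # review: can it be exported -ro?
    }'
}

# Read fstab(5) text on stdin; print NFS mounts that lack the nosuid option.
audit_fstab() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }
    $3 == "nfs" {
        n = split($4, opt, ","); nosuid = 0
        for (i = 1; i <= n; i++) if (opt[i] == "nosuid") nosuid = 1
        if (!nosuid) print "SUID-ALLOWED " $2
    }'
}

# Constructed sample /etc/exports (server side).
sample_exports() {
cat <<'EOF'
# constructed sample
/home -maproot=root client1.example.org
/usr/ports -ro -maproot=nobody client1.example.org
/var/spool/shared -maproot=nobody client2.example.org
EOF
}

# Constructed sample /etc/fstab (client side).
sample_fstab() {
cat <<'EOF'
server.example.org:/home /home nfs rw 0 0
server.example.org:/usr/ports /usr/ports nfs ro,nosuid 0 0
EOF
}

sample_exports | audit_exports
sample_fstab | audit_fstab
```

On a real system, feed it the live files, e.g. `audit_exports < /etc/exports` on the server and `audit_fstab < /etc/fstab` on each client.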