Date:      Tue, 03 Mar 2009 18:10:51 +0200
From:      Manolis Kiagias <sonic2000gr@gmail.com>
To:        Lazaro Daniel Salem <SALEM@StatoilHydro.com>,  mailto:lazaro.d.salem@gmail.com
Cc:        doc@FreeBSD.org
Subject:   Re: FreeBSD Jumpstart Guide
Message-ID:  <49AD568B.10201@gmail.com>
In-Reply-To: <C2119180D36EF54A97C37702A529941F0121D7A3@ST-EXCL13.statoil.net>
References:  <C2119180D36EF54A97C37702A529941F0121D7A3@ST-EXCL13.statoil.net>

Lazaro Daniel Salem wrote:
> Hi! 
>  
> In this very nice article  
>  
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pxe/article.html
>  
> it is said:
>  
> Warning!!: This procedure will make the "Server" both insecure and
> dangerous, it is best to just keep the "Server" on its own hub and not
> in any way accessible by any machines other than the "Clients".
> <http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pxe/article.html>
>  
> I assume exporting NFS to the whole (sub)network and running tftp makes
> the system more vulnerable though I am not sure I remember all the
> details.

Just by reading the article (and not ever having performed this) it
seems this is the insecure part:

(/etc/exports)

/usr -alldirs -ro

This is exporting to the whole world - in theory someone from the
Internet could mount it.
It would be a lot safer if it were:

/usr   -network 10.8.253.0 -mask 255.255.255.0 -alldirs -ro

(using the network the author provides in the sample dhcpd.conf)

In theory DHCP would assign you an address that would have access to
this, and you would not have to share /usr to the entire planet.  I
don't know if I am overlooking something though.


