From owner-freebsd-bugs@FreeBSD.ORG  Fri Jan 30 07:40:21 2004
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 84C0616A4CE
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 30 Jan 2004 07:40:21 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2256A43D58
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 30 Jan 2004 07:40:17 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	i0UFeGFR076168	for <freebsd-bugs@freefall.freebsd.org>;
	Fri, 30 Jan 2004 07:40:16 -0800 (PST)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i0UFeGXt076167;
	Fri, 30 Jan 2004 07:40:16 -0800 (PST)
	(envelope-from gnats)
Date: Fri, 30 Jan 2004 07:40:16 -0800 (PST)
Message-Id: <200401301540.i0UFeGXt076167@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Matthew West <mwest@uct.ac.za>
Subject: Re: misc/61774: nis security issue
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Matthew West <mwest@uct.ac.za>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jan 2004 15:40:21 -0000

The following reply was made to PR misc/61774; it has been noted by GNATS.

From: Matthew West <mwest@uct.ac.za>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: misc/61774: nis security issue
Date: Fri, 30 Jan 2004 17:34:05 +0200

 Using export(5)'s maproot option doesn't prevent a user on an NFS
 client from becoming root, and then using "su" to become another user
 and access that user's files.
 
 A solution to this problem is to use Kerberos tickets instead of Unix
 user credentials.  Unfortunately, FreeBSD does not currently have a
 Kerberised NFS implementation.
 
 You could try using something other than NFS to allow clients access
 to their files; likely candidates are Coda, AFS and SFS.
 
 SFS (http://www.fs.net/ - ports/security/sfs) is probably the easiest
 to get going with, as you don't need to have a pre-existing Kerberos
 infrastructure to use it.