From owner-cvs-all@FreeBSD.ORG  Fri Jan 14 14:01:24 2005
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id BFD7816A4CE; Fri, 14 Jan 2005 14:01:24 +0000 (GMT)
Received: from gw.celabo.org (gw.celabo.org [208.42.49.153])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 69E8F43D31; Fri, 14 Jan 2005 14:01:24 +0000 (GMT)
	(envelope-from nectar@celabo.org)
Received: from lum.celabo.org (lum.celabo.org [10.0.1.107])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "lum.celabo.org", Issuer "celabo.org CA" (verified OK))
	by gw.celabo.org (Postfix) with ESMTP id 9E49B3E395F;
	Fri, 14 Jan 2005 08:01:23 -0600 (CST)
Received: by lum.celabo.org (Postfix, from userid 1001)
	id E35DA563476; Fri, 14 Jan 2005 08:01:22 -0600 (CST)
Date: Fri, 14 Jan 2005 08:01:22 -0600
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: John-Mark Gurney <gurney_j@resnet.uoregon.edu>
Message-ID: <20050114140122.GC8477@lum.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine" <nectar@FreeBSD.org>,
	John-Mark Gurney <gurney_j@resnet.uoregon.edu>,
	Giorgos Keramidas <keramida@ceid.upatras.gr>,
	Ceri Davies <ceri@submonkey.net>, src-committers@FreeBSD.org,
	cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
References: <20050113153228.GG49329@submonkey.net>
	<200501131849.j0DInEEE029957@gw.catspoiler.org>
	<20050113185323.GI49329@submonkey.net>
	<20050113190755.GA24939@orion.daedalusnetworks.priv>
	<20050113193413.GL19624@funkthat.com> <20050113204154.GA829@gothmog.gr>
	<20050113205528.GA83599@hellblazer.celabo.org>
	<20050113215132.GM19624@funkthat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050113215132.GM19624@funkthat.com>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.6i
cc: Giorgos Keramidas <keramida@ceid.upatras.gr>
cc: cvs-src@FreeBSD.org
cc: Ceri Davies <ceri@submonkey.net>
cc: cvs-all@FreeBSD.org
cc: src-committers@FreeBSD.org
Subject: Re: cvs commit: src/etc/periodic/security 100.chksetuid
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jan 2005 14:01:24 -0000

On Thu, Jan 13, 2005 at 01:51:32PM -0800, John-Mark Gurney wrote:
> Most nfs installs, you have control over the server, and are probably
> already running something similar on the server... If you are mounting
> "untrusted" shares, as you said, they should be mounted nosetuid or noexec,
> and if you really need it not mounted noexec, then we should provide an
> include of non-local fs's...

I was thinking of an active attacker on the network, in which case it
doesn't matter if you have control over the server or not.

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org