Date: Tue, 22 Jul 1997 07:34:59 +0200
From: Andreas Klemm <andreas@klemm.gtn.com>
To: Warner Losh <imp@rover.village.org>
Cc: Terry Lambert <terry@lambert.org>, sthaug@nethelp.no, hackers@FreeBSD.ORG
Subject: Re: sendmail complains about being unable to write his pid file
Message-ID: <19970722073459.03298@gtn.com>
In-Reply-To: <E0wqQHZ-0002PY-00@rover.village.org>; from Warner Losh on Mon, Jul 21, 1997 at 03:46:17PM -0600
References: <199707212106.OAA11898@phaeton.artisoft.com> <E0wqQHZ-0002PY-00@rover.village.org>

On Mon, Jul 21, 1997 at 03:46:17PM -0600, Warner Losh wrote:
> In message <199707212106.OAA11898@phaeton.artisoft.com> Terry Lambert writes:
> : Can you please explain how root ownership makes something more secure?
>
> Files owned by root are harder to change via NFS than files owned by
> bin. root access on NFS is generally blocked, but not so with other,
> non-zero uids.

Right! I also experienced that fact once again in detail, when teaching
an NFS course in our company. You have to give root access explicitly
with the export flag

    root=client_machine_1:...:client_machine_n

When adding hosts to /etc/hosts.equiv on the server you say your
NFS client accounts are the same as on your local machine, in some
computing environment it's necessary to do so ...

Figure out what happens, if a client machine decides to compromise
the server by making bin a login account ;-) Especially, if the
client was given 'rw' or 'access' rights.

I'd also recommend strongly, to change permissions to root root.wheel
where possible!

-- 
Andreas Klemm | klemm.gtn.com - powered by Symmetric MultiProcessor FreeBSD
http://www.freebsd.org/~fsmp/SMP/SMP.html
http://www.freebsd.org/~fsmp/SMP/benches.html
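
An added example, not part of the original message: a Python audit of an exported tree that applies the point made above, reporting entries that a non-root uid presented by an NFS client could modify. It assumes the server maps client root to an unprivileged uid unless `root_mapped=False` is passed (modelling an export with a `root=` grant); the function names are hypothetical.

```python
import os
import stat
import sys


def nfs_exposure(st_uid, st_mode, root_mapped=True):
    """Return why a remote NFS client could modify this entry, or None.

    root_mapped=True models an export without a root= grant: requests
    from client uid 0 are mapped to an unprivileged uid on the server.
    """
    if st_mode & stat.S_IWOTH:
        return "world-writable"
    if st_mode & stat.S_IWGRP:
        return "group-writable"
    if st_uid != 0:
        # The owner can write, or chmod and then write; a client only has
        # to present this uid (for example a 'bin' login account).
        return "owned by uid %d" % st_uid
    if not root_mapped:
        return "root-owned, but export grants root"
    return None


def audit_tree(top, root_mapped=True):
    """Walk an exported directory and list (path, reason) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(top):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes carry no access information
            reason = nfs_exposure(st.st_uid, st.st_mode, root_mapped)
            if reason:
                findings.append((path, reason))
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    for path, reason in audit_tree(sys.argv[1]):
        print("%s: %s" % (path, reason))
```

Run it on the server against the exported directory; entries it reports are candidates for the root-ownership change recommended in the message.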