From owner-freebsd-hackers  Tue Jul 22 06:52:57 1997
Return-Path: <owner-freebsd-hackers>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id GAA29112
          for hackers-outgoing; Tue, 22 Jul 1997 06:52:57 -0700 (PDT)
Received: from news1.gtn.com (news1.gtn.com [194.77.0.15])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA29101
          for <hackers@FreeBSD.ORG>; Tue, 22 Jul 1997 06:52:49 -0700 (PDT)
Received: (from uucp@localhost) by news1.gtn.com (8.7.2/8.7.2) with UUCP id PAA29436; Tue, 22 Jul 1997 15:30:24 +0200 (MET DST)
Received: (from andreas@localhost)
	by klemm.gtn.com (8.8.6/8.8.6) id HAA16792;
	Tue, 22 Jul 1997 07:34:59 +0200 (CEST)
Message-ID: <19970722073459.03298@gtn.com>
Date: Tue, 22 Jul 1997 07:34:59 +0200
From: Andreas Klemm <andreas@klemm.gtn.com>
To: Warner Losh <imp@rover.village.org>
Cc: Terry Lambert <terry@lambert.org>, sthaug@nethelp.no, hackers@FreeBSD.ORG
Subject: Re: sendmail complains about being unable to write his pid file
References: <199707212106.OAA11898@phaeton.artisoft.com> <E0wqQHZ-0002PY-00@rover.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.79
In-Reply-To: <E0wqQHZ-0002PY-00@rover.village.org>; from Warner Losh on Mon, Jul 21, 1997 at 03:46:17PM -0600
X-Disclaimer: A free society is one where it is safe to be unpopular
X-Operating-System: FreeBSD 3.0-CURRENT SMP
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, Jul 21, 1997 at 03:46:17PM -0600, Warner Losh wrote:
> In message <199707212106.OAA11898@phaeton.artisoft.com> Terry Lambert writes:
> : Can you please explain how root ownership makes something more secure?
> 
> 
> Files owned by root are harder to change via NFS than files owned by
> bin.  root access n NFS is generally blocked, but no so with other,
> non-zero uids.

Right ! I also experienced that fact once again in detail, when
teaching a NFS course in our company.

You have to give root access explicitely with the export flag
root=client_machine_1:...:client_machine_n

When adding hosts to /etc/hosts.equiv on the server you say your
NFS client accounts are the same as on your local machine, in
some computing environment it's necessary to do so ...

Figure out what happens, if a client machine decides to compromise the
server by making bin a login account ;-) Especially, if the client
was given ,rw' or ,access' rights.

I'd also recommend strongly, to change permissions to root root.wheel
where possible !

-- 
Andreas Klemm | klemm.gtn.com - powered by
                    Symmetric MultiProcessor FreeBSD
                       http://www.freebsd.org/~fsmp/SMP/SMP.html
                          http://www.freebsd.org/~fsmp/SMP/benches.html