Date: Mon, 26 Aug 1996 09:39:44 -0700 (PDT) From: "Rodney W. Grimes" <rgrimes@GndRsh.aac.dev.com> To: pst@shockwave.com (Paul Traina) Cc: CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-etc@freefall.freebsd.org, cvs-usrsbin@freefall.freebsd.org Subject: Re: cvs commit: src/etc/mtree BSD.var.dist src/usr.sbin/rwhod rwhod.c Message-ID: <199608261639.JAA18817@GndRsh.aac.dev.com> In-Reply-To: <199608261538.IAA12326@precipice.shockwave.com> from Paul Traina at "Aug 26, 96 08:38:44 am"
next in thread | previous in thread | raw e-mail | index | archive | help
> Introduce NFS and you eliminate security anyway.
^^^^^^^^^ pretty strong word, you may decrease it,
but you don't eliminate it. I'm not so worried about hackers as I am about
stupid things done by clients (people) on NFS clients (machines) that
otherwise have reasonably restricted access to the server.
> It's actually 775 daemon.daemon I believe.
That I can live with.
> If you have a better suggestion, I'm all ears. It's currently a compromise.
Run as sgid daemon perhaps? And make the /var/rwho directory mode 575.
> From: "Rodney W. Grimes" <rgrimes@GndRsh.aac.dev.com>
> Subject: Re: cvs commit: src/etc/mtree BSD.var.dist src/usr.sbin/rwhod rwhod
> >>.c
> > pst 96/08/25 14:37:12
> >
> > Modified: etc/mtree BSD.var.dist
> > usr.sbin/rwhod rwhod.c
> > Log:
> > Fix buffer overrun, and run as nobody
>
> Hummm... I take it that you set /var/rwho nobody:whoever mode 755, which
> now means /var/rwho is open for writting into if /var is NFS exported...
> and all the datafiles will be smashable by other NFS hosts :-(.
>
>
> --
> Rod Grimes rgrimes@gndrsh.aac.dev.com
> Accurate Automation Company Reliable computers for FreeBSD
>
--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199608261639.JAA18817>