Date: Thu, 2 Apr 1998 06:13:11 -0500
From: "Alfred Perlstein" <perlsta@cs.sunyit.edu>
To: "Anton Voronin" <anton@urc.ac.ru>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Is there a safe way for filesystem export?
Message-ID: <00c401bd5e28$5346e5e0$0600a8c0@win95.local.sunyit.edu>

I'd suggest -maproot=nobody
Also, make whatever dirs readonly if possible and nosuid where applicable.

-Alfred

-----Original Message-----
From: Anton Voronin <anton@urc.ac.ru>
To: freebsd-security@FreeBSD.ORG <freebsd-security@FreeBSD.ORG>
Date: Thursday, April 02, 1998 1:12 AM
Subject: Is there a safe way for filesystem export?

>Greetings,
>
>I have an application server working under 2.2-STABLE which also exports
>filesystems for workstations which boot by means of netboot from their local
>DOS-partition. They do not have local unix partitions, except swap, /tmp and
>/var/tmp partitions. If the user simply cracks BIOS and boots from FreeBSD
>diskette, he can mount a partition from the server which is exported for
>read/write and not mapping root to nobody, and, say, place there a setuid file
>that runs shell.
>
>Is there a possibility to authenticate NFS client not only by its IP-address
>but by some more secure way? Or could it be a subject for further development
>(if it is not limited by NFS principals)?
>
>--
>Anton Voronin | Ural Regional Center of FREEnet,
><anton@urc.ac.ru> | Southern Ural University, Chelyabinsk, Russia
>http://www.urc.ac.ru/~anton | Student / programmer / system administrator
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe security" in the body of the message
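
An added example, not part of the original message or of FreeBSD: a small Python check that reads exports(5)- and fstab(5)-style text and reports the three settings named in the reply (an explicit -maproot/-mapall to root, a missing -ro, and NFS mounts without nosuid). The sample files, host names and network below are constructed for illustration.

```python
# Constructed sample files (assumptions, not taken from the thread).
SAMPLE_EXPORTS = """\
# diskless workstation roots
/export/ws -maproot=root -network 192.168.6.0 -mask 255.255.255.0
/usr -ro -maproot=nobody ws1 ws2
/home -maproot=nobody \\
      ws1 ws2
"""
SAMPLE_FSTAB = """\
server:/usr   /usr   nfs  ro,nosuid  0 0
server:/home  /home  nfs  rw         0 0
"""

def logical_lines(text):
    """Drop comments and blank lines; join backslash-continued lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def audit_exports(text):
    """Return {first exported path: [findings]} for each export line."""
    report = {}
    for line in logical_lines(text):
        tokens = line.split()
        opts = [t for t in tokens if t.startswith("-")]
        findings = []
        for opt in opts:
            name, _, value = opt.partition("=")
            if name in ("-maproot", "-mapall") and value.split(":")[0] in ("root", "0"):
                findings.append("client root keeps root on the server")
        if not {"-ro", "-o"} & set(opts):  # -o is a synonym for -ro
            findings.append("exported read/write")
        report[tokens[0]] = findings
    return report

def audit_fstab(text):
    """Return mount points of NFS entries mounted without nosuid."""
    rows = (l.split() for l in logical_lines(text))
    return [f[1] for f in rows
            if len(f) >= 4 and f[2] == "nfs" and "nosuid" not in f[3].split(",")]
```

On the constructed input, only `/usr` passes all checks: `/export/ws` maps root to root and is writable, and `/home` is writable on the server and mounted without nosuid on the client.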