From owner-freebsd-security Thu Apr 2 03:17:19 1998
Return-Path:
Received: (from majordom@localhost)
        by hub.freebsd.org (8.8.8/8.8.8) id DAA23165
        for freebsd-security-outgoing; Thu, 2 Apr 1998 03:17:19 -0800 (PST)
        (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fang.cs.sunyit.edu (root@fang.cs.sunyit.edu [192.52.220.66])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA23155
        for ; Thu, 2 Apr 1998 03:17:13 -0800 (PST)
        (envelope-from perlsta@cs.sunyit.edu)
Received: from win95.local.sunyit.edu (A-T34.rh.sunyit.edu [150.156.210.241])
        by fang.cs.sunyit.edu (8.8.5/8.7.3) with SMTP id GAA29890;
        Thu, 2 Apr 1998 06:17:59 GMT
Message-ID: <00c401bd5e28$5346e5e0$0600a8c0@win95.local.sunyit.edu>
From: "Alfred Perlstein"
To: "Anton Voronin" ,
Subject: Re: Is there a safe way for filesystem export?
Date: Thu, 2 Apr 1998 06:13:11 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="KOI8-R"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

I'd suggest -maproot=nobody

Also, make whatever dirs read-only if possible and nosuid where applicable.

-Alfred

-----Original Message-----
From: Anton Voronin
To: freebsd-security@FreeBSD.ORG
Date: Thursday, April 02, 1998 1:12 AM
Subject: Is there a safe way for filesystem export?

>Greetings,
>
>I have an application server working under 2.2-STABLE which also exports
>filesystems for workstations which boot by means of netboot from their local
>DOS-partition. They do not have local unix partitions, except swap, /tmp and
>/var/tmp partitions. If the user simply cracks BIOS and boots from FreeBSD
>diskette, he can mount a partition from the server which is exported for
>read/write and not mapping root to nobody, and, say, place there a setuid file
>that runs shell.
>
>Is there a possibility to authenticate NFS client not only by its IP-address
>but by some more secure way? Or could it be a subject for further development
>(if it is not limited by NFS principals)?
>
>--
>Anton Voronin               | Ural Regional Center of FREEnet,
>                            | Southern Ural University, Chelyabinsk, Russia
>http://www.urc.ac.ru/~anton | Student / programmer / system administrator
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe security" in the body of the message
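
Added example, not part of the original thread: a small audit of an exports(5) file that checks for the three settings suggested in the reply (-maproot=nobody, read-only, nosuid). The sample file, its paths and host names, the function name audit_exports and the HIGH/MEDIUM/LOW labels are all assumptions made for illustration.

```python
# Constructed sample in FreeBSD exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# netboot workstations
/export/root   -maproot=root ws1 ws2
/export/home   -maproot=nobody ws1 ws2
/usr           -ro -maproot=0:0 ws1 ws2
/export/share  -ro -maproot=nobody ws1 ws2
"""

ROOT_NAMES = {"root", "0"}


def audit_exports(text):
    """Return (line_number, path, severity, reason) for each risky export line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path = fields[0]
        opts = [f for f in fields[1:] if f.startswith("-")]
        read_only = "-ro" in opts
        # Per exports(5), without -maproot/-mapall remote root is mapped to an
        # unprivileged credential, so only an explicit root mapping is flagged.
        keeps_root = any(
            o.split("=", 1)[1].split(":")[0] in ROOT_NAMES
            for o in opts
            if o.startswith(("-maproot=", "-mapall="))
        )
        if keeps_root and not read_only:
            findings.append((lineno, path, "HIGH",
                             "remote root is uid 0 on a writable export"))
        elif keeps_root:
            findings.append((lineno, path, "MEDIUM",
                             "remote root is uid 0 (read-only)"))
        elif not read_only:
            findings.append((lineno, path, "LOW",
                             "writable; mount nosuid wherever it is used"))
    return findings


if __name__ == "__main__":
    for lineno, path, severity, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path}: {severity}: {reason}")
```

The LOW finding is where nosuid applies: it is a mount option, set in fstab or on the mount command line of each machine that uses the filesystem, not in the exports file.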