Date: Mon, 2 Nov 1998 03:23:16 -0500 (EST)
From: "Matthew N. Dodd"
To: Dima Ruban
cc: jkb@best.com, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: <199811020800.AAA26243@burka.rdy.com>

On Mon, 2 Nov 1998, Dima Ruban wrote:
> Heh. I see you run nfs on your machine. Now tell me, do you actually
> allow weak NFS authentication, or do you actually somehow rely on a
> "privileged port" stuff?

I'm relying on mountd to disallow mount requests from all IPs but known
good ones. Actually, thanks for pointing this out; sasami only uses NFS
for some weird AMD tricks and should even be honoring any portmap
connections from the world. I've fixed this.

(Why can't we get tcpwrappers in tree and enable HBA for portmap by
default?)

> I'm not arguing about whether it's good or bad to have privileged
> ports as they are now. All I'm saying is if packet came from a
> privileged port, then this packet was sent by root. It's a totally
> different question whether you can 100% believe this information.

From a security standpoint, you have to assume that anything you hear is
a lie.

--
| Matthew N. Dodd | 78 280Z | 75 164E | 84 245DL | FreeBSD/NetBSD/Sprite/VMS |
| winter@jurai.net | This Space For Rent | ix86,sparc,m68k,pmax,vax |
| http://www.jurai.net/~winter | Are you k-rad elite enough for my webpage? |