From: dima@best.net (Dima Ruban)
Reply-To: dima@best.net
Organization: HackerDome
Date: Mon, 2 Nov 1998 00:29:48 -0800 (PST)
Message-Id: <199811020829.AAA26460@burka.rdy.com>
Subject: Re: SSH vsprintf patch. (You've been warned Mr. Glass)
In-Reply-To: from "Matthew N. Dodd" at "Nov 2, 1998 3:23:16 am"
To: winter@jurai.net (Matthew N. Dodd)
Cc: dima@best.net, jkb@best.com, peter.jeremy@auss2.alcatel.com.au, freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG

Matthew N. Dodd writes:
> On Mon, 2 Nov 1998, Dima Ruban wrote:
> > Heh. I see you run nfs on your machine. Now tell me, do you actually
> > allow weak NFS authentication, or do you actually somehow rely on a
> > "privileged port" stuff?
>
> I'm relying on mountd to disallow mount requests from all IPs but known
> good ones.

Don't forget about spoofing :-)

> Actually, thanks for pointing this out; sasami only uses NFS for some
> weird AMD tricks and should even be honoring any portmap connections from
> the world. I've fixed this. (Why can't we get tcpwrappers in tree and
> enable HBA for portmap by default?)

Use a firewall.

> > I'm not arguing about whether it's good or bad to have privileged
> > ports as they are now. All I'm saying is if a packet came from a
> > privileged port, then this packet was sent by root. It's a totally
> > different question whether you can 100% believe this information.
>
> From a security standpoint, you have to assume that anything you hear is a
> lie.

There's a small difference between feeling reasonably secure and being
paranoid. You can always disconnect yourself completely from the network,
you know. But since you read this mail, I think it would be safe to make an
assumption that you're trying to be reasonably secure (hey, you kinda trust
sendmail, which runs as root etc etc etc etc)

>
> --
> | Matthew N. Dodd  | 78 280Z | 75 164E | 84 245DL | FreeBSD/NetBSD/Sprite/VMS |
> | winter@jurai.net |      This Space For Rent     | ix86,sparc,m68k,pmax,vax  |
> | http://www.jurai.net/~winter | Are you k-rad elite enough for my webpage? |
>

-- dima