Date:      Thu, 02 Apr 1998 18:01:40 +0600
From:      Anton Voronin <anton@urc.ac.ru>
To:        Alfred Perlstein <perlsta@cs.sunyit.edu>, freebsd-security@FreeBSD.ORG
Subject:   Re: Is there a safe way for filesystem export?
Message-ID:  <35237E24.CF00B4D5@urc.ac.ru>
References:  <00c401bd5e28$5346e5e0$0600a8c0@win95.local.sunyit.edu>

Alfred Perlstein wrote:
> 
> I'd suggest -maproot=nobody
> also, make whatever dirs read-only if possible and nosuid where applicable.
> 
> -Alfred
> 
Unfortunately, mapping root to nobody is impossible while xdm writes into
.Xauthority in users' home directories and dirs like authdir or xkb.compiled.
I'm afraid this topic is off-topic for this mailing list, but I would appreciate
any advice on how to avoid the need to map root to root.


> -----Original Message-----
> From: Anton Voronin <anton@urc.ac.ru>
> To: freebsd-security@FreeBSD.ORG <freebsd-security@FreeBSD.ORG>
> Date: Thursday, April 02, 1998 1:12 AM
> Subject: Is there a safe way for filesystem export?
> 
> >Greetings,
> >
> >I have an application server working under 2.2-STABLE which also exports
> >filesystems for workstations which boot by means of netboot from their local
> >DOS-partition. They do not have local unix partitions, except swap, /tmp and
> >/var/tmp partitions. If the user simply cracks BIOS and boots from FreeBSD
> >diskette, he can mount a partition from the server which is exported for
> >read/write and not mapping root to nobody, and, say, place there a setuid file
> >that runs shell.
> >
> >Is there a possibility to authenticate NFS client not only by its IP-address
> >but by some more secure way? Or could it be a subject for further development
> >(if it is not limited by NFS principles)?
> >

-- 
Anton Voronin                | Ural Regional Center of FREEnet,
<anton@urc.ac.ru>            | Southern Ural University, Chelyabinsk, Russia
http://www.urc.ac.ru/~anton  | Student / programmer / system administrator
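
Added example, not part of the original message: a small Python check that lists exports where remote root is kept as root, the condition discussed in this thread, and whether each such export is also writable. It assumes FreeBSD exports(5) syntax with one export per line and no continuation lines; the sample exports and the names parse_line and audit are constructed for illustration.

```python
# Added example: flag FreeBSD exports(5) entries that keep remote root as root.
ROOT_IDS = {"root", "0"}
TAKES_ARG = {"-network", "-mask"}  # options that may take a separate argument

# Constructed sample input (hosts, networks and paths are made up).
SAMPLE_EXPORTS = """\
# workstation exports (constructed sample)
/usr/home -maproot=root -network 192.0.2.0 -mask 255.255.255.0
/usr/local -ro -maproot=nobody ws1.example.org ws2.example.org
/usr/X11R6 -ro -maproot=0:0 ws1.example.org
/var/scratch ws1.example.org
"""


def parse_line(line):
    """Return (paths, options) for one exports line, or None if it is empty."""
    tokens = line.split("#", 1)[0].split()
    if not tokens:
        return None
    paths, opts = [], {}
    it = iter(tokens)
    for tok in it:
        if tok.startswith("/"):
            paths.append(tok)
        elif tok.startswith("-"):
            name, _, value = tok.partition("=")
            if not value and name in TAKES_ARG:
                value = next(it, "")
            opts[name] = value
        # Remaining tokens are host or netgroup names, not needed here.
    return paths, opts


def audit(text):
    """List (line number, paths, verdict) for exports where root stays root."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        paths, opts = parsed
        # Without -maproot/-mapall, mountd maps remote root to an unprivileged id.
        cred = opts.get("-maproot") or opts.get("-mapall") or ""
        if cred.split(":", 1)[0] not in ROOT_IDS:
            continue
        read_only = "-ro" in opts or "-o" in opts
        findings.append((lineno, paths, "root-ro" if read_only else "root-rw"))
    return findings


if __name__ == "__main__":
    for lineno, paths, verdict in audit(SAMPLE_EXPORTS):
        print(f"line {lineno}: {' '.join(paths)} -> {verdict}")
```

Entries reported as root-rw are the ones where a client that presents uid 0 can write files as root on the server; root-ro entries still let such a client read everything under the export.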
