From owner-freebsd-security  Thu Apr  2 04:03:11 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id EAA28240
          for freebsd-security-outgoing; Thu, 2 Apr 1998 04:03:11 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from newserv.urc.ac.ru (newserv.urc.ac.ru [193.233.85.48])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA28234
          for <freebsd-security@freebsd.org>; Thu, 2 Apr 1998 04:03:03 -0800 (PST)
          (envelope-from anton@urc.ac.ru)
Received: from urc.ac.ru (Belle.urc.ac.ru [193.233.85.55])
	by newserv.urc.ac.ru (8.8.8/8.8.8) with ESMTP id SAA00467;
	Thu, 2 Apr 1998 18:01:42 +0600 (ESS)
	(envelope-from anton@urc.ac.ru)
Message-ID: <35237E24.CF00B4D5@urc.ac.ru>
Date: Thu, 02 Apr 1998 18:01:40 +0600
From: Anton Voronin <anton@urc.ac.ru>
Organization: URC FREEnet
X-Mailer: Mozilla 4.04 [ru] (X11; I; FreeBSD 2.2.5-STABLE i386)
MIME-Version: 1.0
To: Alfred Perlstein <perlsta@cs.sunyit.edu>, freebsd-security@FreeBSD.ORG
Subject: Re: Is there a safe way for filesystem export?
References: <00c401bd5e28$5346e5e0$0600a8c0@win95.local.sunyit.edu>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Alfred Perlstein wrote:
> 
> i'd suggest -maproot=nobody
> also, make whatever dir's readonly if possible and nosuid where applicable.
> 
> -Alfred
> 
Unfortunately, mapping root to nobody is impossible while xdm writes into
.Xauthority in users home directories and dirs like authdir or xkb.compiled.
I'm affraid this topic is out of this mailing list, but would appreciate any
advise on how to avoid the need of mapping root to root.


> -----Original Message-----
> From: Anton Voronin ?anton@urc.ac.ru?
> To: freebsd-security@FreeBSD.ORG ?freebsd-security@FreeBSD.ORG?
> Date: Thursday, April 02, 1998 1:12 AM
> Subject: Is there a safe way for filesystem export?
> 
> ?Greetings,
> ?
> ?I have an application server working under 2.2-STABLE which also exports
> ?filesystems for workstations which boot by means of netboot from their
> local
> ?DOS-partition. They do not have local unix partitions, except swap, /tmp
> and
> ?/var/tmp  partitions. If the user simply cracks BIOS and boots from FreeBSD
> ?diskette, he can mount a partition from the server which is exported for
> ?read/write and not mapping root to nobody, and, say, place there a setuid
> file
> ?that runs shell.
> ?
> ?Is there a possibility to authenticate NFS client not only by its
> IP-address
> ?but by some more secure way? Or could it be a subject for further
> development
> ?(if it is not limited by NFS principals)?
> ?

-- 
Anton Voronin                | Ural Regional Center of FREEnet,
<anton@urc.ac.ru>            | Southern Ural University, Chelyabinsk, Russia
http://www.urc.ac.ru/~anton  | Student / programmer / system administrator

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message