Package: nfs-kernel-server
Version: 1:1.0.10-4
Severity: important

The nfs-kernel-server seems to silently ignore the map_daemon option. I don't know whether uid/gid mapping via ugidd is a feature of nfs-kernel-server or not, i.e. whether map_daemon should work at all; however, silently ignoring the option has (maybe mild, feel free to adjust the proposed severity) security implications:

An administrator may want to use uid/gid mapping for access control (which makes sense in a LAN environment where root is trusted on client computers) and is switching from nfs-user-server to nfs-kernel-server (or is assuming that map_daemon is supported by nfs-kernel-server for any other reason). Instead of reporting an error and refusing to run, the kernel server starts and exports without uid/gid mapping, which leads to (possibly wildly) incorrect access restrictions on the clients.

Suggestion for resolution: When the server finds map_daemon in /etc/exports, it either should honour it or it should refuse to run.

Best regards,

Thiemo

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages nfs-kernel-server depends on:
ii  libc6    2.3.6.ds1-8                     GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.11.14+dfsg-1 common error description library
ii  libgssap 0.10-4                          A mechanism-switch gssapi library
ii  libkrb53 1.4.4-4                         MIT Kerberos runtime libraries
ii  libnfsid 0.18-0                          An nfs idmapping library
ii  librpcse 0.14-2                          allows secure rpc communication us
ii  lsb-base 3.1-22                          Linux Standard Base 3.1 init scrip
ii  nfs-comm 1:1.0.10-4                      NFS support files common to client
ii  ucf      2.0017                          Update Configuration File: preserv

nfs-kernel-server recommends no packages.

-- no debconf information
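
Until the server itself rejects the option, the "refuse to run" behaviour suggested above can be approximated with a pre-flight check on /etc/exports. This is an added example, not part of the original report or of nfs-utils; the function names, the FATAL_OPTIONS set and the sample exports text are assumptions made for illustration.

```python
import re
import sys

# Options that must abort startup. map_daemon is the one named in the report.
FATAL_OPTIONS = {"map_daemon"}
# Constructed sample in exports(5) syntax (not taken from the report).
SAMPLE_EXPORTS = """\
# home directories, uid/gid mapping expected
/home  client1.example.org(rw,map_daemon) \\
       client2.example.org(ro)
/srv/pub  *(ro,all_squash)
"/srv/my data"  192.0.2.0/24(rw,map_daemon,sync)
"""

ENTRY = re.compile(r'^("[^"]*"|\S+)\s*(.*)$')      # export path, then client list
CLIENT = re.compile(r'([^\s()]*)\(([^)]*)\)')      # host(opt,opt,...)

def logical_lines(text):
    """Yield (first_line_no, line): comments stripped, '\\' continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = no if start is None else start
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        if (buf + line).strip():
            yield start, (buf + line).strip()
        buf, start = "", None

def find_fatal_options(text, fatal=FATAL_OPTIONS):
    """Return (line_no, export_path, client, option) for every fatal option."""
    hits = []
    for no, line in logical_lines(text):
        path, rest = ENTRY.match(line).groups()
        for client, opts in CLIENT.findall(rest):
            for opt in opts.split(","):
                name = opt.strip().split("=", 1)[0]
                if name in fatal:
                    hits.append((no, path.strip('"'), client or "<any>", name))
    return hits

if __name__ == "__main__":
    exports = sys.argv[1] if len(sys.argv) > 1 else "/etc/exports"
    with open(exports) as fh:
        found = find_fatal_options(fh.read())
    for no, path, client, opt in found:
        print(f"{exports}:{no}: {path} -> {client}: '{opt}' present", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run it before the server is started and abort the start on a non-zero exit status, so an export that depends on the option is never served without it.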


