Bill Allombert <[EMAIL PROTECTED]> wrote:

>> ... any machines that share user files via writable NFS mounts are
>> vulnerable. (Are vulnerable if you mount an NFS filesystem that is
>> writable to others.)
>
> No that is not true. You need to use root_squash for any semblance of
> security anyway. In that case you can also use squash_gids to prevent
> the attack.

Note that root_squash is default, squash_gids is not; there is no
recommendation to squash_gids staff. My machines do not know about
squash_gids (in "man exports", package nfs-kernel-server, versions
1.0-2woody3 or 1.0.6-3.1); I wonder if non-Debian OSs know. (The issue
of "real" users in group staff also remains.)

> ... I can design a [insecure] system ... Will that make it a Debian bug?

It is your bug if you make it insecure in the default, or in a common,
configuration. It is your bug if you do not warn against the insecure
settings.

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia