On Thu, Mar 17, 2005 at 07:25:56AM +1100, [EMAIL PROTECTED] wrote:
> Bill Allombert <[EMAIL PROTECTED]> wrote:
>
> >> ... any machines that share user files via writable NFS mounts are
> >> vulnerable. (Are vulnerable if you mount an NFS filesystem that is
> >> writable to others.)
> >
> > No that is not true. You need to use root_squash for any semblance of
> > security anyway. In that case you can also use squash_gids to prevent
> > the attack.
>
> Note that root_squash is default, squash_gids is not; there is no

Then the solution is to make squash_gids staff the default.

> recommendation to squash_gids staff. My machines do not know about
> squash_gids (in "man exports", package nfs-kernel-server, versions
> 1.0-2woody3 or 1.0.6-3.1);

At least woody nfs-user-server has it.

> I wonder if non-Debian OSs know.

How is it relevant? This is a server-side setting.

> (The issue of "real" users in group staff also remains.)

There are no users in staff by default. Members of the group staff normally have root access as well. The goal of group staff is to protect against errors, not mischief.

Ho, and if you did not blacklist me I would be in a better mood to discuss with you, thanks.

Please read the bug log for other answers you might have missed.

Cheers,
--
Bill. <[EMAIL PROTECTED]>

Imagine a large red swirl here.
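The server-side check discussed in this message, as an added example that is not part of the original thread or of any Debian package: a small Python audit that flags writable exports which do not squash the staff group. Assumptions: staff has gid 50 (Debian's usual value), only exports explicitly marked `rw` are examined, and the exports lines are constructed sample data.

```python
import re

STAFF_GID = 50  # assumption: Debian's usual gid for group "staff"

SAMPLE = """\
# constructed sample exports file, not taken from the thread
/home    client1(rw,root_squash)
/srv     client2(rw,root_squash,squash_gids=0-15,50)
/export  client3(rw,root_squash,squash_gids=0-49,51-100,sync)
/pub     client4(ro)
/scratch client5(rw,no_root_squash)
"""

def parse_options(optstr):
    """Split an option list; id lists such as squash_gids=0-15,20 contain commas."""
    opts, last = {}, None
    for tok in optstr.split(","):
        tok = tok.strip()
        if last and re.fullmatch(r"\d+(-\d+)?", tok):
            opts[last].append(tok)  # continuation of the preceding id list
            continue
        key, _, val = tok.partition("=")
        opts[key] = [val] if val else []
        last = key if key in ("squash_uids", "squash_gids") else None
    return opts

def gid_squashed(ranges, gid):
    # each entry is a single id "N" or a range "LO-HI"
    return any(int(r.split("-")[0]) <= gid <= int(r.split("-")[-1]) for r in ranges)

def audit(exports_text, gid=STAFF_GID):
    """Return (path, client, reason) for each rw export that leaves gid usable."""
    findings = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = re.fullmatch(r"([^()]*)\((.*)\)", client)
            host, opts = (m.group(1), parse_options(m.group(2))) if m else (client, {})
            if "rw" not in opts:
                continue  # simplification: only explicitly writable exports
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash"))
            elif "all_squash" not in opts and not gid_squashed(opts.get("squash_gids", []), gid):
                findings.append((path, host, "gid %d not squashed" % gid))
    return findings
```

Calling `audit(SAMPLE)` reports `/home` and `/export` (gid 50 falls outside the squashed ranges) and `/scratch` (root is not squashed at all).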