Bill,

>> Though nfs-user-server may "know" about the squash_gids option,
>> nfs-kernel-server does not.
>
> You can emulate squash_gids using the ugidd daemon. Just map staff to
> nogroup.
>
> In fact, most of your problems can be solved with use of ugidd, and this
> is not Debian specific.

Using squash_gids or ugidd would prevent an attacker from creating a setgid-staff object, thus keeping things safe while there are no users in group staff. Neither squash_gids nor ugidd would prevent scribbling over the .bashrc file of, or otherwise trojaning, a user in group staff.

I believe that group staff is pretty useless until you put some users into that group. Using squash_gids or ugidd we can keep it safe in that default but useless state; we cannot make it safe in the useful state.

Would you agree with the above? (Then we should think about groups disk and tty also.)

(The problem is not Debian-specific. Only the policy is; I am not sure if other distributions even have a policy.)

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics
University of Sydney
Australia