*BSD News Article 10228



Received: by minnie.vk1xwt.ampr.org with NNTP
	id AA7497 ; Fri, 22 Jan 93 11:45:45 EST
Newsgroups: comp.unix.bsd
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!uunet!gatech!news.byu.edu!ux1!fcom.cc.utah.edu!cs.weber.edu!terry
From: terry@cs.weber.edu (A Wizard of Earth C)
Subject: Re: PC-NFS and 386BSD
Message-ID: <1993Jan21.214922.9598@fcom.cc.utah.edu>
Sender: news@fcom.cc.utah.edu
Organization: Weber State University  (Ogden, UT)
References: <wmbfmk.727536467@rw8.urc.tue.nl> <CGD.93Jan20080244@eden.CS.Berkeley.EDU>
Date: Thu, 21 Jan 93 21:49:22 GMT
Lines: 52

In article <CGD.93Jan20080244@eden.CS.Berkeley.EDU> cgd@eden.CS.Berkeley.EDU (Chris G. Demetriou) writes:
>In article <wmbfmk.727536467@rw8.urc.tue.nl> wmbfmk@rw8.urc.tue.nl (Marc van Kempen) writes:
>>I have included '/usr -root=0' in my /etc/exports file, and have
>>rebooted several times since, so the file should have been read.
>>
>>Any clues?
>
>yes,
>
>you need to be invoking mountd as "mountd -n".
>
>man mountd for the reason; the answer's plain as day in there...

Well, almost:

	OPTIONS
	     -n   Do not check that the clients are  root  users.  Though
		  this  option makes things slightly less secure, it does
		  allow older versions (pre-3.0) of client NFS to work.


The *method* mountd uses to determine if the client is root is if it
is using a "secure port" (<1024) for the socket it is connecting from.
In a normal TCP/IP implementation, only a user with root credentials is
allowed to allocate a secure port... therefore anyone coming in on one
is assumed to be root.

In reality, this is a somewhat bogus "security" feature, since it is
a "vouchsafe" protection (if you're root there, you can be root here)
rather than some other protection (if you're root here, you can be root
here; so if you don't have the password, beat it!).

An unpatched 386BSD cannot use a reserved port to communicate with
the remote mountd.  Patches have been posted here, and archived in
all the normal places for 386BSD patches, but like I said, the
protection granted is somewhat of a false sense of security.  The main
application would be if you had people on local machines who wrote
programs that acted like NFS clients for the localhost or some other
local machine.


					Terry Lambert
					terry@icarus.weber.edu
					terry_lambert@novell.com
---
Any opinions in this posting are my own and not those of my present
or previous employers.
-- 
-------------------------------------------------------------------------------
                                        "I have an 8 user poetic license" - me
 Get the 386bsd FAQ from agate.berkeley.edu:/pub/386BSD/386bsd-0.1/unofficial
-------------------------------------------------------------------------------
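The "secure port" test Terry describes, written out as an added example (this is not mountd or 386BSD source; the function names and the loopback demo are mine). It shows that the whole policy reduces to comparing the peer's source port against 1024, so the trust rests entirely on the client host's kernel reserving those ports for root; `-n` simply short-circuits the comparison. Error handling in the demo `main` is omitted for brevity.

```c
/* Added example, not mountd or 386BSD source: the reserved-port ("secure
 * port") check discussed in the post, applied to an accepted TCP connection. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/* The entire policy: a source port below 1024 is taken as proof that the
 * caller is root on the client host. check_reserved == false models "mountd -n". */
bool port_is_privileged(unsigned port, bool check_reserved)
{
    return !check_reserved || port < IPPORT_RESERVED;
}

/* Apply the policy to an accepted IPv4 socket.
 * Returns 1 = accept, 0 = reject, -1 = peer address could not be read. */
int peer_is_privileged(int fd, bool check_reserved)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    if (getpeername(fd, (struct sockaddr *)&peer, &len) < 0 || peer.sin_family != AF_INET)
        return -1;
    return port_is_privileged(ntohs(peer.sin_port), check_reserved) ? 1 : 0;
}

/* Demo: connect to ourselves over loopback. Run as an ordinary user, the client
 * side gets an ephemeral (>= 1024) port, so the strict check rejects it while
 * the -n variant accepts it. */
int main(void)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof a;
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs = socket(AF_INET, SOCK_STREAM, 0);
    bind(ls, (struct sockaddr *)&a, alen);
    getsockname(ls, (struct sockaddr *)&a, &alen);   /* learn the port the kernel chose */
    listen(ls, 1);
    connect(cs, (struct sockaddr *)&a, alen);
    int ss = accept(ls, NULL, NULL);
    printf("strict check: %d, with -n: %d\n",
           peer_is_privileged(ss, true), peer_is_privileged(ss, false));
    close(ss); close(cs); close(ls);
    return 0;
}
```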