Received: by minnie.vk1xwt.ampr.org with NNTP id AA7497 ; Fri, 22 Jan 93 11:45:45 EST
Newsgroups: comp.unix.bsd
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!uunet!gatech!news.byu.edu!ux1!fcom.cc.utah.edu!cs.weber.edu!terry
From: terry@cs.weber.edu (A Wizard of Earth C)
Subject: Re: PC-NFS and 386BSD
Message-ID: <1993Jan21.214922.9598@fcom.cc.utah.edu>
Sender: news@fcom.cc.utah.edu
Organization: Weber State University (Ogden, UT)
References: <wmbfmk.727536467@rw8.urc.tue.nl> <CGD.93Jan20080244@eden.CS.Berkeley.EDU>
Date: Thu, 21 Jan 93 21:49:22 GMT
Lines: 52

In article <CGD.93Jan20080244@eden.CS.Berkeley.EDU> cgd@eden.CS.Berkeley.EDU (Chris G. Demetriou) writes:
>In article <wmbfmk.727536467@rw8.urc.tue.nl> wmbfmk@rw8.urc.tue.nl (Marc van Kempen) writes:
>>I have included '/usr -root=0' in my /etc/exports file, and have
>>rebooted several times since, so the file should have been read.
>>
>>Any clues?
>
>yes,
>
>you need to be invoking mountd as "mountd -n".
>
>man mountd for the reason; the answer's plain as day in there...

Well, almost:

OPTIONS
     -n      Do not check that the clients are root users.  Though this
             option makes things slightly less secure, it does allow older
             versions (pre-3.0) of client NFS to work.

The *method* mountd uses to determine if the client is root is if it is
using a "secure port" (<1024) for the socket it is connecting from.  In
a normal TCP/IP implementation, only a user with root credentials is
allowed to allocate a secure port... therefore anyone coming in on one is
assumed to be root.

In reality, this is a somewhat bogus "security" feature, since it is a
"vouchsafe" protection (if you're root there, you can be root here) rather
than some other protection (if you're root here, you can be root here; so if
you don't have the password, beat it!).

An unpatched 386BSD can not use a reserved port to communicate with the
remote mountd.  Patches have been posted here, and archived in all the
normal places for 386BSD patches, but like I said, the protection granted
is somewhat a false sense of security.  The main application would be if
you had people on local machines who wrote programs that acted like NFS
clients for the localhost or some other local machine.


					Terry Lambert
					terry@icarus.weber.edu
					terry_lambert@novell.com
---
Any opinions in this posting are my own and not those of
my present or previous employers.
-- 
-------------------------------------------------------------------------------
                                        "I have an 8 user poetic license" - me
 Get the 386bsd FAQ from agate.berkeley.edu:/pub/386BSD/386bsd-0.1/unofficial
-------------------------------------------------------------------------------
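
The reserved-port test described in the post, as an added C example that is not part of the original post and is not mountd's own source. The function names, the `MNT` payload and the loopback exchange are assumptions made for illustration; `no_root_check` stands in for `mountd -n`.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define RESERVED_LIMIT 1024  /* ports below this are "secure" ports */

/* 1 if the request's IPv4 source port is a reserved port, else 0. */
int from_reserved_port(const struct sockaddr_in *peer)
{
    return peer->sin_family == AF_INET && ntohs(peer->sin_port) < RESERVED_LIMIT;
}

/* no_root_check models "mountd -n": accept without looking at the port. */
int mount_request_allowed(const struct sockaddr_in *peer, int no_root_check)
{
    return no_root_check || from_reserved_port(peer);
}

/* Datagram to ourselves from an unbound client socket (ephemeral source port).
 * Returns the server-side verdict: 1 allowed, 0 refused, -1 on socket error. */
int loopback_verdict(int no_root_check)
{
    struct sockaddr_in srv, peer;
    socklen_t slen = sizeof srv, plen = sizeof peer;
    char buf[8];
    int verdict = -1;
    int s = socket(AF_INET, SOCK_DGRAM, 0), c = socket(AF_INET, SOCK_DGRAM, 0);

    memset(&srv, 0, sizeof srv);
    srv.sin_family = AF_INET;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* port 0: kernel picks one */
    if (s >= 0 && c >= 0 &&
        bind(s, (struct sockaddr *)&srv, sizeof srv) == 0 &&
        getsockname(s, (struct sockaddr *)&srv, &slen) == 0 &&
        sendto(c, "MNT", 3, 0, (struct sockaddr *)&srv, sizeof srv) == 3 &&
        recvfrom(s, buf, sizeof buf, MSG_DONTWAIT, (struct sockaddr *)&peer, &plen) == 3)
        verdict = mount_request_allowed(&peer, no_root_check);
    if (s >= 0) close(s);
    if (c >= 0) close(c);
    return verdict;
}

int main(void)
{
    printf("default: %d  with -n: %d\n", loopback_verdict(0), loopback_verdict(1));
    return 0;
}
```

The client socket here never binds a reserved port, so the default check refuses it and only the `-n` behaviour lets it through, which is the position of the unpatched 386BSD client in the post. The check looks only at the source port the remote host reports, not at any credential the server can verify.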