*BSD News Article 68299



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mira.net.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!solace!nntp.uio.no!news.cais.net!news.mathworks.com!newsfeed.internetmci.com!in1.uu.net!news.artisoft.com!usenet
From: Terry Lambert <terry@lambert.org>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Can FreeBSD mount Netbeui volumes?
Date: Sat, 11 May 1996 14:58:52 -0700
Organization: Me
Lines: 42
Message-ID: <31950D9C.15C6228A@lambert.org>
References: <postmaster-0905961001120001@206.65.200.5>
	  <319404CD.33E93F68@lambert.org> <4n1urr$rjj@uriah.heep.sax.de>
NNTP-Posting-Host: hecate.artisoft.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 2.01 (X11; I; Linux 1.1.76 i486)

J Wunsch wrote:
] 
] Terry Lambert <terry@lambert.org> wrote:
] 
] > Linux supports mounting remote shares as a file system as well
] > -- with system level security, which is a big, big security
] > hole. FreeBSD doesn't, not because it isn't possible, but
] > because of the security considerations.
] 
] To be fair: And because nobody got round to implementing it.

I ported the smbclient code as an FS a while ago.  It's almost
trivial -- mostly grunt work and interface pounding, really.

But the security model in BSD (and UNIX, in general) needs to
change for it to be practical for anything but single user
machines not offering authentication services (telnet/rlogin/ftp/
http/gopher/nfs/etc.).
 
] However, the security considerations are to be taken seriously.
] I could however think of a model where an SMB file system can
] be used to access all the services marked `public'.

You could, but it redefines public from meaning "accessible to
any authenticated user" to meaning "accessible to any user,
authenticated or not".

Because the UNIX box would authenticate once and could
credential gateway by proxy any user from the internet or
dialup lines onto the thing.  Which violates the credential
model in SMB (which doesn't support the concept "proxy").

Any time you start permitting proxy when "emulating" a DOS
client to a network server (LANMan, NetWare, ATP, etc.), you
break security.


                                        Terry Lambert
                                        terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.