*BSD News Article 94751


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!cpk-news-hub1.bbnplanet.com!cam-news-hub1.bbnplanet.com!news.bbnplanet.com!news.mathworks.com!mvb.saic.com!pacifier!deraadt
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.os.linux.networking,comp.unix.bsd.freebsd.misc,comp.unix.bsd.misc
Subject: Re: NFS with free bsd and linux
Followup-To: comp.os.linux.networking,comp.unix.bsd.freebsd.misc,comp.unix.bsd.misc
Date: 30 Apr 1997 05:18:36 GMT
Organization: Pacifier BBS, Vancouver, Wa.  ((360) 693-0325)
Lines: 28
Message-ID: <DERAADT.97Apr29231836@zeus.pacifier.com>
References: <33658E27.3EAD@them.com> <01bc5478$ca8a4800$f3e94dc2@hugo09.ticsoft.de>
	<5k5vgn$aio@monad.swb.de>
NNTP-Posting-Host: zeus.theos.com
In-reply-to: okir@monad.swb.de's message of 30 Apr 1997 01:16:39 +0200
Xref: euryale.cc.adfa.oz.au comp.os.linux.networking:77140 comp.unix.bsd.freebsd.misc:39985 comp.unix.bsd.misc:3119


In article <5k5vgn$aio@monad.swb.de> okir@monad.swb.de (Olaf Kirch) writes:
   Patrick M. Hausen (hausen@punkt.de) wrote:
   : Use a privileged port for the mount - it's an option to mount(8),
   : something like -p or -P or similar.
   : Have a look at the manual page, I'm typing this from memory ;-)
   : 
   : This is a - braindamaged, IMHO - way of Linux, Solaris and some
   : other Unices to "enhance security".

   You can see from the recent CERT advisory on BSD file handle guessing
   that it's not such a bad idea after all to make the server check the
   port number. If allowing your users to guess file handles _and_ present
   them to the server no questions asked qualifies at all, then it's
   for the `braindamaged' category.

   While I agree that minimal security is not all we should aim for, it's
   definitely better than none at all.

Olaf,

First of all, it was an SNI advisory, not a CERT advisory.  And we've
found many more NFS and RPC problems since then.  It has been quite
amusing and entertaining for us to fix them.

--
This space not left unintentionally unblank.		deraadt@openbsd.org
www.OpenBSD.org -- We're fixing security problems so you can sleep at night.
(If it wasn't so fascinating I might get some sleep myself...)