Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.Hawaii.Edu!news.caldera.com!enews.sgi.com!newshub1.home.com!newshub2.home.com!news.home.com!howland.erols.net!news.maxwell.syr.edu!news-was.dfn.de!news-fra1.dfn.de!news-koe1.dfn.de!main.Germany.EU.net!Hanover.Germany.EU.net!Hamburg.Germany.EU.net!news.netuse.de!gtnduss1.du.gtn.com!www.punkt.de!not-for-mail
From: "Patrick M. Hausen" <hausen@punkt.de>
Newsgroups: comp.os.linux.networking,comp.unix.bsd.freebsd.misc,comp.unix.bsd.misc
Subject: Re: NFS with free bsd and linux
Date: 30 Apr 1997 11:30:16 GMT
Organization: WEB Internet Services
Lines: 33
Message-ID: <01bc5559$fecf9ac0$f3e94dc2@hugo09.ticsoft.de>
References: <33658E27.3EAD@them.com> <01bc5478$ca8a4800$f3e94dc2@hugo09.ticsoft.de> <5k5vgn$aio@monad.swb.de>
NNTP-Posting-Host: hugo09.ticsoft.de
X-Newsreader: Microsoft Internet News 4.70.1155
Xref: euryale.cc.adfa.oz.au comp.os.linux.networking:77174 comp.unix.bsd.freebsd.misc:40026 comp.unix.bsd.misc:3120

Olaf Kirch <okir@monad.swb.de> wrote in <5k5vgn$aio@monad.swb.de>...
> Patrick M. Hausen (hausen@punkt.de) wrote:
> : Use a privileged port for the mount - it's an option to mount(8),
> : something like -p or -P or similar.
> : Have a look at the manual page, I'm typing this from memory ;-)
> :
> : This is a - braindamaged, IMHO - way of Linux, Solaris and some
> : other Unices to "enhance security".
>
> You can see from the recent CERT advisory on BSD file handle guessing
> that it's not such a bad idea after all to make the server check the
> port number. If allowing your users to guess file handles _and_ present
> them to the server no questions asked qualifies at all, then it's
> for the `braindamaged' category.
>
> While I agree that minimal security is not all we should aim for, it's
> definitely better than none at all.

But to check the port on the server side doesn't prevent anyone from anything.
_Everyone_ can connect his/her own workstation to the cable and try to guess
filehandles from a privileged port. Everyone can run arbitrary software on a PC.
Forcing the client to use a privileged port doesn't enhance security - it just
pretends to do so and fools users and administrators.

Patrick
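Patrick's objection, in the terms a defender would use when reviewing an NFS server today: the server-side privileged-port check (the `secure` option in Linux exports(5), which is the default) only shows that the request came from a low port on some host that can reach the server, and the uid/gid it carries under AUTH_SYS is whatever that host chose to send. Binding a request to a user needs Kerberos (the `sec=krb5`, `krb5i` or `krb5p` flavours of later NFS versions). The script below is an added example, not code from the thread or from any NFS project; it parses an exports(5) file in the modern Linux nfs-utils syntax (FreeBSD's exports syntax differs) and flags every export whose client identity rests on nothing more than the port check. It goes beyond the thread's point by also flagging `insecure`, `no_root_squash` and the bare-host-then-space mistake that exports a directory to every host. The sample exports file, paths and hostnames are constructed for the demonstration.

```python
"""Audit a Linux exports(5) file for exports whose client checks amount to
no more than the privileged-port test discussed in the thread.

Added example, not from the thread. Assumes the Linux nfs-utils exports(5)
syntax: options `secure`/`insecure`, `sec=` flavour lists, `no_root_squash`."""
import re

# Constructed sample exports file for the demonstration; not a real config.
SAMPLE_EXPORTS = """\
# homes: AUTH_SYS only, so the server trusts uid/gid from any low source port
/srv/home    192.0.2.0/24(rw,sync,root_squash)
# build box: even the port check is switched off, and root is not squashed
/srv/build   build01.example.test(rw,insecure,no_root_squash)
# the classic mistake: the space before (rw) exports /srv/secret to everyone
/srv/secret  fileserver.example.test (rw)
# Kerberos with privacy: client identity no longer rests on the port number
/srv/kerb    192.0.2.0/24(rw,sec=krb5p,root_squash)
"""

# A client token is "host" or "host(opt,opt)"; the host part may be empty.
CLIENT_RE = re.compile(r'([^(]*)(?:\((.*)\))?')


def parse_exports(text):
    """Yield (path, host, options) for every client token on every export line.

    A token without a host part (a bare "(rw)", or a line with no client at
    all) exports to any host, which is how exports(5) treats it as well."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ['*']
        for token in clients:
            m = CLIENT_RE.fullmatch(token)
            host, optstr = (m.group(1), m.group(2) or '') if m else (token, '')
            opts = [o for o in optstr.split(',') if o]
            yield path, host or '*', opts


def audit(text):
    """Return a list of (path, host, code) findings. Codes:
    INSECURE           the privileged-port check itself is disabled
    AUTH_SYS_ACCEPTED  no Kerberos required: identity is uid/gid plus source port
    NO_ROOT_SQUASH     remote root stays root on the export
    ANY_HOST           export reachable from every host"""
    findings = []
    for path, host, opts in parse_exports(text):
        # exports(5): no sec= means sec=sys; a colon-separated list allows each flavour
        sec = next((o[len('sec='):] for o in opts if o.startswith('sec=')), 'sys')
        flavours = set(sec.split(':'))
        if 'insecure' in opts:
            findings.append((path, host, 'INSECURE'))
        if flavours & {'sys', 'none'}:
            findings.append((path, host, 'AUTH_SYS_ACCEPTED'))
        if 'no_root_squash' in opts:
            findings.append((path, host, 'NO_ROOT_SQUASH'))
        if host == '*':
            findings.append((path, host, 'ANY_HOST'))
    return findings


if __name__ == '__main__':
    for path, host, code in audit(SAMPLE_EXPORTS):
        print(f'{code:18} {path} -> {host}')
```

Run against a real server with `python3 audit_exports.py < /etc/exports`-style plumbing of your own; the point of the `AUTH_SYS_ACCEPTED` finding is exactly Patrick's: on such an export the `secure` option is the only thing standing between a guessed file handle and the data, and it is satisfied by anyone who is root on a machine of their own.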