Subject: security/6594: the default "nobody" credentials (32767:9999) do not match mountd's default (-2:-2)
To: None <email@example.com>
From: None <firstname.lastname@example.org>
Date: 12/15/1998 15:54:09
>Synopsis: the default "nobody" credentials (32767:9999) do not match mountd's default (-2:-2)
>Responsible: gnats-admin (GNATS administrator)
>Arrival-Date: Tue Dec 15 13:05:01 1998
>Originator: Greg A. Woods
Planix, Inc.; Toronto, Ontario; Canada
$NetBSD: mountd.c,v 1.51 1998/11/07 18:31:36 christos Exp $
$NetBSD: exports.5,v 1.14 1998/10/07 14:52:30 christos Exp $
master.passwd as of Mon Nov 16 08:02:37 EST 1998
I don't know if this is really a sw-bug or a doc-bug, but
there's a misleading discrepancy in the default system
configuration. The correct category might be "bin", though
since it has something to do with security and the default
/etc/master.passwd I've initially submitted it as "security".
The default NFS mapping for the unprivileged account is to
uid=-2, gid=-2 yet the default master.passwd file lists "nobody"
as uid=32767, gid=9999".
This is not critical since it only means remote NFS clients may
have their root user accesses mapped to an ID that's not listed
in the server's password file, but if anyone's expecting the
default mapping to be to "nobody" they'll be misled until they
realize that "nobody" isn't "-2:-2" as it always was on SunOS! ;-)
see exports(5), src/usr.sbin/mountd/mountd.c, and src/etc/master.passwd
either change mountd to use "32767:9999" as the default
credentials, or change master.passwd to assign "-2:-2" as the
user/group-id for "nobody".
also add a comment to mountd.c and exports.5 to remind
developers that tradition dictates that these credentials be
assigned to the user "nobody".