Subject: Re: NFS-exports and root-account on "foreign" clients
To: Marcel Meyer <firstname.lastname@example.org>
From: Ignatios Souvatzis <email@example.com>
Date: 01/09/2001 11:01:39
Content-Type: text/plain; charset=us-ascii

On Mon, Jan 08, 2001 at 11:42:55PM +0100, Marcel Meyer wrote:
> possibly a newbie question. :-) We export many files (homes, configs etc)
> with NFS from our server. But there are some computers outside of our
> internal network where "other persons *g*" are root and they import those
> files with the same rights too.

Uhm, unless you specifically export root as root (with the -maproot option,
see "man exports"), it is exported as nobody:nogroup (-2:-2, numerically).

> Problem: With root-rights it is possible to write a script or copy a
> standard binary to a home-dir and set the +s bit (with root as owner).
> Now, these scripts can be executed on our "normal" clients from a standard
> user. That's not what we want :-).

Well, on the untrusted client machines, don't export your root as client root
on any of the exported filesystems.
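Added example, not part of the original thread: a small audit of BSD-style exports(5) lines that reports every export where client root stays root (via -maproot, or the related -mapall option) for a host outside a trusted list. The host names, the TRUSTED set and the sample file are constructed, and the parser is a simplification that only handles options written as -name=value.

```python
# Added example: flag BSD exports(5) lines that keep client root as root.
TRUSTED = {"ws1.example.org", "ws2.example.org"}  # constructed host names

# Constructed sample in exports(5) syntax: paths, -options, then hosts.
SAMPLE = """\
# internal workstations, root kept as root
/home -maproot=root ws1.example.org ws2.example.org
# outside machine, root kept as root
/home/ext -maproot=0:0 laptop.example.net
# no -maproot: client root becomes -2:-2
/export/configs -ro laptop.example.net
# no host list: applies to every client
/scratch -mapall=root
"""


def root_mapped(options):
    """True if -maproot or -mapall maps requests to uid 0."""
    for opt in options:
        name, _, cred = opt.lstrip("-").partition("=")
        if name in ("maproot", "mapall") and cred.split(":")[0] in ("root", "0"):
            return True
    return False


def audit(text, trusted):
    """Return (line number, path, untrusted hosts) for risky export lines."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        paths = [t for t in tokens if t.startswith("/")]
        opts = [t for t in tokens if t.startswith("-")]
        hosts = [t for t in tokens if not t.startswith(("/", "-"))]
        if not paths or not root_mapped(opts):
            continue
        # An export line without hosts is not restricted to any client.
        outside = [h for h in hosts if h not in trusted] if hosts else ["<any host>"]
        if outside:
            findings.append((lineno, paths[0], outside))
    return findings


if __name__ == "__main__":
    for lineno, path, hosts in audit(SAMPLE, TRUSTED):
        print(f"line {lineno}: {path} keeps root for {', '.join(hosts)}")
```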