Subject: Re: NFS and reserved ports
To: Jim Reid <jim@mpn.cp.philips.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-kern
Date: 03/24/1997 06:26:30

Jim Reid <jim@mpn.cp.philips.com> writes:

> [The default should of course be to have whatever
>security features - such as they are - enabled. That way someone has
>to do something to turn off security checking rather than the other
>way round.]

The counter-argument is, of course, that since in many environments
these options provide no added security, the defaults should be to
disable the checks, so that someone who thinks they're obtaining
``security'' has at least read a manpage and knows how much security
they're really getting.


>While I'm here, maybe someone should be - already is? -
>looking at some way of reducing the exposure and/or guessability of
>filehandles...

You mean, better than the fsirand in the tree?  Not that I know of.

Kerberos authentication on mountd requests for file handles sort-of
works, if you assume a single user per workstation. The other common
alternative is `secure RPC', encrypting the RPCs for each NFS
operation, which gets very expensive very quickly.