[Prev][Next][Index]

Re: Re[4]: nfs-mounting kelim.jct.ac.il



In message <15324F3F1E@hagiga.jct.ac.il> you write:
|As a matter of fact, I am :-)
|I don't care about security in the directory tree that I export. It's 
|easier that way, 'cause I don't have to check the permissions of all 
|files and they are all public anyway.

That's not comforting - if someone manages to put a trojan hours on
your disk then I'll have it in my installation.  Besides - there is a
theoretical chance that if someone can write to your disk then he can
break to your system (or just use it as another free space :)

Please start caring - export the filesystem read-only with no root
permissions over NFS, root id and wheel-group (gid 0) mapped to nobody
(-2?).  Read-only permissions to all files and read+execute permission
to all directories won't hurt either.  Also make all files belong to a
uid/gid which are not used by anyone and any other files on your
system.

(not that I see a way to exploit your good service - HUJI seems to be
out of this game anyway).

Cheers,

--Amos

--Amos Shapira                      | "Of course Australia was marked for
133 Shlomo Ben-Yosef st.            |  glory, for its people had been chosen
Jerusalem 93 805                    |  by the finest judges in England."
ISRAEL          amoss@cs.huji.ac.il |                     -- Anonymous