Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!cpk-news-hub1.bbnplanet.com!cam-news-hub1.bbnplanet.com!news.bbnplanet.com!news.mathworks.com!mvb.saic.com!pacifier!deraadt
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.os.linux.networking,comp.unix.bsd.freebsd.misc,comp.unix.bsd.misc
Subject: Re: NFS with free bsd and linux
Followup-To: comp.os.linux.networking,comp.unix.bsd.freebsd.misc,comp.unix.bsd.misc
Date: 30 Apr 1997 05:18:36 GMT
Organization: Pacifier BBS, Vancouver, Wa. ((360) 693-0325)
Lines: 28
Message-ID: <DERAADT.97Apr29231836@zeus.pacifier.com>
References: <33658E27.3EAD@them.com> <01bc5478$ca8a4800$f3e94dc2@hugo09.ticsoft.de> <5k5vgn$aio@monad.swb.de>
NNTP-Posting-Host: zeus.theos.com
In-reply-to: okir@monad.swb.de's message of 30 Apr 1997 01:16:39 +0200
Xref: euryale.cc.adfa.oz.au comp.os.linux.networking:77140 comp.unix.bsd.freebsd.misc:39985 comp.unix.bsd.misc:3119

In article <5k5vgn$aio@monad.swb.de> okir@monad.swb.de (Olaf Kirch) writes:

   Patrick M. Hausen (hausen@punkt.de) wrote:
   : Use a privileged port for the mount - it's an option to mount(8),
   : something like -p or -P or similar.
   : Have a look at the manual page, I'm typing this from memory ;-)
   :
   : This is a - braindamaged, IMHO - way of Linux, Solaris and some
   : other Unices to "enhance security".

   You can see from the recent CERT advisory on BSD file handle guessing
   that it's not such a bad idea after all to make the server check the
   port number. If allowing your users to guess file handles _and_ present
   them to the server no questions asked qualifies at all, then it's for
   the `braindamaged' category. While I agree that minimal security is not
   all we should aim for, it's definitely better than none at all.

Olaf,

First of all, it was an SNI advisory, not a CERT advisory.

And we've found many more NFS and RPC problems since then. It has been
quite amusing and entertaining for us to fix them.
--
This space not left unintentionally unblank.    deraadt@openbsd.org
www.OpenBSD.org -- We're fixing security problems so you can sleep at night.
(If it wasn't so fascinating I might get some sleep myself...)