misc/61774: nis security issue
Matthew West
mwest at uct.ac.za
Fri Jan 30 07:40:21 PST 2004
The following reply was made to PR misc/61774; it has been noted by GNATS.
From: Matthew West <mwest at uct.ac.za>
To: freebsd-gnats-submit at FreeBSD.org
Cc:
Subject: Re: misc/61774: nis security issue
Date: Fri, 30 Jan 2004 17:34:05 +0200

Using exports(5)'s maproot option doesn't prevent a user on an NFS
client from becoming root, and then using "su" to become another user
and access that user's files.

A solution to this problem is to use Kerberos tickets instead of Unix
user credentials. Unfortunately, FreeBSD does not currently have a
Kerberised NFS implementation.

You could try using something other than NFS to allow clients access
to their files; likely candidates are Coda, AFS and SFS.

SFS (http://www.fs.net/ - ports/security/sfs) is probably the easiest
to get going with, as you don't need to have a pre-existing Kerberos
infrastructure to use it.
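
The point of the message above as a simplified model, added here as an example and not part of the original mail or of FreeBSD's code: the server acts on the uid the client sends, so maproot only changes requests labelled uid 0, while a ticket-based export ignores the claimed uid. The class names, uid values and the `kerberised` flag are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

NOBODY = 65534  # assumed uid that a squashed client root is mapped to
ALICE = 1001    # constructed sample user

@dataclass(frozen=True)
class Request:
    claimed_uid: int                  # Unix credentials: filled in by the client, unverified
    ticket_uid: Optional[int] = None  # uid proven by a Kerberos ticket, if one was presented

@dataclass(frozen=True)
class Export:
    maproot: int = NOBODY             # uid substituted when the client claims uid 0
    kerberised: bool = False          # hypothetical flag: trust tickets, not claimed uids

def effective_uid(export: Export, req: Request) -> Optional[int]:
    """Return the uid the server acts as, or None if no identity is accepted."""
    if export.kerberised:
        return req.ticket_uid         # the claimed uid is ignored entirely
    if req.claimed_uid == 0:
        return export.maproot         # maproot only ever touches uid 0
    return req.claimed_uid            # every other uid is taken on trust

def can_read(export: Export, owner: int, mode: int, req: Request) -> bool:
    """Owner/other read check; group bits are left out of this model."""
    uid = effective_uid(export, req)
    if uid is None:
        return False
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & 0o400)
    return bool(mode & 0o004)

def demo() -> dict:
    """Evaluate the cases from the message against a file owned by ALICE, mode 0600."""
    unix_creds, tickets = Export(), Export(kerberised=True)
    return {
        "client root, Unix creds": can_read(unix_creds, ALICE, 0o600, Request(0)),
        "client root after su, Unix creds": can_read(unix_creds, ALICE, 0o600, Request(ALICE)),
        "client root after su, no ticket": can_read(tickets, ALICE, 0o600, Request(ALICE)),
        "real user with ticket": can_read(tickets, ALICE, 0o600, Request(ALICE, ALICE)),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```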