NFS problems

Pat Myrto (ole!rwing!pat@nwnexus.wa.com)
Sat, 19 Mar 94 11:54:31 PST

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Aleph One: "utmp"
Previous message: [8LGM] Security Team: "[8lgm]-Advisory-5.UNIX.mail.24-Jan-1992"
Next in thread: Stan Barber: "Re: NFS problems"

Bug Trackers:

I suspect this is old stuff to many folks out there, but it is new stuff
to me (as a result of being a victim of security through obscurity).
A site I am associated with had its filesystems mounted by some site
back East (we are on the West Coast) a few days ago.  One reason for
this is because all the subdirs are exported with the line of the form
(note the lack of 'access' options):  The operating system is SunOS
4.1.3, running on both Sun4 and Sun 4c platforms.  There is a firewall
router, but it apparantly did not block this breakin.  Apparantly they
could not write to much anything, but they apparantly tried to copy the
data, because the system became so loaded on could not even see typed
characters echo, for about 20 minutes.

/pathname  -root=host1:host2:host3

When I suggested changing it to the form of

/pathname -root=host1:host2:host3,access=host1:host2,host3

for better access control,  I was told this cannot be done because it
messes up access permissions for various users.

Is this a common problem forcing one to leave a hole like this open, or
is there a workaround/fix for this?   The root= access is needed for
the hosts 1-3, the desire is to make NO access to other hosts than
those specified.

I was also told that people could write a program to access NFS filesystems
using the Xwindows port (whatever porT THAT is), and defeat all the export
limitiations.  The person telling me this knows no details himself, "someone
told  him" apparantly, so that tidbit is next to useless to me.

I am trying to find out accurate info on this, and what is needed to
cause an export ONLY to host1-host3, but that export WITH root level
access to the named hosts.

Anybody know anything about this, and the way to deal with it?

Thanks...
-- 
pat@rwing  [If all fails, try:  rwing!pat@ole.cdac.com]  Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence."  --   Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.

Next message: Aleph One: "utmp"
Previous message: [8LGM] Security Team: "[8lgm]-Advisory-5.UNIX.mail.24-Jan-1992"
Next in thread: Stan Barber: "Re: NFS problems"