Re: CERT, about NFS

Leo Bicknell (bicknell@csugrad.cs.vt.edu)
Thu, 22 Dec 1994 10:59:54 -0500 (EST)

> >          1. Do *not* self-reference an NFS server in its own exports file.
> >          2. Do not allow the exports file to contain a "localhost" entry.
> 
> Anyone know why these are recommended?  As far as I can see, if your
> portmapper doesn't do proxy calls and/or you firewall out port 111, and
> you don't care about local attacks, neither C.1 nor C.2 will buy you
> anything further.  Am I missing something, or are these bits of advice
> simply there for people who don't do A and B?

	I recall an old bug (possibly in a CERT advisory)
about NFS and exporting to localhost.  I can't remember what
it is off the top of my head, and I'm not at school to look it up,
but I think it was something along the lines of if you mounted
a filesystem to localhost permissions were no longer checked for
some reason.

	Of course, if you don't worry about local attacks it's
not a problem, but many of us do.  Someone with easy access
to CERT advisories might want to look back a year or so
and see what all the "localhost NFS bug" entailed.
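
A small audit for the two quoted recommendations (C.1 and C.2), as an added example that is not part of the original message or of the CERT advisory. It assumes two common exports syntaxes (SunOS-style `-access=`/`root=`/`rw=` host lists and Linux-style `host(options)`), does not expand netgroups or wildcards, and uses constructed hostnames.

```python
LOOPBACK = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}

def clients_on_line(line):
    """Return (path, clients) for one exports line, or None if blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    path, *fields = line.split()
    clients = []
    for field in fields:
        if field.startswith("-"):
            # SunOS-style option list: -access=a:b,root=c,ro
            for opt in field[1:].split(","):
                key, _, value = opt.partition("=")
                if key in ("access", "root", "rw"):
                    clients += [h for h in value.split(":") if h]
        else:
            # Linux-style client: host(options); a bare "(opts)" has no host
            host = field.split("(", 1)[0]
            if host:
                clients.append(host)
    return path, clients

def audit_exports(text, own_names):
    """List (line number, path, client, rule) for entries breaking C.1 or C.2."""
    own = {n.lower() for n in own_names}
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if (parsed := clients_on_line(raw)) is None:
            continue
        path, clients = parsed
        for client in clients:
            if client.lower() in LOOPBACK:
                findings.append((lineno, path, client, "C.2 localhost entry"))
            elif client.lower() in own:
                findings.append((lineno, path, client, "C.1 self-reference"))
    return findings

SAMPLE = """\
# /etc/exports (constructed; fs1 / fs1.example.edu are the server's own names)
/usr         -access=alpha:beta,root=alpha
/home        -access=fs1:gamma
/export/src  localhost(rw) delta(ro)
/scratch     FS1.example.edu(rw)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE, ["fs1", "fs1.example.edu"]):
        print(*finding)
```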