>> ultrix 4.x also allows nonroot users to mount NFS filesystems, if I
>> remember right. Shiver...

> Yep. However, it isn't as bad as you might think, as Ultrix forces
> all non-root mounts to be nosuid,nodev, which makes 'em mostly
> harmless (if someone knows otherwise, I'd like to hear about it).

First thing that comes to mind is to ensure that it does correct checks for the mounted-over directory. Preferably, the user doing the mount must own it; it seems reasonable at first glance to merely require the user to be able to write it, but this lets anyone mount over /tmp (and possibly /var/spool/mail, depending on how Ultrix has that set up). Given the number of programs we've seen which have races with respect to opening files in /tmp, having /tmp utterly under the control of an arbitrary user seems pretty dangerous to me.

Even with nosuid,nodev, though, there may still be dangers, since arbitrary ownership and mode bits may be presented, and thus other programs may be fooled into thinking something has been approved by (say) root when it actually hasn't. I have no specific examples in mind, but it would not surprise me a bit if some programs relaxed certain checks when some config file is owned by root, on the theory that if root did it, there's no point in checking further. (Of course, this would really be a bug in the program, not in Ultrix mount....)

I think I would prefer something like what I've seen somewhere else, with cd-roms I think: simply make _everything_ on the mounted filesystem come out owned by the user who did the mount. Then you can ignore the setuid-bit issue entirely (though you still need nodev, of course). I'm not sure what I'd do about creates by other users; of course, with cd-roms this isn't an issue, but with NFS it is....

					der Mouse

			       mouse@collatz.mcrcim.mcgill.edu