Date:      Tue, 25 Jun 1996 12:26:17 -0400 (EDT)
From:      Jeff Aitken <>
Subject:   Re: Re(2): I need help on this one - please help me track this guy down!

> But what file transfer mechanism was used?  NFS maybe? 
> Personally, I like to mount all NFS filesystems "nosuid" - and likewise
> for all local systems exported by NFS (I don't normally export / or
> /usr).  Most users have no business creating setuid programs in their
> filespace, and such a policy would most likely have prevented this
> breach even if the setuid binary was created by some other means.

One thing you can do to help with this sort of problem is to map UID 0
to some other UID.  In our lab, we've got an AlphaStation which exports
several filesystems via NFS.  On a few administrative-type machines, we
map UID 0 to UID 0 (so that root on any of the administrative machines
can alter files as needed) but on the client machines (i.e., those
machines used primarily by lab patrons) UID 0 is mapped to 'nobody' or
somesuch.  Furthermore, only system administrators have accounts on the
servers; thus, even if someone breaks root on a client machine in the
lab, they can't install any sort of backdoor on the server.  If/when
such a compromise is detected, we simply reinstall the OS on the client
machine.  I've got my FreeBSD installs down to an hour or so by now :-)

Under Digital Unix, the syntax in /etc/exports goes something like this:

	-root=admin.machine.1 -root=admin.machine.2
	client.machine.1 client.machine.2

and so on.  I haven't set up this sort of thing under FreeBSD, but I
believe the -maproot option provides equivalent functionality.  See
exports(5) for more information.

None of this addresses the potential problem of address/hostname
spoofing (i.e., if someone can convince the NFS server that they are
one of the administrative machines, you're in trouble), but it's better
than nothing.

Jeff Aitken
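A small audit script for the two controls discussed in this thread (root mapping in the server's exports and nosuid on NFS client mounts). This is an added example, not code from the original post; it uses FreeBSD exports(5) syntax and constructed sample exports and fstab contents, since on FreeBSD an export line without -maproot already maps remote root to nobody, so the lines worth flagging are those that hand root back out with -maproot=0 or -maproot=root:

```shell
#!/bin/sh
# Constructed sample /etc/exports in FreeBSD syntax (not from the original post).
# Line 1 grants real root to the admin hosts; line 2 is the same filesystem
# exported to client hosts with the default mapping (root -> nobody).
SAMPLE_EXPORTS='/export/home -maproot=0 admin1.lab.example admin2.lab.example
/export/home client1.lab.example client2.lab.example
/export/pkg -maproot=root -network 10.0.0.0 -mask 255.255.255.0
/export/data -ro -maproot=nobody client1.lab.example'

# Print "<lineno>: <line>" for every export line that maps remote root to a
# privileged local uid (-maproot=0 or -maproot=root, optionally with :groups).
flag_root_exports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^-maproot=(0|root)(:|$)/) { print NR ": " $0; break }
        }'
}

# Constructed sample /etc/fstab for a lab client (not from the original post).
SAMPLE_FSTAB='nfs.lab.example:/export/home /home nfs rw,nosuid 0 0
nfs.lab.example:/export/pkg /usr/local/pkg nfs rw 0 0
/dev/da0s1a / ufs rw 1 1'

# Print "<lineno>: <line>" for every NFS mount whose option list lacks nosuid,
# i.e. a mount on which a setuid binary placed on the server would be honoured.
flag_suid_nfs_mounts() {
    printf '%s\n' "$1" | awk '$3 == "nfs" {
        n = split($4, opts, ",")
        found = 0
        for (i = 1; i <= n; i++) if (opts[i] == "nosuid") found = 1
        if (!found) print NR ": " $0
    }'
}

echo "exports granting remote root:"
flag_root_exports "$SAMPLE_EXPORTS"
echo "NFS mounts without nosuid:"
flag_suid_nfs_mounts "$SAMPLE_FSTAB"
```

Run it against the real files with `flag_root_exports "$(cat /etc/exports)"` and `flag_suid_nfs_mounts "$(cat /etc/fstab)"`; the -network/-mask line is flagged because it grants root to a whole subnet, which is the spoofing exposure the message ends on.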
