From owner-freebsd-questions  Tue Nov 26 15:05:42 1996
Return-Path: owner-questions
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id PAA06318
          for questions-outgoing; Tue, 26 Nov 1996 15:05:42 -0800 (PST)
Received: from soso.eecs.umich.edu (soso.eecs.umich.edu [141.212.99.9])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA06311
          for <questions@freebsd.org>; Tue, 26 Nov 1996 15:05:37 -0800 (PST)
Received: from localhost (jadaan@localhost) by soso.eecs.umich.edu (8.8.2/8.8.2) with SMTP id SAA12735; Tue, 26 Nov 1996 18:03:12 -0500 (EST)
Date: Tue, 26 Nov 1996 18:03:12 -0500 (EST)
From: Khaleel Al-Jadaan <jadaan@eecs.umich.edu>
To: Alain FAUCONNET <af@biomath.jussieu.fr>
cc: questions@freebsd.org
Subject: Re: NFS Client problems
In-Reply-To: <199611262113.AA00455@iaka.biomath.jussieu.fr>
Message-ID: <Pine.GSO.3.95.961126175756.12614B-100000@soso.eecs.umich.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk


 Alain, you are correct, mount(8) is reserved for root, I thought it was
the default that the any user can mount a file system. I am kind of toying
with freebsd to evaluate it and pick between it and Linux to install on
34 other machines, so far, freebsd is ahead. I guess limiting mounting
power to root keeps things under control and avoids opening that major
security window you mentioned.

 KJ


                               \|||/
                               /- -\ 
                              ( @ @ ) 
     ______________________oOOo--U--oOOo_______________________
                        Khaleel K. Al-Jadaan               
     Department of Electrical Engineering and Computer Science       
                       University of Michigan           
             http://www-personal.engin.umich.edu/~jadaan
                         Tel:(313) 480-4476
     ______________________________Oooo________________________
                             oooO  (   )
                            (   )   ) /
                             \ (   (_/
                              \_)                            


On Tue, 26 Nov 1996, Alain FAUCONNET wrote:

> Khaleel Al-Jadaan wrote / a ecrit:
> > 
> >  Well Alain,
> > 
> >    Both clients and server run FreeBSD version 2.1.5, I am using DNS.
> >   But not NIS. My exports file looks like this:
> >   
> >   /usr/home -ro -mapall:172.16.1.2:172.16.1.3  #IP of the two clients
> > 
> >   My network consists of three machines, one server and two clients.
> > 
> >   The root on the client machines can perform the mount without any
> >  problems, but other users are denied with massage (Client credentials
> >  too weak). Hope thats enough information and a crystal ball is not
> >  needed. 
> 
> Well honestly I've always considered that  mount(8)  was  reserved  to
> root. The man page doesn't state state it is, but that seems  more  or
> less implicit. I may br wrong.
> 
> On the other hand the man page for mountd(8) states that for  non-root
> mount  requests  to  be  accepted,  it  has  to be started with the -n
> option.
> 
> On  my  version  of FreeBSD (2.1-stable), the -mapall options seems to
> have  different  semantics,  like  -mapall=user:group.  I'm not sure what you
> expect  that /etc/exports file to do with -mapall=ip-address. Anyway I
> can  see  that  allowing a non-root user to remote mount a fs exported
> without the mapall option opens a major security  window !!
> 
> _Alain_
> -- 
> Alain FAUCONNET    Ingenieur systeme - System Manager     AP-HP/SIM
> Public Health                91 bld de l'Hopital 75013 PARIS FRANCE
> Medical Computing Research Labs         Mail: af@biomath.jussieu.fr
> Tel: (+33) 1-40-77-96-19                   Fax: (+33) 1-45-86-80-68
>     I've RTFMed. It says: "Refer to your system administrator"
>             But... I *am* the system administrator :-]
>