Date: Wed, 25 Oct 1995 00:13:25 -0500 (CDT) From: mikebo@tellabs.com To: davidg@Root.COM Cc: hackers@freebsd.org, bugs@freebsd.org Subject: Re: 2.1.0-951020-SNAP: Major bug in NFS again! Message-ID: <9510250513.AA12294@tellabk.tellabs.com> In-Reply-To: <199510250338.UAA27854@corbin.Root.COM> from "David Greenman" at Oct 24, 95 08:38:46 pm
next in thread | previous in thread | raw e-mail | index | archive | help
David G. wrote:
> The client should ignore NFS packets from hosts that it's not talking to or
> doesn't know about, and that's what all 4.4BSD derived OSs do.
>
OK... thanks for pointing this out. It's news to me.
> >I can document this behavior in SunOS, Solaris and HP/UX if it will
> >help strengthen the argument...
>
> This is obviously flamebait and I'm not going to respond to it.
>
I'm merely trying to make a case: that in order to use FreeBSD in a
heterogenous (business) environment, it needs to work with NFS servers
in the same way as commerical OSes. I didn't know this was a 4.4BSD-ism.
> If you choose not to use my suggested work-around, then I guess you can't
> use FreeBSD.
OUCH! C'mon, is this how things are supposed to work around here?
Your workaround will not work... the routes change on-the-fly! Just
to find out _which_ server interface is currently responding requires
the client admin to do a "netstat -r | grep destination-net" on the
server, and then fix the client system. How do I create an automounter
map or fstab that deals with this? Answer: Can't
> ... For the NFS client, FreeBSD requires that replies to its RPC
> requests come from the same address that they were issued to. ...
I know that in some places such security is a necessity - but it's
hard for me to picture one of my fellow engineers hand-tailoring RPC
calls/replies to hack into a system they can walk up to and reboot
with <Ctrl><Alt><Del>... ;v)
I can't dictate major changes in my corporate network to accomodate what
is essentially a hobbyist system. If I can't make it work in that context,
what is the likelyhood that this OS will be chosen for anything serious?
I agree with the spirit in which the change was made, but let's be
practical. If you can't make it work, what good is the security?
> The best I could offer you would be a kernel option to disable this
> security, but I'll say right now that this *won't* be in the 2.1 release.
>
I really appreciate that you would consider doing this! I know of at
least one other site where this is a problem. I take it this could
not simply be an option to mount?
- Mike
PS> I don't want to come off as being grumpy or confrontational. I like
FreeBSD and appreciate all the hard work everyone here does for free.
I've been an advocate of FreeBSD (been running it since 1.1), have a
lot of time invested in it, and it steams me to think that I can't
use it! Sorry for the length of the post.
--
--------------------------------------------------------------------------
Michael Borowiec - mikebo@tellabs.com - Tellabs Operations Inc.
Senior Member of Technical Staff 4951 Indiana Avenue, MS 63
708-512-8211 FAX: 708-512-7099 Lisle, IL 60532 USA
--------------------------------------------------------------------------
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9510250513.AA12294>