Comment 38 for bug 13795

In , Bill Allombert (allomber) wrote : Re: Bug#299007: base-files: Insecure PATH

On Thu, Mar 17, 2005 at 07:25:56AM +1100, <email address hidden> wrote:
> Bill Allombert <email address hidden> wrote:
>
> >> ... any machines that share user files via writable NFS mounts are
> >> vulnerable. (Are vulnerable if you mount an NFS filesystem that is
> >> writable to others.)
> >
> > No that is not true. You need to use root_squash for any semblance of
> > security anyway. In that case you can also use squash_gids to prevent
> > the attack.
>
> Note that root_squash is default, squash_gids is not; there is no

Then the solution is to make squash_gids staff the default.

> recommendation to squash_gids staff. My machines do not know about
> squash_gids (in "man exports", package nfs-kernel-server, versions
> 1.0-2woody3 or 1.0.6-3.1);

At least woody nfs-user-server has it.

> I wonder if non-Debian OSs know.

How is it relevant? This is a server-side setting.

> (The issue of "real" users in group staff also remains.)

There are no users in staff by default. Members of the group staff
normally have root access as well. The goal of group staff is to protect
against errors, not mischief.

Oh, and if you did not blacklist me I would be in a better mood to
discuss with you, thanks. Please read the bug log for other answers you
might have missed.

Cheers,
--
Bill. <email address hidden>

Imagine a large red swirl here.
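
The server-side setting discussed in the message above can be checked mechanically. The following is an added example, not part of the original e-mail or of any Debian package: it audits exports text for writable entries that leave group staff unsquashed. It assumes the nfs-user-server `squash_gids=` id-list syntax, gid 50 for staff (the Debian default), and a constructed sample file.

```python
import re

STAFF_GID = 50  # assumption: Debian's default gid for group "staff"

# Constructed sample exports file, not taken from the bug report.
SAMPLE_EXPORTS = """\
/home      client1(rw,root_squash)
/srv/pub   client2(ro)
/usr/local client3(rw,root_squash,squash_gids=0-15,50)
/scratch   client4(rw,all_squash) client5(rw,squash_gids=100-200)
"""

ID_LIST = r"\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*"

def parse_id_list(spec):
    """Expand an id list such as '0-15,20' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def unsquashed_staff_exports(exports_text, gid=STAFF_GID):
    """Return (path, client) pairs that are writable and do not squash gid."""
    findings = []
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for entry in clients:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", entry)
            if m is None:
                continue  # malformed entry, skipped by this sketch
            client, optstr = m.group(1) or "*", m.group(2) or ""
            flags = set(optstr.split(","))
            # Assumption: an entry is writable unless "ro" is given explicitly.
            if "ro" in flags or "all_squash" in flags:
                continue
            ids = re.search(r"squash_gids=(" + ID_LIST + ")", optstr)
            squashed = parse_id_list(ids.group(1)) if ids else set()
            if gid not in squashed:
                findings.append((path, client))
    return findings

if __name__ == "__main__":
    for path, client in unsquashed_staff_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: writable, gid {STAFF_GID} not squashed")
```
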