Great Circle Associates Firewalls
(February 1994)
 


Subject: Re: NFS mounts
From: jsz @ ramon . bgu . ac . il
Date: Fri, 4 Feb 94 2:35:58 IST
To: ark @ lance . tis . llnl . gov (Alene Kercheval), robert @ puente . jpl . nasa . gov, firewalls @ greatcircle . com
Cc: daryl @ cs . athabascau . ca
In-reply-to: <9402031742 . AA12581 @ lance . tis . llnl . gov>; from "Alene Kercheval" at Feb 3, 94 9:42 am


> just put an access list in the /etc/exports file
> as so

> <exported filesystem>   -access=<ok host>:<ok host>

> then only the hosts in the list will be allowed to mount the filesystem.

Well, not really, not always, at least if you don't filter 2049 at the
router. There have been *at least* 6-7 very obscure holes that would
circumvent all the checks that the mount daemon implements. Examples:
if an NFS server has an /etc/exports file which contains an "-access=" string
longer than 256 bytes, the file system for which this line appears will be
exported to the world. [There is a Sun patch that fixes it.] Also,
indirect RPC mount calls allow you to mount an exported dir, etc.

 ---Jonathan


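As an added example (not part of the original message or of any vendor tooling), the shell function below audits a SunOS-style exports file for the condition described in the reply above: an "-access=" string longer than 256 bytes, plus exports that carry no access list at all. The function names, the way the length is counted (the option as if written `-access=<list>`), and the sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a SunOS-style exports file (format as quoted in the thread).
# Usage: audit_exports FILE [LIMIT]    LIMIT defaults to 256, the figure from the post.
# Output, one line per export: STATUS DIRECTORY LENGTH
#   LONG   "-access=<list>" string is longer than LIMIT bytes
#   WORLD  no -access= option, so no host list restricts the mount
#   OK     -access= present and within LIMIT
audit_exports() {
    LC_ALL=C awk -v limit="${2:-256}" '
    function report(line,    f, o, n, m, i, j, len, status) {
        n = split(line, f)                   # whitespace-separated fields
        if (n == 0) return                   # blank or comment-only line
        len = 0; status = "WORLD"
        for (i = 2; i <= n; i++) {
            if (f[i] !~ /^-/) continue       # the options field starts with "-"
            m = split(substr(f[i], 2), o, ",")
            for (j = 1; j <= m; j++)
                if (o[j] ~ /^access=/) {
                    len = length(o[j]) + 1   # assumption: count the leading "-"
                    status = (len > limit) ? "LONG" : "OK"
                }
        }
        print status, f[1], len
    }
    { sub(/#.*/, "") }                       # strip comments
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }    # join continued lines
    { report(buf $0); buf = "" }
    END { if (buf != "") report(buf) }
    ' "$1"
}

# Constructed sample input (not a real configuration): four exports, one with
# an over-long access list and one split across a continuation line.
sample_exports() {
    long=$(awk 'BEGIN { for (i = 1; i <= 40; i++) printf "host%02d:", i; printf "last" }')
    printf '%s\n' '# constructed sample' \
        '/export/home -access=alpha:beta' \
        '/export/pub' \
        "/export/src -ro,access=$long" \
        '/export/tools -access=alpha:\' \
        'beta:gamma'
}

# Demo: tmp=$(mktemp); sample_exports > "$tmp"; audit_exports "$tmp"; rm -f "$tmp"
```

Entries reported as LONG or WORLD are the ones to review first; splitting a long host list into a netgroup or shortening it keeps the line under the limit.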

