Re: Fwd: Multiple vendor 'Taylor UUCP' problems.

From: Andrey A. Chernov (ache@nagual.pp.ru)
Date: 09/09/01


Date: Sun, 9 Sep 2001 06:20:25 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Kris Kennaway <kris@obsecurity.org>


On Sat, Sep 08, 2001 at 19:10:13 -0700, Kris Kennaway wrote:
> Actually, I think I was overstating a bit. You can't set UFS file
> flags on an NFS volume, but they should work fine if already set on
> the server and /usr is mounted by a client.
>
> What will break is trying to do an installworld onto a remote NFS
> volume, or installworld within a jail, since in order for that to
> succeed you have to tell it not to set file flags, and that will leave
> you with a local root exploit on the installed system.

This is a different problem that we already have in other places, since we
install, e.g., libc, sliplogin, login, chpass, etc. with -fschg.

It means no remote NFS installation is allowed.

-- 
Andrey A. Chernov
http://ache.pp.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
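
Added example, not part of the original message: a check an administrator could run after an installworld to find files of the kind named above that ended up without the schg flag. The file paths and the sample listing are constructed assumptions; `ls -lo` is the FreeBSD form of `ls` that prints the file-flags column.

```shell
#!/bin/sh
# Added example: audit FreeBSD `ls -lo` output for files missing the schg flag.

# Files the message names as installed with schg; the paths are assumptions.
EXPECTED="/usr/lib/libc.so.4 /usr/sbin/sliplogin /usr/bin/login /usr/bin/chpass"

# Reads `ls -lo` output on stdin. For each expected file prints
# "noschg <path>" if its flags column lacks schg, or
# "absent <path>" if the file is not in the listing at all.
audit_schg() {
    awk -v expected="$EXPECTED" '
    BEGIN { n = split(expected, want, " ") }
    NF >= 10 {
        # ls -lo columns: mode links owner group flags size month day time name
        seen[$NF] = 1
        has[$NF] = 0
        m = split($5, fl, ",")          # flags are comma-separated, "-" if none
        for (i = 1; i <= m; i++) if (fl[i] == "schg") has[$NF] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            p = want[i]
            if (!(p in seen)) print "absent " p
            else if (!has[p]) print "noschg " p
        }
    }'
}

# Constructed listing, as it might look after an install done without
# setting file flags on some files.
sample_listing() {
    cat <<'EOF'
-r--r--r--  1 root  wheel  schg 580432 Sep  9 06:20 /usr/lib/libc.so.4
-r-sr-xr-x  1 root  wheel  - 20768 Sep  9 06:20 /usr/bin/login
-r-sr-xr-x  1 root  wheel  schg,nodump 29104 Sep  9 06:20 /usr/bin/chpass
EOF
}
```

On a live system the input would come from `ls -lo $EXPECTED 2>/dev/null | audit_schg`; empty output means every expected file carries schg.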



