On Thu, Aug 31, 2006 at 01:05:41PM +1000, Paul Szabo wrote:
> > The last two points are true by default on Debian, but the first three
> > points are configuration decisions on the part of the NFS server
> > administrator. I understand that you have reasons to export shares allowing
> > suid binaries in your own environment, but then you can also reconfigure
> > root's path or the permissions on /usr/local/* in that case.

> Sorry, the NFS server administrator does not really have control over the
> first point.

Of course they do; no NFS share is ever exported to a machine without the
admin explicitly granting it in /etc/exports.

It happens to be very dangerous to share a filesystem via NFS between
systems that have different security contexts. This does not make it a
critical bug for the kernel to not support a particular method of mitigating
this danger, or for nfs-utils to not enable it by default; it just means
that NFS may not be suitable for certain configurations as a result.

And in bug #299007, ugidd was also mentioned as a solution that would
provide everything that squash_gids would, and then some.

> Sorry, as I read Debian policy (and as discussed in #299007), I am not
> permitted to change root's PATH or change the permissions on /usr/local.

*You* are permitted to do either of these things. Whether they will be done
by default in *Debian* is a separate question.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/