> i think he was referring to using root-squash. it's an entirely pointless
> option and does not make the nfs exporting any more secure (disallowing root
> access to files like it would be allowed locally is pointless as if u are
> root - u can setuid/seteuid or su to the user id u need then do your dirty
> work - it just becomes more painful - that's all).
we _know_ nfs is not secure. we have no other _secure_ option. we use
nfs, and make life harder on a would-be intruder: the main concern in
our organization is an inside attack. since no one can close all holes,
the motto is "make intrusion as hard as possible".  one such way, is
using root squash.

> that was his point - it's an option that may
> mistakenly make people think their file exports are "more secure" :)
we don't think it is more secure. we think it will give an intruder a hard time
(writing 2 extra command lines _is_ a hard time....).

> you can use it - in a few minutes with no code changes. remove root squash.
> it's a pointless option (as above) :)
not an option.

> entrance uses method A for writing the
> .Xauthority file i.e. write as root then chown. xdm uses method B - seteuid,
> then write. BOTH are valid methods but method A happens to not work over nfs
> with root-squash. since imho root-squash is a pointless option anyhow... both
> methods are equally valid :)
ok. end of discussion. 
i thank you all for your answers and comments.
if, for some unknown reason, you decide to support method B, we'll be
happy to use entranced. until then, we'll stick with kdm.

cheers,


-- 
=========================================================
Nir Tzachar.
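
Added example (not part of the original message, and not code from entrance, xdm or kdm): "method B" from the thread, sketched in C, so the file is created under the user's effective ids and no chown is needed on a root-squashed export. `write_as_user` is a hypothetical helper name, and the sketch assumes supplementary groups are not needed to reach the file.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* seteuid(), O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not entrance/xdm code). Method B: take on the user's
 * effective ids, then create and write the file. With root-squash the server
 * maps uid 0 to an unprivileged id, so method A (create as root, then chown)
 * fails in the user's home directory; here the server only ever sees the
 * user's own uid. Supplementary groups are left untouched (assumption: not
 * needed to reach the file). Returns 0 on success, -1 on failure. */
int write_as_user(const char *path, uid_t uid, gid_t gid,
                  const void *buf, size_t len)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();
    int rc = -1;

    /* Group first: after dropping euid we could no longer change egid. */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) == 0) {
        /* O_EXCL|O_NOFOLLOW: refuse a pre-planted file or symlink.
         * Mode 0600 applies from creation, so others can never read it. */
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        if (fd >= 0) {
            /* NFS may report write errors only at fsync()/close(). */
            if (write(fd, buf, len) == (ssize_t)len && fsync(fd) == 0)
                rc = 0;
            if (close(fd) != 0)
                rc = -1;
            if (rc != 0)
                unlink(path);   /* do not leave a truncated cookie file */
        }
        /* Regain the original euid (the saved set-user-ID still holds it). */
        if (seteuid(old_uid) != 0)
            rc = -1;
    }
    if (setegid(old_gid) != 0)
        rc = -1;
    return rc;
}
```

The caller passes the uid and gid of the user logging in; the function returns with the process's original effective ids restored.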
