On Fri, 31 Jan 2003, Kevin Jackson wrote: > If you mean from "if they have physical access to the box and are > determined, they'll get root anyway" you mean exploit some unpatched > service on the system -- then you may aswell forget about and type of NFS > "squash" option altogether! ...as we are in a different territory now. > See other securityfocus.com mailing lists on that one! ;-)
No, if someone has physical access to a PC they can turn it off, open the case, short the jumper to clear the BIOS, boot from a floopy or CD and get root. Securing the services and network won't help if you allow untrusted users to have unsupervised access [which is eventually going to happen at some point in any classroom or lab] to the hardware. With that in mind, it makes sense to build a solution in which a person with root access to a machine on the network still cannot modify another users files. NFS doesn't get you that.