On Mon, Aug 28, 2006 at 08:39:41AM +1000, Paul Szabo wrote: > There is a warning in "man exports" against other sensitive UIDs, but > not against sensitive GIDs. There are no sensitive UIDs on a default > Debian installation, but there is a sensitive GID mandated by policy; > there is no default or easy gid_squash on NFS exports. The intended > security benefit of root_squash is defeated. > > (This is not really a bug in NFS, but a result of broken policy; maybe > NFS could document the issue, or help change policy.)
I'm not sure how you think this is supposed to be solved, but about no matter what, this is the wrong package. nfs-utils doesn't do any of the squashing; it's just the part responsible for setting up the mount and that's it. If you really think more than one gid should be squashed, you should reassign to the kernel -- if you think this is a policy bug, you should reassign to the policy package. The only thing I could think of changing in nfs-utils (except support an updated interface for gid squashing) would be documentation, in which case this is wishlist. /* Steinar */ -- Homepage: http://www.sesse.net/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
