
Re: gids assigned non-deterministically

[Tim Dijkstra]
> Hmm, pam_group doesn't sound too secure to me... what if on one
> machine gid 110 is www-data and on another plugdev. Then if a user
> logs in on the second machine it will get access to gid 110, make
> some suid executable, which on another machine ... Well the nfs
> mount is nosuid, but still, I find this a bit scary.

You are right.  The groups in use on an NFS mounted directory should
be the same across all machines.  So you should avoid making any files
with those gids on an NFS-exported file system.

Petter Reinholdtsen
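
One way to check for the mismatch discussed in this thread, as an added example that is not part of the original messages: compare the /etc/group contents of two machines that share an NFS export and report gids that map to different group names. The function names and the sample group entries are constructed for illustration; only gid 110 with www-data and plugdev comes from the thread.

```python
# Added example: find gids that mean different groups on two NFS clients.
# HOST_A and HOST_B are constructed sample /etc/group contents.

HOST_A = "root:x:0:\nusers:x:100:\nwww-data:x:110:\n"
HOST_B = "root:x:0:\nusers:x:100:\nplugdev:x:110:alice\nscanner:x:111:\n"

def parse_group(text):
    """Parse /etc/group text (name:passwd:gid:members) into {gid: name}."""
    by_gid = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # Skip malformed lines and NIS compat entries such as "+:::"
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        # Lookups by gid return the first matching entry, so keep the first
        by_gid.setdefault(int(fields[2]), fields[0])
    return by_gid

def gid_conflicts(text_a, text_b):
    """Gids defined on both hosts under different names: (gid, name_a, name_b)."""
    a, b = parse_group(text_a), parse_group(text_b)
    return [(g, a[g], b[g]) for g in sorted(set(a) & set(b)) if a[g] != b[g]]

def gid_one_sided(text_a, text_b):
    """Gids defined on only one host: (gid, name_a or None, name_b or None)."""
    a, b = parse_group(text_a), parse_group(text_b)
    return [(g, a.get(g), b.get(g)) for g in sorted(set(a) ^ set(b))]

if __name__ == "__main__":
    for gid, name_a, name_b in gid_conflicts(HOST_A, HOST_B):
        print(f"gid {gid}: '{name_a}' on host A but '{name_b}' on host B")
    for gid, name_a, name_b in gid_one_sided(HOST_A, HOST_B):
        print(f"gid {gid}: only defined on one host ({name_a or name_b})")
```
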
