Bug#384922: NFS insecure without support for squashing multiple groups

To: jrnieder@gmail.com
Cc: 384922@bugs.debian.org, vorlon@debian.org
Subject: Bug#384922: NFS insecure without support for squashing multiple groups
From: paul.szabo@sydney.edu.au
Date: Sun, 19 Feb 2012 22:59:34 +1100
Message-id: <[🔎] 201202191159.q1JBxYMM017647@bari.maths.usyd.edu.au>
Reply-to: paul.szabo@sydney.edu.au, 384922@bugs.debian.org
In-reply-to: <[🔎] 20120218171611.GA10638@burratino>

> ... AUTH_SYS with untrusted root on clients is not a good fit ...
> NFSv4 with kerberos authentication would be less broken.  root_squash
> is a simplistic and incomplete band-aid.

NFSv4+krb is better only because it does not have a concept of groups.
Remove groups from AUTH_SYS, ignoring all groups or in other words doing
"manage primary group" similar to secondaries with -manage_gids, and
issue might be solved.
(In that sense NFSv4+krb is more broken, less feature-rich, than
AUTH_SYS.)

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Reply to:

Follow-Ups:
- Bug#384922: NFS insecure without support for squashing multiple groups
  - From: Jonathan Nieder <jrnieder@gmail.com>

References:
- Bug#384922: NFS insecure without support for squashing multiple groups
  - From: Jonathan Nieder <jrnieder@gmail.com>

Prev by Date: Re: Sparc netboot image is too large to boot (again)
Next by Date: Bug#660464: linux-source-3.2: KMS is not working for Radeon 9250
Previous by thread: Bug#384922: NFS insecure without support for squashing multiple groups
Next by thread: Bug#384922: NFS insecure without support for squashing multiple groups
Index(es):
- Date
- Thread