Xref: utzoo comp.protocols.nfs:2218 comp.unix.questions:30775
Newsgroups: comp.protocols.nfs,comp.unix.questions
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!think.com!barmar
From: barmar@think.com (Barry Margolin)
Subject: Re: Personal NFS?
Message-ID: <1991Apr26.161440.13729@Think.COM>
Sender: news@Think.COM
Organization: Thinking Machines Corporation, Cambridge MA, USA
References: <1991Apr24.000005.7810@bradley.bradley.edu> <4034@inews.intel.com>
Date: Fri, 26 Apr 91 16:14:40 GMT

In article <4034@inews.intel.com> bhoughto@pima.intel.com (Blair P. Houghton) writes:
>Basically, RTFM mount(8) and umount(8). If your sysadmin has
>turned off your permission to invoke mount or umount, scream
>loudly. The only thing you need to do either is write permission
>in the directory, and the right sort of connectivity to the
>remote system (most routers and gateways prevent nfs activity
>through them, but the workstation in the next cubicle is a
>short hop).

According to the SunOS 4.1.1 man page, "mount(2) may be invoked only by
the super-user." Mount(8) generally isn't setuid, so it inherits this
restriction.

There are good reasons for this. A mount command that can be used by
ordinary users would have to be very careful. It would have to turn on
the "nosuid" option so that the user couldn't create security holes by
mounting a remote file system that has unwanted setuid-root programs.

Another problem is if the remote file system contains device special
files. I've always believed that the nosuid option should also disable
recognition of device files, but most implementations don't do this. So,
the remote file system could contain a device file with the same major
and minor device numbers as /dev/kmem, but owned by the user doing the
mount. This is a big security hole.

It's not true that "most routers and gateways prevent nfs activity
through them". Most routers and gateways just pass everything through.
Some routers can be configured to censor what they pass (we use such a
router for our connection to the Internet), but it's probably not the
case that most sites use this feature. However, most NFS servers have a
configuration file that lists who they will allow to mount their file
systems.

--
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
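
An added example, not part of the original post: a Python audit that flags NFS mounts lacking the nosuid option the post calls for, plus the device-file protection it says nosuid should imply. It assumes the Linux /proc/mounts line format and the separate nodev mount option, neither of which appears in the post; the sample mount table and host names are constructed.

```python
import stat

# Constructed sample in Linux /proc/mounts format:
# device, mountpoint, fstype, options, dump, pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/export/home /home nfs rw,nosuid,nodev,vers=3 0 0
cubicle12:/scratch /mnt/scratch nfs rw,vers=3 0 0
archive:/pub /mnt/pub nfs4 ro,nosuid 0 0
"""

NETWORK_FS = {"nfs", "nfs4"}
REQUIRED = ("nosuid", "nodev")  # nodev is an assumption: not named in the post


def audit_mounts(text):
    """Return {mountpoint: [missing options]} for NFS mounts lacking nosuid/nodev."""
    findings = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # skip blank, short, or comment lines
        _, mountpoint, fstype, options = fields[:4]
        if fstype not in NETWORK_FS:
            continue
        # Strip "=value" so "vers=3" is compared as "vers"
        opts = {o.split("=", 1)[0] for o in options.split(",")}
        missing = [r for r in REQUIRED if r not in opts]
        if missing:
            findings[mountpoint] = missing
    return findings


def risky_mode(st_mode, st_uid):
    """Classify an lstat() result into the two risks the post describes."""
    if stat.S_ISCHR(st_mode) or stat.S_ISBLK(st_mode):
        return "device"  # device special file (the /dev/kmem case)
    if stat.S_ISREG(st_mode) and st_mode & stat.S_ISUID and st_uid == 0:
        return "setuid-root"
    return None


if __name__ == "__main__":
    for mp, missing in audit_mounts(SAMPLE_MOUNTS).items():
        print(f"{mp}: missing {','.join(missing)}")
```

To audit a live Linux host, pass the contents of /proc/mounts to audit_mounts(); risky_mode() takes st_mode and st_uid from os.lstat() when walking a mounted tree.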