[comp.protocols.nfs] mount option 'nodev'

root@sun1.ruf.uni-freiburg.de (Martin Walter) (06/14/91)

With HP-UX you can mount an NFS filesystem, so that the remote
device files are ignored. From the HP-UX MOUNT(1M) manual:

               .......  The nodevs option denies access to devices
               attached to the NFS client by causing attempts to read
               or write to NFS device files to return an error.

This option seems to me very useful to close certain security
holes. How can I get the same functionality on other unixes
especially under SunOS 4.1.1?
-- 
Martin Walter                  | Mail: mawa@sun1.ruf.uni-freiburg.de
Rechenzentrum der Universitaet | University Computing Center
Hermann-Herder-Str.10          | Phone: +49 761 203 4532
D-7800 Freiburg i.Br / Germany | FAX:   +49 761 203 4122

jay@silence.princeton.nj.us (Jay Plett) (06/14/91)

In article <1991Jun13.213712.27559@sun1.ruf.uni-freiburg.de>, root@sun1.ruf.uni-freiburg.de (Martin Walter) writes:
 ... [ nodev mount option to disallow access to devices ] ...
> This option seems to me very useful to close certain security
> holes. How can I get the same functionality on other unixes
> especially under SunOS 4.1.1?

You (and the rest of us) talk it up at every opportunity.
With the rapidly increasing prevalence of removable-media
devices, this option is essential.  We need the option;
it needs to be a standard option to the mount command on
every system.  We need to let the vendors know that we
need it.  Don't ever again go to a cocktail party without
bringing the subject up at least three times :-)  Seriously,
the topic needs "recognition".  Enough so that it will
penetrate the sales-weenies; then they will get it
done.

	...jay

tar@math.ksu.edu (Tim Ramsey) (06/14/91)

jay@silence.princeton.nj.us (Jay Plett) writes:

>You (and the rest of us) talk it up at every opportunity.
>With the rapidly increasing prevalence of removable-media
>devices, this option is essential.  We need the option;

[ ... ]

I agree.  I don't understand the value of the "nosuid" option when making
your own /dev/kmem gives you the whole boat anyway.  But then, Sun ships
its operating system with a "+" in /etc/hosts.equiv.  :-(

I'm holding out for 4.4BSD on my SPARC so I can fix things like this
myself.  I won't live long enough to wait for Sun to do it for me.

--
Tim Ramsey/system administrator/tar@math.ksu.edu/(913) 532-6750/2-7004 (FAX)
Department of Mathematics, Kansas State University, Manhattan KS  66506-2602

guy@auspex.auspex.com (Guy Harris) (06/21/91)

 >I agree.  I don't understand the value of the "nosuid" option when making
 >your own /dev/kmem gives you the whole boat anyway.  But then, Sun ships
 >its operating system with a "+" in /etc/hosts.equiv.  :-(
 >
 >I'm holding out for 4.4BSD on my SPARC so I can fix things like this
 >myself.  I won't live long enough to wait for Sun to do it for me.

Hell, I fixed the SunOS running on Auspex boxes so that "nosuid" implies
"nodev" (is there *any* reason whatsoever to have two separate knobs, as
HP does?) a while ago, and even sent the changes to Sun; it ain't that
hard.
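
An added example, not part of the thread: a small audit of fstab-format entries that reports NFS mounts lacking "nosuid" or a no-device option, the gap the posts above describe. The hostnames, paths and sample entries are constructed, and the `nosuid_implies_nodev` switch is a hypothetical parameter for systems patched the way Guy Harris describes; whether a given system accepts "nodev" or "nodevs" must be checked in its own mount manual.

```python
"""Audit fstab-format text for NFS mounts missing nosuid / nodev."""

# "nodevs" is the HP-UX spelling quoted in the thread; "nodev" is the
# spelling used in the subject line. Either counts as blocking devices.
NODEV_OPTS = {"nodev", "nodevs"}


def parse_fstab(text):
    """Yield (mount_point, fstype, option_set) for each well-formed entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4:                   # need device, dir, type, options
            continue
        _device, mount_point, fstype, opts = fields[:4]
        # Keep only option names: "rsize=8192" is recorded as "rsize".
        yield mount_point, fstype, {o.split("=", 1)[0] for o in opts.split(",") if o}


def audit(text, nosuid_implies_nodev=False):
    """Return [(mount_point, [missing options])] for NFS entries.

    nosuid_implies_nodev: set True only on a system where "nosuid" also
    blocks device files (hypothetical switch, see the lead-in).
    """
    findings = []
    for mount_point, fstype, opts in parse_fstab(text):
        if fstype != "nfs":
            continue
        has_nosuid = "nosuid" in opts
        has_nodev = bool(opts & NODEV_OPTS) or (nosuid_implies_nodev and has_nosuid)
        missing = [name for name, ok in (("nosuid", has_nosuid), ("nodev", has_nodev)) if not ok]
        if missing:
            findings.append((mount_point, missing))
    return findings


# Constructed sample input (not taken from any real host).
SAMPLE = """\
# device               dir       type  options            freq pass
/dev/sd0a              /         4.2   rw                 1 1
fileserv:/export/home  /home     nfs   rw,nosuid,bg       0 0
fileserv:/export/src   /usr/src  nfs   ro,nosuid,nodev    0 0
otherhost:/pub         /pub      nfs   rw,soft,rsize=8192 0 0
hpbox:/data            /data     nfs   rw,nosuid,nodevs   0 0
"""

if __name__ == "__main__":
    for mount_point, missing in audit(SAMPLE):
        print(f"{mount_point}: missing {', '.join(missing)}")
```
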