Subject: Re: security/6594: the default "nobody" credentials (32767:9999) do not match mountd's default (-2:-2)
To: NetBSD GNATS submissions and followups <gnats-bugs@gnats.netbsd.org>
From: David Laight <david@l8s.co.uk>
List: netbsd-bugs
Date: 09/08/2002 09:33:14
> > Yes - I was wondering whether that ought to be tightly enforced?
> > ie even if a file has uid -2 it still can't be accessed?
>
> Ah, _NO_! :-)
>
> > The permissions for created files become problematical...
>
> Indeed! Perhaps you should look at some clusters of diskless clients in
> real production use. The client superusers must quite often be able to
> create files, and subsequently access the files they create, even on
> partitions where they do not have superuser access (and indeed in some
> cases they may not ever have any superuser access to any files on any
> filesystems).
It is a long time since I've had access to such a cluster (sun3s)
and I didn't set it up. However under those circumstances the admin
would almost certainly explicitely map remote root access to a
specific local user.
David
--
David Laight: david@l8s.co.uk