Berkeley CSUA MOTD:Entry 20678
2001/2/24-26 [Computer/SW/Unix] UID:20678 Activity:high
2/24    Is there a good reason why UNIX prohibits normal users from
        making NFS mounts?
        \_ Well, it's not as good as prohibiting ANYONE from making an
           NFS mount, but you have got to let SOMEONE do whatever they want on
           a system.  NFS mounts, after all, aren't ALWAYS the wrong solution
           (just usually).
        \_ Solaris automounter allows any user to mount a filesystem from a
           remote host as long as it is exported to you. So there is a way
           to do this on unix.
              \_ automounter bad. very bad. evil. spawn of the devil.
                 only bill's network neighborhood is worse.
                 if you need automounter functionality use AFS (it's free
                 now). AFS good.
           \_ you don't do it, the autofs system does it for you.  you
              as a normal user just make requests to autofs.  you cannot,
              as a normal user with normal user permissions, ask autofs
              to mount an NFS export on any arbitrary mount point, only
              on those mount points that autofs is configured to manage --
              say /net, /home, /project, and you cannot tell autofs, as
              a normal user, what mount options to use --jon
              \_ That's what I mean jon. Being able to mount things under
                 /net is still much better than not being able to mount
                 anything at all.
        \_ If you could mount any filesystem you want, anywhere you want,
           then you could do something like mount your own filesystem on
           /etc containing a passwd file in which you know the root passwd
           and give yourself root.  (This is just one of many possibilities.)
            \_ First of all, both /etc and /etc/passwd already exist and
               they're both owned by root on that machine. You can't
               overwrite them. Second of all, if there were to be such a
               thing as user-controlled NFS you shouldn't have any more
               permissions than you normally would. In other words, if I
               don't have permission to create a new file or directory in
               / I shouldn't have the permission to mount a drive at that
               location.
                 \_ The standard mount command lets you mount any filesystem
                    on any directory, empty or full.
                 \_ But I could remotely mount your home directory on my
                    machine where I have root and su to the same uid/gid you
                    have on the remote host and then fuck with your files
                    over nfs as "you".  Depending on how the mount points
                    are exported, I could do the same to root owned files
                    as well, such as /usr, /var, and others.  Got the picture?
                    \_ We're talking about user controlled NFS clients, not
                       servers. As an NFS server, I, as root, would never
                       let you mount my disk so that you can fuck around
                       with it unless you had a legit reason in which case
                       I would have created a little restricted sandbox
                       directory for you to muck around with. But I think
                       it would be a useful idea (and relatively safe) to
                       have a SMB-like user-controlled mounting of remote
                       filesystems. I have yet to see why this is unsafe.
                      I have an account on CSUA called jondoe. On my
                      Unix box at home I want to mount everything in
                      ~jondoe at CSUA by supplying my jondoe username/
                      password pair and everything in ~jondoe is mounted
                      on my home computer. CSUA will only let me access
                      files in ~jondoe with the same permissions that
                      jondoe himself would normally be able to access.
                      \_ Yes.  That's all well and good.  Now explain what
                         prevents me from setting up a jondoe account on _my_
                         home machine with _your_ uid/gid and mounting _your_
                         jondoe account.  NFS has what sort of security to
                         prevent this?  None.  Please explain why I couldn't
                         do this.
                         \_ First of all, even stock NFS controls what
                            machines you export to.  Obviously it would be
                            silly to export csua home directories to the
                            world with no restrictions, but if you trust
                            a particular machine, this isn't a problem.
                            And second, NFS does have the facility to
                            use public-key authentication, though it's not
                            often used around here.  -tom
                         \_ Because you have to have jondoe's password to do
                            this.  Think of it this way.  jondoe logs into
                            csua, and types some magical command called
                            "nfsexport home-machine-ip" which exports HIS
                            home directory to that IP.  Or, he can run
                            "nfsexport jondoe@csua", type in his CSUA
                            password, and get access to his files.  Yes,
                            NFS has minimalistic security, but it doesn't
                            have to be NFS, maybe another similar system.
                            Now explain to me why this won't work, and why
                            this system, which would seem very useful,
                            isn't in place.
                      \_ Yes!  This is exactly what I mean.  Why isn't this
                         done?                -original poster
                         \_ Can you think about the potential problems?
                         \_ jondoe is exporting. Different from mounting.
                            What was your question again?
        \_ Switch to plan9.
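The thread's core point is that with plain NFS the export's host list and root squashing are all that stand between a client root who sets up a matching uid and your files, and that stronger RPC authentication (tom's point) closes that hole. The audit below over an exports(5)-style file is an added example, not from the thread or from CSUA; the sample exports are constructed, and Kerberos (sec=krb5*) stands in for the stronger authentication tom mentions.

```python
# Constructed sample exports(5) file (not from the thread): one export per
# line, "path client(options) ...", in the syntax Linux exportfs reads.
SAMPLE_EXPORTS = """\
# open to any host, and remote root is not squashed
/home *(rw,no_root_squash)
# one trusted host, root squashed, but still AUTH_SYS (client-asserted uid)
/project 10.0.0.5(rw,root_squash)
# one trusted host and Kerberos: the server verifies who the user is
/export/secure 10.0.0.5(rw,sec=krb5p,root_squash)
/pub *(ro,all_squash)
"""

def parse_exports(text):
    """Yield (path, client, [options]) for every client spec in the file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]  # no client means everyone
        for spec in clients:
            host, _, rest = spec.partition("(")
            opts = rest.rstrip(")").split(",") if rest else []
            yield path, host or "*", opts

def audit_export(path, host, opts):
    """Return the findings a defender would raise for one path/client pair."""
    findings = []
    if "*" in host:
        # Wildcard host: anyone who can reach the server may mount this path.
        findings.append("unrestricted host")
    if "no_root_squash" in opts:
        # Remote root keeps uid 0 on the export, so root-owned files are fair game.
        findings.append("no_root_squash: remote root acts as local root")
    flavors = ["sys"]   # exports(5): AUTH_SYS is the default when sec= is absent
    for o in opts:
        if o.startswith("sec="):
            flavors = o[4:].split(":")
    if "rw" in opts and "sys" in flavors:
        # AUTH_SYS trusts the uid/gid the client sends, which is exactly the
        # "same uid on my own box" problem the thread describes.
        findings.append("rw without Kerberos: client-asserted uid trusted")
    return findings

def audit(text):
    """Map 'path -> client' to its findings; an empty list means nothing flagged."""
    return {f"{p} -> {h}": audit_export(p, h, o) for p, h, o in parse_exports(text)}
```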