tiger 1:3.2.3-10 / usr / lib / tiger / doc / nfs.txt

This file is indexed.

/usr/lib/tiger/doc/nfs.txt is in tiger 1:3.2.3-10.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
%nfs001f
The anonymous ID defines the 'uid' to be used for authenticating
NFS requests which have no credentials.  Setting this to 0 is
very dangerous.  It allows the system to be compromised from client
machines.
%nfs002w
The anonymous ID defines the 'uid' to be used for authenticating
NFS requests which have no credentials.  Setting this to 0 is
very dangerous.  It allows all files to be searched, possibly
revealing security problems.
%nfs003w
Exporting the root file-system allows remote machines to
access critical files such as /etc/passwd, possibly allowing
the machine to be compromised.
%nfs004f
Exporting the root file system allows remote machines to
access critical file such as /etc/passwd.  Exporting this
R/W to everyone means that on the Internet can modify system
files, allowing them to gain further access to the machine.
%nfs005f
Exporting the root file system allows remote machines to
access critical file such as /etc/passwd.  Exporting this
to everyone means that anyone on the Internet can browse system
files, allowing them to find other security problems.
%nfs006f
Exporting a file-system R/W to everyone means that anyone can
modify the data on your system, possibly making changes that
allow them to login to the system and access or destroy other
files.

See `nfs013i'
%nfs007w
Exporting a directory to everyone means that anyone can
look at your files.  The information gained can possibly
be used to gain further access to the machine.

See `nfs013i'
%nfs008f
Exporting the root file system read only and with root access
will allow the remote machine to view system files,
possibly allowing them to gain further access to the
machine.
%nfs009f
Exporting the root file system with R/W and root access
will allow the remote machine to edit system files,
such as /etc/passwd, allowing them to gain access to the
machine.
%nfs010i
Exporting a file-system with root access can allow the
a user on the remote host to gain further access on
the local machine.  Removing root exports is a means
of limiting the number of affected machines in the
event that a machine(s) is compromised.  In this case,
the directory is protected on the server because the
permissions are '700'.  Note on some platforms, if this
is not the root directory of a file-system, then the
server may still be vulnerable.
%nfs011w
The listed directory is exported with root access to a
machine, and the directory is accessible on the server.
By setting the permissions to 'rwx------', if the client is
compromised, the server can not be compromised by any files
which are placed underneath this directory, since they will	
be unreachable by a non-privileged user on the server.
Note on some platforms, if this is not the root directory
of a file-system, then the server may still be vulnerable.

%nfs012w
The directory for a disk-less client is exported with
root access, but the directory is not protected on the
server because the permissions are not '700'.  By setting
the permissions of the directory to `700', any files created
from the client machine will not be accessible on the server.
Note on some platforms, if this is not the root directory
of a file-system, then the server may still be vulnerable.

NOTE:  For the disk-less clients '/' (root) directory, the
permissions can *not* be `700' as non-root processes on the
client will not be able to access any files.  The permissions
on the parent directory on the server should be set to `700'
(or if feasible, the root directory of the file-system on which
the directory resides should be set to `700').
%nfs013i
A common problem with setting up NFS exports is the inability
to get the client access to work.  Often, in frustration,
the administrator of the machine removes the export restrictions
and exports the file systems to everyone.  This problem is
usually caused by host name mismatches.  On most implementations
of NFS, the name matching is case sensitive.  The name specified
in the exports file (or equivalent) must match exactly.  One
way of determining the correct name is to login to the client,
then use `telnet' to login to the server.  The `who' or `finger'
command can then be used to determine the client host name (it
may be truncated, but enough information should be listed to
determine the correct name).  This host name should be used in
the access list in the exports file.
%nfs014w
Exporting the `/usr' partition with read/write access can allow
the server to be compromised if the client is compromised.  An
intruder can replace system binaries.  By exporting it read/only,
they will be unable to do this.

APT Browse - Built by Thomas Orozco.