[562] in bugtraq
Re: CERT, about NFS
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Thu Dec 22 14:52:01 1994
From: Leo Bicknell <bicknell@csugrad.cs.vt.edu>
To: mouse@Collatz.McRCIM.McGill.EDU (der Mouse)
Date: Thu, 22 Dec 1994 10:59:54 -0500 (EST)
Cc: bugtraq@fc.net
In-Reply-To: <199412211532.KAA00835@Collatz.McRCIM.McGill.EDU> from "der Mouse" at Dec 21, 94 10:32:05 am
> > 1. Do *not* self-reference an NFS server in its own exports file.
> > 2. Do not allow the exports file to contain a "localhost" entry.
>
> Anyone know why these are recommended? As far as I can see, if your
> portmapper doesn't do proxy calls and/or you firewall out port 111, and
> you don't care about local attacks, neither C.1 nor C.2 will buy you
> anything further. Am I missing something, or are these bits of advice
> simply there for people who don't do A and B?
I recall an old bug (possibly in a CERT advisory)
about NFS and exporting to localhost. I can't remember what
it is off the top of my head, and I'm not at school to look it up,
but I think it was something along the lines of if you mounted
a filesystem to localhost permissions were no longer checked for
some reason.
Of course, if you don't worry about local attacks it's
not a problem, but many of us do. Someone with easy access
to CERT advisories might want to look back a year or so
and see what all the "localhost NFS bug" entailed.
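
Added example, not part of the original message: a small audit of an exports file against the two quoted recommendations (no self-reference, no "localhost" entry). The sample file, the server name "nfs1" and the function names are constructed for illustration; the parser assumes Linux-style `host(opts)` fields and SunOS 4-style `-access=a:b,root=c` options.

```python
import re

LOOPBACK = {"localhost", "localhost.localdomain", "::1"}

# Constructed sample mixing Linux and SunOS 4 exports syntax (not from the post).
SAMPLE = """\
# constructed sample
/export/home  alpha(rw) localhost(rw)
/export/src   -access=beta:nfs1,root=beta
/export/pub   gamma(ro) \\
              127.0.0.1(ro)
/export/tmp   delta(rw)   # localhost mentioned only in a comment
"""

def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def clients(fields):
    """Yield client names from 'host(opts)' and '-access=a:b,root=c' fields."""
    for field in fields:
        if field.startswith("-"):
            for opt in field[1:].split(","):
                key, _, val = opt.partition("=")
                if key in ("access", "root", "rw", "ro") and val:
                    yield from val.split(":")
        else:
            yield field.split("(", 1)[0]

def audit_exports(text, own_names):
    """Return (path, client, reason) for loopback or self-referencing clients."""
    own = {n.lower() for n in own_names}
    findings = []
    for line in logical_lines(text):
        path, *fields = line.split()
        for client in clients(fields):
            name = client.lower()
            if name in LOOPBACK or name.startswith("127."):
                findings.append((path, client, "localhost entry"))
            elif name in own:
                findings.append((path, client, "self-reference"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE, {"nfs1", "nfs1.example.com"}):
        print(*finding, sep="\t")
```

Pass every name and address the server answers to in `own_names`; matching is exact, so a short name and its FQDN must both be listed.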