/etc/security, /etc/exports, -network

From: jared r r spiegel (jrrsice-nine.org)
Date: Wed Feb 09 2005 - 05:54:59 CST


  /etc/security yells at me for having globally exported
  filesystems.

--email warning--
Checking for globally exported file systems.
File system /MNT/oliphant globally exported, read-write.
-----------------

--exports--
/MNT/oliphant -maproot=0 -network=192.168.7.0 -mask=255.255.255.224
-----------

  192.168.7.0 is the internal, LAN-facing iface.

  I thought "globally" would imply, say, -network=0.0.0.0, so I
  tried to look at /etc/security itself. I don't know
  for sure if I am interpreting the awk correctly, but
  it seems that it considers a filesystem to be
  globally exported if it does not find on that line at least
  one option which begins with a character that is not a dash.
  
  Is this because the process of determining the scope of
  the '-network' a filesystem is exported to, whether or not
  it is global or really only a specific few hosts to which
  access is restricted, is beyond the scope of the script, or
  otherwise too heavy or impossible to automatically determine
  with 100% accuracy each time?

  I guess, further, if that's right, is the workaround for
  having a filesystem exported over NFS to a finite scope of
  hosts (e.g. the LAN) and not receiving warnings from the daily
  security checker to use the facility provided by netgroup(5)?
  (If so, hopefully a netgroup name beginning with a dash is
  invalid, if I made a correct judgement above?)

  jared

--

[ openbsd 3.6 GENERIC ( jan 13 ) // i386 ]
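As an added example, not code from the post and not OpenBSD's own /etc/security, the script below re-implements the "globally exported" check the way the poster reads the awk (a line is reported whenever every field after the path starts with a dash), and beside it a stricter variant that also understands -network/-mask. Apart from the /MNT/oliphant line quoted in the post, the exports lines, hostnames and netgroup name are constructed for the demo; the exact regexes in the real script may differ from the ones used here.

```shell
#!/bin/sh
# Added example: re-implementation of the daily "globally exported file
# systems" check as the poster describes it, plus a network-aware variant.
# Constructed sample /etc/exports; only the first line is from the post,
# the hostnames and the netgroup name "pubhosts" are hypothetical.
SAMPLE_EXPORTS='/MNT/oliphant -maproot=0 -network=192.168.7.0 -mask=255.255.255.224
/usr/src -ro
/home -alldirs host1.example.org host2.example.org
/data -maproot=nobody -network=0.0.0.0 -mask=0.0.0.0
/pub -ro pubhosts'

# classic_check: reads exports lines on stdin and reports a file system as
# globally exported when no field after the path names a host or netgroup,
# i.e. every option begins with a dash.  -ro only changes the wording.
# This is the behaviour the poster infers from the awk in /etc/security.
classic_check() {
    awk '{
        readonly = 0
        for (i = 2; i <= NF; ++i) {
            if ($i == "-ro")
                readonly = 1
            else if ($i !~ /^-/)
                next            # a host or netgroup name restricts the export
        }
        mode = readonly ? "read-only." : "read-write."
        print "File system " $1 " globally exported, " mode
    }'
}

# network_aware_check: same report, but a -network= option whose address
# (and -mask, when given) is not 0.0.0.0 also counts as a restriction, so a
# LAN-scoped export is not reported.  Heuristic written for this example,
# not what the OpenBSD script does.
network_aware_check() {
    awk '{
        readonly = 0; hosts = 0; net = ""; mask = ""
        for (i = 2; i <= NF; ++i) {
            if ($i == "-ro")
                readonly = 1
            else if ($i ~ /^-network=/)
                net = substr($i, 10)     # strip "-network="
            else if ($i ~ /^-mask=/)
                mask = substr($i, 7)     # strip "-mask="
            else if ($i !~ /^-/)
                hosts = 1
        }
        if (hosts)
            next
        if (net != "" && net != "0.0.0.0" && mask != "0.0.0.0")
            next
        mode = readonly ? "read-only." : "read-write."
        print "File system " $1 " globally exported, " mode
    }'
}

# Wrappers that run each check over the constructed sample.
classic_report()       { printf '%s\n' "$SAMPLE_EXPORTS" | classic_check; }
network_aware_report() { printf '%s\n' "$SAMPLE_EXPORTS" | network_aware_check; }

echo '== classic check =='
classic_report
echo '== network-aware check =='
network_aware_report
```

The classic check reports the /MNT/oliphant line exactly as in the quoted warning (every option starts with a dash), and also the 0.0.0.0 export and the bare -ro line, while the two lines that list a hostname or netgroup pass silently. The network-aware variant drops the /MNT/oliphant report because its -network/-mask pair is not 0.0.0.0; whether that is an acceptable relaxation depends on how much you trust -network= as a boundary.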