Say we've got John.Doe (uid of 534) who has network access to /net/Server/Files, but it requires that John.Doe be in the 'Privileged' group, with gid of 509.
Currently nothing's stopping Mark from creating a VM, creating for himself a user named John.Doe with uid 534, and creating Privileged as a group with gid of 509. Then adding his user to it. And voila. NFS allows it.
We have root_squash enabled on our shares. Is our only recourse using all_squash? This seems like a security hole. NIS has the securenets file. That's something. Is there anything like that for NFS?
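The behaviour described in the post comes from NFS's default `sec=sys` (AUTH_SYS) flavor, where the server accepts whatever uid and gid the client sends, and `root_squash` only remaps uid 0. As an added example that is not part of the original post, this sketch audits `/etc/exports`-style text for entries that trust client-supplied ids or are open to any host; the sample exports and the `audit_exports` name are constructed for illustration, and line continuations and quoted paths are not handled.

```python
import re

# Constructed sample /etc/exports; only /net/Server/Files comes from the post.
SAMPLE_EXPORTS = """\
/net/Server/Files *(rw,root_squash)
/srv/build        10.0.5.0/24(rw,sync,root_squash)
/srv/public       *(ro,all_squash)
/srv/finance      @trusted(rw,sec=krb5p)
"""

# One "client(options)" token; the client or the options may be absent.
ENTRY = re.compile(r"^([^\s(]*)(?:\(([^)]*)\))?$")


def audit_exports(text):
    """Return (path, client, findings) for every client entry in exports text."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = ENTRY.match(entry)
            if not m:
                continue
            client = m.group(1)  # empty when the entry is just "(options)"
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            # sec= takes a colon-separated list; the default flavor is sys.
            flavors = ["sys"]
            for o in opts:
                if o.startswith("sec="):
                    flavors = o[4:].split(":")
            findings = []
            # With sec=sys and no all_squash, the client's uid/gid are honoured.
            if "sys" in flavors and "all_squash" not in opts:
                findings.append("client-ids-trusted")
            # "*" or an options-only entry matches every host that can connect.
            if client in ("", "*"):
                findings.append("any-host")
            results.append((path, client, findings))
    return results


if __name__ == "__main__":
    for path, client, findings in audit_exports(SAMPLE_EXPORTS):
        print(path, client or "<any>", ", ".join(findings) or "ok")
```
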