> ... AUTH_SYS with untrusted root on clients is not a good fit ...
> NFSv4 with kerberos authentication would be less broken.  root_squash
> is a simplistic and incomplete band-aid.

NFSv4+krb is better only because it does not have a concept of groups.
Remove groups from AUTH_SYS, ignoring all groups or in other words doing
"manage primary group" similar to secondaries with -manage_gids, and
the issue might be solved.
(In that sense NFSv4+krb is more broken, less feature-rich, than
AUTH_SYS.)

Cheers, Paul

Paul Szabo   [email protected]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


