Excerpts from internet.info-afs: 9-Feb-94 Re: by Bob [EMAIL PROTECTED]
> The obvious part is that NFS requires merely a userid to gain access to
> NFS-mounted file systems.
>
> If user "bob" has access rights on an NFS directory, then anybody with
> root access on a remote host who can mount the file system can
> masquerade as "bob" and access the directory. The part that might not
> be obvious is that translator tokens aren't PAG-related, so if "bob" has
> valid server tokens, then any other "bob" that accesses the server will
> also have tokens.
>
> -Bob

This problem could easily be solved by using the Kerberos UID-mapping
hack Athena did with Kerberos 4. One module needs to be added to the
kernel (nfsmapctl) and I was able to do that on my Sun 3 running SunOS
4.1.1. However, the rest of the work involved is:

  a) rebuild rpc.mountd... source is provided with the Athena mods
  b) fix a module already present in the kernel, nfs_server.o

Unfortunately you need Sun NFS source to do that, or you need to hack
their routines into whatever kernel NFS implementation you are using.
Since I haven't a Sun NFS source license, nor have I yet found an
implementation of NFS which I can plop into my kernel, I can't test any
of this.

-D
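
The idea behind a server-side UID mapping, as an added example that is not part of the original message and is not the Athena code: the uid in an AUTH_SYS credential is only what the client asserts, so the server acts on it only when a separately authenticated mapping exists for that client address and uid. The table layout, function names, the 65534 "nobody" uid, and the sample bytes and addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define UID_NOBODY 65534u /* assumed "nobody" uid for unmapped callers */

/* Hypothetical server-side table: filled only by a Kerberos-authenticated
 * mapping request, never from the NFS call itself. */
struct uidmap { uint32_t client_ip, client_uid, server_uid; };

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Extract the client-asserted uid from an XDR AUTH_SYS credential body
 * (stamp, machinename<255>, uid, gid, gids<16>). 0 on success, -1 if malformed. */
int authsys_uid(const uint8_t *b, size_t n, uint32_t *uid) {
    if (n < 8) return -1;
    uint32_t len = be32(b + 4);
    if (len > 255) return -1;
    size_t off = 8 + ((len + 3u) & ~(size_t)3); /* name is padded to 4 bytes */
    if (n < off + 12) return -1;
    uint32_t ngids = be32(b + off + 8);
    if (ngids > 16 || n != off + 12 + 4 * (size_t)ngids) return -1;
    *uid = be32(b + off);
    return 0;
}

/* Uid the server should act as: the mapped one, or nobody if the
 * (address, uid) pair was never registered or the credential is malformed. */
uint32_t effective_uid(const struct uidmap *t, size_t nt, uint32_t ip,
                       const uint8_t *cred, size_t n) {
    uint32_t uid;
    if (authsys_uid(cred, n, &uid) != 0) return UID_NOBODY;
    for (size_t i = 0; i < nt; i++)
        if (t[i].client_ip == ip && t[i].client_uid == uid)
            return t[i].server_uid;
    return UID_NOBODY;
}

/* Constructed sample: credential claiming uid 1001 ("bob"), machine "ws1". */
static const uint8_t SAMPLE_CRED[24] = {
    0,0,0,1,  0,0,0,3,  'w','s','1',0,  0,0,0x03,0xE9,  0,0,0,100,  0,0,0,0 };
/* Constructed table: only 192.0.2.10 registered a mapping for uid 1001. */
static const struct uidmap SAMPLE_MAP[1] = { { 0xC000020Au, 1001u, 1001u } };

int main(void) { /* same credential bytes from 192.0.2.10 and from 192.0.2.20 */
    uint32_t a = effective_uid(SAMPLE_MAP, 1, 0xC000020Au, SAMPLE_CRED, sizeof SAMPLE_CRED);
    uint32_t b = effective_uid(SAMPLE_MAP, 1, 0xC0000214u, SAMPLE_CRED, sizeof SAMPLE_CRED);
    return !(a == 1001u && b == UID_NOBODY);
}
```

A table keyed on client address and uid still treats every process on one client that presents the same uid alike, so it narrows the exposure to hosts that hold a registered mapping rather than tying access to a single login session.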