FreeBSD Jumpstart Guide
Manolis Kiagias
sonic2000gr at gmail.com
Tue Mar 3 16:40:52 UTC 2009
Lazaro Daniel Salem wrote:
> Hi!
>
> In this very nice article
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pxe/article.html
>
> it is said:
>
> Warning!!: This procedure will make the "Server" both insecure and
> dangerous, it is best to just keep the "Server" on its own hub and not
> in any way accessible by any machines other than the "Clients".
> <http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pxe/article.html>
>
> I assume exporting NFS to the whole (sub)network and running tftp makes
> the system more vulnerable though I am not sure I remember all the
> details.
Just by reading the article (and not ever having performed this) it
seems this is the insecure part:
(/etc/exports)
/usr -alldirs -ro
This is exporting to the whole world - in theory someone from the
Internet could mount it.
It would be a lot safer if it where:
/usr -network 10.8.253.0 -mask 255.255.255.0 -alldirs -ro
(using the network the author provides in the sample dhcpd.conf)
In theory DHCP would assign you an address that would have access to
this, and you would not have to share /usr to the entire planet. I
don't know if I am overlooking something though.
More information about the freebsd-doc
mailing list