http://mars.netanya.ac.il/~unesco/cdrom/LDP/NFS/HTML_FORMAT/NFS-HOWTO-6.html
Another important thing is to ensure that nfsd checks that all its requests come from a privileged port. If it accepts requests from any old port on the client, a user with no special privileges can run a program that is easy to obtain over the Internet. It talks nfs protocol and will claim that the user is anyone the user wants to be. Spooky. The Linux nfsd does this check by default; on other OSes you have to enable this check yourself. This should be described in the nfsd man page for the OS.
Another thing. Never export a file system to 'localhost' or 127.0.0.1. Trust me.
The newer version says:
http://nfs.sourceforge.net/nfs-howto/ar01s06.html
The TCP ports 1-1024 are reserved for root's use (and therefore sometimes referred to as "secure ports"). A non-root user cannot bind these ports. Adding the secure option to an /etc/exports means that it will only listen to requests coming from ports 1-1024 on the client, so that a malicious non-root user on the client cannot come along and open up a spoofed NFS dialogue on a non-reserved port. This option is set by default.
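The old version says to trust only clients connecting from ports below 1024, and not to export to localhost. That makes some sense: if connections from ports above 1024 on localhost were trusted, they could be forged.
But doing just one of the two should be enough; an external connection can be fake whether or not it comes from a port below 1024.
I don't know why the Linux implementation still works this way.
On a Mac, mount_nfs needs this option added: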
-o resvport
Use a reserved socket port number. This is useful for mounting
servers that require clients to use a reserved port number on the
mistaken belief that this makes NFS more secure. (For the rare
case where the client has a trusted root account but untrustworthy
users and the network cables are in secure areas this does
help, but for normal desktop clients this does not apply.)
In other words, this basically does nothing useful.
Without this option, the mount fails with: /Volumes/nfs: Permission Denied
Alternatively, add insecure to /etc/exports on the NFS server.
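The two settings discussed above (the insecure export option and exports to localhost) can be checked for in an exports file. The following audit script is an added example, not code from either HOWTO or from this blog; it assumes the Linux exports(5) layout `path client(options) ...` without quoted paths, and the sample file content is constructed.

```python
import re

# Constructed sample, not taken from a real server.
SAMPLE = r"""
# home directories for the LAN
/home      192.168.1.0/24(rw,sync)
/srv/pub   (ro,insecure,all_squash)
/data      127.0.0.1(rw) \
           macbook.example(rw,insecure)
"""

INSECURE = "insecure option: non-reserved source ports accepted"
LOOPBACK = "exported to loopback"

def is_loopback(client):
    c = client.lower()
    return c in ("localhost", "::1") or c.startswith("127.")

def audit_exports(text):
    """Return (path, client, issue) tuples for an exports file's text."""
    findings = []
    text = text.replace("\\\n", " ")          # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", entry)
            if not m:
                findings.append((path, entry, "unparseable entry"))
                continue
            client = m.group(1) or "*"        # "(opts)" alone means any host
            opts = {o.strip() for o in (m.group(2) or "").split(",")}
            # "secure" is the default, so only an explicit "insecure" matters.
            if "insecure" in opts:
                findings.append((path, client, INSECURE))
            if is_loopback(client):
                findings.append((path, client, LOOPBACK))
    return findings

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE):
        print(f"{path}  {client}: {issue}")
```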
Tuesday, March 2, 2010
Build XNU Kernel
http://shantonu.blogspot.com/2009/09/mac-os-x-kernel-source-xnu-has-been.html
The Mac OS X kernel source (xnu) has been released for Mac OS X 10.6 Snow Leopard: here
Building xnu requires some open source (but not pre-installed) tools. Darwinbuild is the most reliable way for building these dependencies and xnu itself. Until that is ready, you can build the tools manually as follows:
- Download the build tools source(s)
$ curl -s -O http://www.opensource.apple.com/tarballs/cxxfilt/cxxfilt-9.tar.gz
$ curl -s -O http://www.opensource.apple.com/tarballs/dtrace/dtrace-78.tar.gz
$ curl -s -O http://www.opensource.apple.com/tarballs/kext_tools/kext_tools-177.tar.gz
$ curl -s -O http://www.opensource.apple.com/tarballs/bootstrap_cmds/bootstrap_cmds-72.tar.gz
- Unpack the tools
$ tar zxf cxxfilt-9.tar.gz
$ tar zxf dtrace-78.tar.gz
$ tar zxf kext_tools-177.tar.gz
$ tar zxf bootstrap_cmds-72.tar.gz
- Build cxxfilt
$ cd cxxfilt-9
$ mkdir -p obj sym dst
$ make install RC_ARCHS="i386 x86_64" RC_CFLAGS="-arch i386 -arch x86_64 -pipe" RC_OS=macos RC_RELEASE=SnowLeopard SRCROOT=$PWD OBJROOT=$PWD/obj SYMROOT=$PWD/sym DSTROOT=$PWD/dst
...
$ sudo ditto $PWD/dst/usr/local /usr/local
Password:
$ cd ..
- Build dtrace
$ cd dtrace-78
$ mkdir -p obj sym dst
$ xcodebuild install -target ctfconvert -target ctfdump -target ctfmerge ARCHS="i386 x86_64" SRCROOT=$PWD OBJROOT=$PWD/obj SYMROOT=$PWD/sym DSTROOT=$PWD/dst
...
$ sudo ditto $PWD/dst/usr/local /usr/local
Password:
$ cd ..
- Build kext_tools
$ cd kext_tools-177
$ mkdir -p obj sym dst
$ xcodebuild install -target kextsymboltool -target setsegname ARCHS="i386 x86_64" SRCROOT=$PWD OBJROOT=$PWD/obj SYMROOT=$PWD/sym DSTROOT=$PWD/dst
...
$ sudo ditto $PWD/dst/usr/local /usr/local
Password:
$ cd ..
- Build bootstrap_cmds
$ cd bootstrap_cmds-72
$ mkdir -p obj sym dst
$ make install RC_ARCHS="i386" RC_CFLAGS="-arch i386 -pipe" RC_OS=macos RC_RELEASE=SnowLeopard SRCROOT=$PWD OBJROOT=$PWD/obj SYMROOT=$PWD/sym DSTROOT=$PWD/dst
...
$ sudo ditto $PWD/dst/usr/local /usr/local
Password:
$ cd ..
- Download the xnu source
$ curl -s -O http://www.opensource.apple.com/tarballs/xnu/xnu-1456.1.26.tar.gz
- Unpack xnu
$ tar zxf xnu-1456.1.26.tar.gz
- Build xnu
$ cd xnu-1456.1.26
$ make ARCH_CONFIGS="I386 X86_64" KERNEL_CONFIGS="RELEASE"
...
$ file BUILD/obj/RELEASE_*/mach_kernel
BUILD/obj/RELEASE_I386/mach_kernel: Mach-O executable i386
BUILD/obj/RELEASE_X86_64/mach_kernel: Mach-O 64-bit executable x86_64
It turns out blogspot has no quote feature...