(this is more theoretical knowledge than experiencial, so correct me if I'm wrong)
Basically, NFS is one of those odd occurrences of poorly designed security in Unix. Functionality, however, is generally very nice if done right. Notice the quote below that neither Users or Hosts are easily authenticated. This is important because the filesystem is basically made use of as if it were local. If have something like NIS, that isn't as big a problem, but if you're not using NIS, you could have a user ID which is 501 on one box and 100 on another. Since all security is done through numbers, this would create an inconsistency between the two machines... and allow the user to access user 501's files on the other machine. Also, since the Hosts can't be authenticated, it is not difficult to make your hacker laptop look like an authorized host (by downing or unplugging a host from the network) and suddently your user 0 (root) has access to all files shared on NFS on the network, without having to know anyone else's password. How's that? Does that scare you? Granted, if you run this locally, you have the security of your lock and walls... unless you run wireless, and that isn't a lot of security anyway. On Sun, 24 Nov 2002 02:11:54-0500 Jerry McBride <[EMAIL PROTECTED]> wrote: > On Sun, 24 Nov 2002 00:13:52 -0500 "Brett I. Holcomb" > <[EMAIL PROTECTED]> wrote: > > > Jerry, what do we need to look out for as far as security goes for > > NFS systems? I was of the understanding NFS can have security > > problems. > > > > > > If it's firewalled, the only security concern is internal. If you open > the firewall up for access by clients across the network, you open > yourself for all kinds of trouble as NFS transactions are totally "in > the clear". And I got news for you... samba ain't much better. :') > > NFS falls easy victim to any hacker that can sniff a packet and > arrange a spoof attack. > > I found a wonderfully content rich article covering the fine points of > hardening your NFS connections via ssh at Sys Admin Magazine... > > If I may quote: > > "The main problems with NFS are that it relies on the inherently > insecure UDP protocol, transactions are not encrypted, hosts and users > cannot be easily authenticated, and its difficulty in firewalling..." > > The complete article covering the fine points of hardening your NFS > connections via ssh is at: > http://www.samag.com/documents/s=4072/sam0203d/sam0203d.htm > > > > -- > > ********************************************************************* > ********* > Registered Linux User Number 185956 > http://groups.google.com/groups?hl=en&safe=off&group=linux > Join me in chat at #linux-users on irc.freenode.net > 12:41am up 1 day, 2:25, 3 users, load average: 0.20, 0.28, > 0.28 > _______________________________________________ > Linux-users mailing list > [EMAIL PROTECTED] > Unsubscribe/Suspend/Etc -> > http://www.linux-sxs.org/mailman/listinfo/linux-users
msg08883/pgp00000.pgp
Description: PGP signature
