Re: [DNG] NFS: was mounting /usr

2017-12-07 Thread Hendrik Boom
On Wed, Dec 06, 2017 at 09:04:39PM +, Simon Hobson wrote:
> Yevgeny Kosarzhevsky  wrote:
> 
> > Ok but this is not about NFS but about any FS that can be accessed over 
> > network.
> 
> It may help to point out something that I didn't spot when I first came 
> across NFS.
> 
> With SMB, AFS, FSoverSSH, etc, etc, etc the client authenticates to the 
> server as a specific user - and then the files accessible by that user are 
> available to the client (depending on setup, they may be accessible only to 
> the one user, or to many users).
> So if you have a multi-user client host, each user would need their own 
> mountpoint to a shared server - with access controls applied on the server 
> side.
> 
> NFS is completely different.
> The client mounts a share, and IIRC there is no authentication possible at 
> all - at least in earlier versions, not sure if it got added in later 
> versions. Once the client has mounted the share, it takes responsibility for 
> controlling access to the files.
> So when user id 1234 tries to access a file, the client host applies the 
> permissions as though it was a local disk and allows or denies the access 
> accordingly. It should be fairly obvious that if you can't trust the client 
> host (ie be sure that user ID 1234 is really John Smith from Accounting) then 
> you have no security.

What I missed when I used NFS was an ability to remap user IDs 
between client and server. You got it for root, and root only -- as 
if access to root permissions is the only restriction that is 
relevant for security.

Everyone that needed root access on any of the family's machines had 
it anyway.  We needed to protect against accidents rather than 
attacks.

-- hendrik
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] NFS: was mounting /usr

2017-12-07 Thread Didier Kryn

On 06/12/2017 at 23:20, Steve Litt wrote:
> On Tue, 5 Dec 2017 01:14:12 -0800
> Rick Moen  wrote:
>
> > > How NFS mount will make your system less secure?
> >
> > I'm not going to argue.  Study NFS.
>
> In that case, what about running Samba Server on a Linux box, running
> Samba clients on another, and having all shares on the Samba Server
> only allow members of certain groups? Would that be any more secure
> than NFS?

    AFAIR, this describes pretty much NFSv4. Very different from previous 
versions.


            Didier



Re: [DNG] NFS: was mounting /usr

2017-12-07 Thread Rowland Penny
On Wed, 6 Dec 2017 16:20:59 -0800
Rick Moen  wrote:

> Quoting Steve Litt (sl...@troubleshooters.com):
> 
> > On Tue, 5 Dec 2017 01:14:12 -0800
> > Rick Moen  wrote:
> > 
> > > > How NFS mount will make your system less secure?  
> > > 
> > > I'm not going to argue.  Study NFS.
> > 
> > In that case, what about running Samba Server on a Linux box,
> > running Samba clients on another, and having all shares on the
> > Samba Server only allow members of certain groups? 
> 
> The most obvious disadvantage is that the permission/ownership model 
> for SMB is rather different.
> https://www.samba.org/samba/docs/using_samba/ch09.html
> https://www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html
> 
> It would be... interesting, but you wouldn't like it.
> 

If you are going to quote something, quote something that is current:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland



Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Rick Moen
Quoting Steve Litt (sl...@troubleshooters.com):

> On Tue, 5 Dec 2017 01:14:12 -0800
> Rick Moen  wrote:
> 
> > > How NFS mount will make your system less secure?  
> > 
> > I'm not going to argue.  Study NFS.
> 
> In that case, what about running Samba Server on a Linux box, running
> Samba clients on another, and having all shares on the Samba Server
> only allow members of certain groups? 

The most obvious disadvantage is that the permission/ownership model 
for SMB is rather different.
https://www.samba.org/samba/docs/using_samba/ch09.html
https://www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html

It would be... interesting, but you wouldn't like it.



Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Steve Litt
On Tue, 5 Dec 2017 01:14:12 -0800
Rick Moen  wrote:

> > How NFS mount will make your system less secure?  
> 
> I'm not going to argue.  Study NFS.

In that case, what about running Samba Server on a Linux box, running
Samba clients on another, and having all shares on the Samba Server
only allow members of certain groups? Would that be any more secure
than NFS?

And yes, I am aware of the irony of my asking this question, but it's
been a long, long time, and things have changed and I've forgotten.

SteveT

Steve Litt 
December 2017 featured book: Thriving in Tough Times
http://www.troubleshooters.com/thrive


Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Simon Hobson
Yevgeny Kosarzhevsky  wrote:

> Ok but this is not about NFS but about any FS that can be accessed over 
> network.

It may help to point out something that I didn't spot when I first came across 
NFS.

With SMB, AFS, FSoverSSH, etc, etc, etc the client authenticates to the server 
as a specific user - and then the files accessible by that user are available 
to the client (depending on setup, they may be accessible only to the one user, 
or to many users).
So if you have a multi-user client host, each user would need their own 
mountpoint to a shared server - with access controls applied on the server side.

NFS is completely different.
The client mounts a share, and IIRC there is no authentication possible at all 
- at least in earlier versions, not sure if it got added in later versions. 
Once the client has mounted the share, it takes responsibility for controlling 
access to the files.
So when user id 1234 tries to access a file, the client host applies the 
permissions as though it was a local disk and allows or denies the access 
accordingly. It should be fairly obvious that if you can't trust the client 
host (ie be sure that user ID 1234 is really John Smith from Accounting) then 
you have no security.

So NFS is good where you want lots of users to access a shared set of storage 
AND you have control of all the client hosts AND you have a means of keeping 
the users in sync. You only need one share/mount and all your users can access 
it using the normal Unix file permissions model.
It obviously doesn't work when a client is not a system that really understands 
multiple users, or you can't control user IDs.

So you can probably now see why many people consider NFS to be rather insecure 
- you HAVE to trust the client to apply file permissions correctly.

As I'd learned networking on single user systems (a bit of Netware, a bit of 
Windows 3.1 and onwards, Macs from early days) I was used to the "user sits at 
machine, authenticates to server, server applies access controls" model. It 
needed someone to point out to me what the difference was with NFS before it 
made sense.



Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Daniel Abrecht
I have configured everything needed to boot using PXE using NFS as
root-filesystem at home some months ago:
http://dpa.li/pxeboot.mp4

I export the root filesystem of an lxc container read only using NFS.
It's really convenient, I can install and remove anything I want in my
lxc container, and all Systems I booted using PXE will have the new
programs immediately. At the same time, the PCs can't make any changes
on the root file systems. But I don't actually use it, I just created
that system because I can.

I guess it would be pretty useful for large companies, if it weren't
so slow and insecure. I don't think I could use kerberos in that case,
but even if I could, I wouldn't want to use it. It's just so
overcomplicated, if I could just use it over TLS or SSH directly,
without any tricks, it would be so much easier. I don't even need
encryption in my case, a simple way to check if the data came from
the correct place and weren't altered would be sufficient, but the
only thing there is to secure NFS is kerberos, the same thing used to
secure all MS stuff, the thing best used together with Active
Directory, I don't like that. I think what NFS really needs now are
simpler alternatives to kerberos.

But I don't think mounting just /usr using NFS is a good idea, not
because of NFS, but because it's technically a removable media, it may
not always be there, even worse, in this case, it may be used and
changed by other machines. I think the main problem here is that the
current package managers can't handle installing some parts of a
software on a removable media. It would be cool to be able to just
install some software on some usb sticks or something, and to add and
remove them when the software is needed, without the package manager
and possibly the rest of the system freaking out.



Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Didier Kryn

On 06/12/2017 at 12:55, Alessandro Selli wrote:
> On Wed, 6 Dec 2017 at 19:03:51 +0800
> Yevgeny Kosarzhevsky  wrote:
>
> > On 6 December 2017 at 06:54, Alessandro Selli
> > wrote:
> >
> > > > Any good reason to refuse NFS in favor of those?
> > >
> > > In short: no. Just be aware that NFS is as secure as the trusted networks
> > > it sits on. Any inside compromised machine can jeopardize the whole
> > > distributed filesystem.
> >
> > Ok but this is not about NFS but about any FS that can be accessed over
> > network.
>
>    Not quite.  NFS up to and including version 3 is plagued by serious
> security weaknesses: lack of transmission security (data is transmitted
> unencrypted over the network), lack of integrity (no check on the transmitted
> and received data is performed at the session level, and NFS v3 is often run
> over UDP) and lack of user authentication/mapping.  Most of these security
> concerns are addressed by NFSv4, which for the first time supports POSIX
> ACLs, RPC over port 2049 alone, authentication and encryption with built-in
> integrity checks.  However this way you lose the main advantage of old NFS,
> that is network efficiency, that was due to the use of UDP as the transmission
> protocol.
>
> > I am not seeing any danger with NFS especially for /usr or some volatile
> > data storage used by several systems.
>
>    I agree as long as you're using NFSv4 with good cryptography and user
> authentication enabled and firewall rules that keep out all machines that
> are not of the party.  I would only consider NFSv3 for real-time critical uses
> when I can have NFS run on a private, dedicated network that was physically
> inaccessible by any third party.  Or when I can have it run through a tunnel.
>
> > NFS is one of Linux base features and I am glad I found understanding of
> > its importance from Devuan developers together with mountable /usr over
> > NFS.
>
>    I tend to agree, but I do mind its complexity and I only deploy it when I
> need a permanent distributed filesystem between machines in the same
> private network.  And even then I never use it through WiFi connections.  For
> all other uses I go for sshfs.  My last deployment of NFS was on a DRBL
> test system, where I was using NFSv3 from a server that was
> delivering it from a physically separated, cabled network.  UDP and lack of
> cryptography were a boon for the old PentiumIII clients, but I do not
> recommend such a layout for anything serious.
>
> > As I understood, when someone says about NFS usage, most people get
> > thinking that the one is going to expose it in internet to any host.
>
>    Even in a private environment NFSv3 can lead to data sniffing/spoofing.
> Consider how widespread is the use of DSL modems and routers through
> which all data exchanged by the local machines goes, as well as the
> presence of WiFi APs.  Anything that is not secured by good cryptography,
> user authentication and solid firewall rules is a security liability in such
> an environment.


    Last time I set up such an NFS service, I found NFSV4 
overcomplicated and with a different paradigm wrt the good old NFS. I 
also got the feeling it had been hijacked by MS, and I chose NFSv3, much 
simpler and familiar. It is in a network which interconnects privately a 
few hosts sitting in the same room. Why would there be any DSL, wifi or 
what-else connected to this network? Most servers come with multiple 
NICs and connecting them with a private network is easy. The NICs on 
servers are automatically reversible (server/host), so that you can 
interconnect two servers with just one normal ethernet cable. When there 
are more, you need a switch and that's all.


    I always configure NFS to use TCP. I don't know what impact it has 
on performance. What is essential and tricky is to separate what is 
shared between hosts and what isn't. Clearly /run and part of /var/lib 
must not be shared. On diskless machines, I mount /run on tmpfs and use 
a symlink trickery crossing /run, to unshare some parts of /var/lib, 
such as hwclock, ntp, and urandom. And, of course, all syslogs are 
forwarded to a remote server.


    Didier



Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Alessandro Selli
On Wed, 6 Dec 2017 at 12:09:43 +0100
Didier Kryn  wrote:

> On 06/12/2017 at 11:53, Alessandro Selli wrote:
>> On Wed, 6 Dec 2017 at 11:38:25 +0100
>> Didier Kryn  wrote:
>>
>>> On 05/12/2017 at 23:54, Alessandro Selli wrote:
>>>> On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote:
>>>>
>>>> [...]
>>>>
>>>>> Any good reason to refuse NFS in favor of those?
>>>> In short: no. Just be aware that NFS is as secure as the trusted
>>>> networks it sits on. Any inside compromised machine can jeopardize the
>>>> whole distributed filesystem.
>>>       BTW, there's nothing secret in /usr.
>>    But you would mind a rogue node serving an NFS client of yours a
>> malicious binary executable or library in place of the original one,
>> wouldn't you? Privacy is just one, not the sole security concern.
>> Integrity is, too.
>
>      Sure. Lock the room :-)

  I just lock the network.


Alessandro



Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Alessandro Selli
On Wed, 6 Dec 2017 at 19:03:51 +0800
Yevgeny Kosarzhevsky  wrote:

> On 6 December 2017 at 06:54, Alessandro Selli 
> wrote:
>
>>
>> > Any good reason to refuse NFS in favor of those?
>>
>> In short: no. Just be aware that NFS is as secure as the trusted networks
>> it
>> sits on. Any inside compromised machine can jeopardize the whole
>> distributed
>> filesystem.
>>
>
> Ok but this is not about NFS but about any FS that can be accessed over
> network.

  Not quite.  NFS up to and including version 3 is plagued by serious
security weaknesses: lack of transmission security (data is transmitted
unencrypted over the network), lack of integrity (no check on the transmitted
and received data is performed at the session level, and NFS v3 is often run
over UDP) and lack of user authentication/mapping.  Most of these security
concerns are addressed by NFSv4, which for the first time supports POSIX
ACLs, RPC over port 2049 alone, authentication and encryption with built-in
integrity checks.  However this way you lose the main advantage of old NFS,
that is network efficiency, that was due to the use of UDP as the transmission
protocol.

> I am not seeing any danger with NFS especially for /usr or some volatile
> data storage used by several systems.

  I agree as long as you're using NFSv4 with good cryptography and user
authentication enabled and firewall rules that keep out all machines that
are not of the party.  I would only consider NFSv3 for real-time critical uses
when I can have NFS run on a private, dedicated network that was physically
inaccessible by any third party.  Or when I can have it run through a tunnel.

> NFS is one of Linux base features and I am glad I found understanding of
> its importance from Devuan developers together with mountable /usr over
> NFS.

  I tend to agree, but I do mind its complexity and I only deploy it when I
need a permanent distributed filesystem between machines in the same
private network.  And even then I never use it through WiFi connections.  For
all other uses I go for sshfs.  My last deployment of NFS was on a DRBL
test system, where I was using NFSv3 from a server that was
delivering it from a physically separated, cabled network.  UDP and lack of
cryptography were a boon for the old PentiumIII clients, but I do not
recommend such a layout for anything serious.

> As I understood, when someone says about NFS usage, most people get
> thinking that the one is going to expose it in internet to any host.

  Even in a private environment NFSv3 can lead to data sniffing/spoofing.
Consider how widespread is the use of DSL modems and routers through
which all data exchanged by the local machines goes, as well as the
presence of WiFi APs.  Anything that is not secured by good cryptography,
user authentication and solid firewall rules is a security liability in such
an environment.
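Added example, not part of the original thread and not code from any of the posters: Simon Hobson's point that the server believes whatever UID the client presents, and Alessandro Selli's list of NFSv3 weaknesses above, both correspond to concrete options in a Linux server's /etc/exports. The Python script below parses export lines and flags the entries that depend on trusting the client. The sample exports, host names and finding codes are constructed for illustration; option meanings and defaults follow exports(5), and the `-defaults` syntax and quoted paths are assumed not to be used.

```python
"""Flag /etc/exports entries that depend on trusting the NFS client."""
import re

# A client spec is host(opt,opt=value,...); either part may be missing.
SPEC_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")
INTEGRITY_FLAVORS = {"krb5i", "krb5p"}  # Kerberos with integrity / privacy

# Constructed sample, not taken from any real server.
SAMPLE_EXPORTS = """\
# shared read-only /usr for diskless clients
/srv/usr      192.0.2.0/24(ro,root_squash)
/srv/home     *(rw,no_root_squash)
/srv/mail     mail1.example.net(rw,sec=krb5p) mail2.example.net(rw,sec=krb5)
/srv/scratch  198.51.100.7(rw,insecure,all_squash,anonuid=65534,anongid=65534)
"""

EXPLANATIONS = {
    "CLIENT_UID_TRUSTED": "sec=sys: server believes the UID/GID the client sends",
    "NO_INTEGRITY": "no krb5i/krb5p: no cryptographic integrity check on traffic",
    "NO_ROOT_SQUASH": "root on the client acts as root on the export",
    "ANY_HOST": "no host restriction: any machine reaching the server may mount",
    "UNPRIVILEGED_PORT": "insecure: requests from source ports >= 1024 accepted",
}


def parse_exports(text):
    """Return a list of (path, client, options) tuples, one per client spec."""
    entries = []
    text = text.replace("\\\n", " ")            # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        path, *specs = line.split()
        # A path with no client at all is treated conservatively as
        # "any host, default options".
        for spec in specs or [""]:
            match = SPEC_RE.match(spec)
            if match is None:
                raise ValueError(f"cannot parse client spec {spec!r}")
            client, optstr = match.group(1), match.group(2) or ""
            opts = {}
            for opt in filter(None, optstr.split(",")):
                key, _, value = opt.partition("=")
                opts[key] = value
            entries.append((path, client, opts))
    return entries


def audit_entry(client, opts):
    """Return finding codes for one client spec, in a fixed order."""
    codes = []
    # exports(5): with no sec= option the flavor is sys (AUTH_SYS).
    flavors = opts.get("sec", "sys").split(":")
    # all_squash maps every caller to the anonymous ID, so the UID the
    # client claims is no longer what decides access.
    if "sys" in flavors and "all_squash" not in opts:
        codes.append("CLIENT_UID_TRUSTED")
    if any(flavor not in INTEGRITY_FLAVORS for flavor in flavors):
        codes.append("NO_INTEGRITY")
    if "no_root_squash" in opts:
        codes.append("NO_ROOT_SQUASH")
    if client in ("", "*"):
        codes.append("ANY_HOST")
    if "insecure" in opts:
        codes.append("UNPRIVILEGED_PORT")
    return codes


def audit(text):
    """Return (path, client, codes) for every client spec in the text."""
    return [(path, client, audit_entry(client, opts))
            for path, client, opts in parse_exports(text)]


if __name__ == "__main__":
    for path, client, codes in audit(SAMPLE_EXPORTS):
        print(f"{path} -> {client or '(any host)'}")
        for code in codes:
            print(f"    {code}: {EXPLANATIONS[code]}")
        if not codes:
            print("    no findings")
```

Only the `sec=krb5p` entry comes back clean; the read-only `/srv/usr` export is still flagged because nothing protects the binaries it serves from being altered on the wire.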


Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Didier Kryn

On 06/12/2017 at 11:53, Alessandro Selli wrote:
> On Wed, 6 Dec 2017 at 11:38:25 +0100
> Didier Kryn  wrote:
>
> > On 05/12/2017 at 23:54, Alessandro Selli wrote:
> > > On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote:
> > >
> > > [...]
> > >
> > > > Any good reason to refuse NFS in favor of those?
> > >
> > > In short: no. Just be aware that NFS is as secure as the trusted networks
> > > it sits on. Any inside compromised machine can jeopardize the whole
> > > distributed filesystem.
> >
> >       BTW, there's nothing secret in /usr.
>
>    But you would mind a rogue node serving an NFS client of yours a malicious
> binary executable or library in place of the original one, wouldn't you?
>    Privacy is just one, not the sole security concern.  Integrity is, too.


    Sure. Lock the room :-)

                Didier



Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Yevgeny Kosarzhevsky
On 6 December 2017 at 06:54, Alessandro Selli 
wrote:

>
> > Any good reason to refuse NFS in favor of those?
>
> In short: no. Just be aware that NFS is as secure as the trusted networks
> it
> sits on. Any inside compromised machine can jeopardize the whole
> distributed
> filesystem.
>

Ok but this is not about NFS but about any FS that can be accessed over
network.
I am not seeing any danger with NFS especially for /usr or some volatile
data storage used by several systems.
NFS is one of Linux base features and I am glad I found understanding of
its importance from Devuan developers together with mountable /usr over
NFS.

As I understood, when someone says about NFS usage, most people get
thinking that the one is going to expose it in internet to any host.

-- 
Regards,
Yevgeny


Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Alessandro Selli
On Wed, 6 Dec 2017 at 11:38:25 +0100
Didier Kryn  wrote:

> On 05/12/2017 at 23:54, Alessandro Selli wrote:
> > On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote:
> >
> > [...]
> >  
> >> Any good reason to refuse NFS in favor of those?  
> > In short: no. Just be aware that NFS is as secure as the trusted networks
> > it sits on. Any inside compromised machine can jeopardize the whole
> > distributed filesystem.  
>      BTW, there's nothing secret in /usr.

  But you would mind a rogue node serving an NFS client of yours a malicious
binary executable or library in place of the original one, wouldn't you?
  Privacy is just one, not the sole security concern.  Integrity is, too.


Alessandro


Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Didier Kryn

On 05/12/2017 at 23:54, Alessandro Selli wrote:
> On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote:
>
> [...]
>
> > Any good reason to refuse NFS in favor of those?
>
> In short: no. Just be aware that NFS is as secure as the trusted networks it
> sits on. Any inside compromised machine can jeopardize the whole distributed
> filesystem.

    BTW, there's nothing secret in /usr.

    Didier



Re: [DNG] NFS: was mounting /usr

2017-12-05 Thread Alessandro Selli
On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote:

[...]

> Any good reason to refuse NFS in favor of those?

In short: no. Just be aware that NFS is as secure as the trusted networks it
sits on. Any inside compromised machine can jeopardize the whole distributed
filesystem.

Alessandro


Re: [DNG] NFS: was mounting /usr

2017-12-05 Thread Yevgeny Kosarzhevsky
On 5 December 2017 at 18:16, Arnt Gulbrandsen 
wrote:

> Yevgeny Kosarzhevsky writes:
>
>> I don't see that it will give lower security than any other FS in this
>> case.
>>
>
> Rick is trying to say: NFS has a poor reputation for accidental security
> misconfigurations. Something about the way NFS is configured leads even
> careful, clueful people to make configuration mistakes.
>
> NFS doesn't force you to make a mistake. Not at all. It just has a
> reputation for being a bit of a trouble magnet.
>
> Don't Xen and its friends offer read-only device exports from the host? So
> the guest kernel can read a device from the host, but not modify it?
>

What is the reason to use it instead of NFS, especially if you run multiple
hardware units? It will also need special utilities and won't work without
some guest additions.
Any good reason to refuse NFS in favor of those?

-- 
Regards,
Yevgeny


Re: [DNG] NFS: was mounting /usr

2017-12-05 Thread Arnt Gulbrandsen

Yevgeny Kosarzhevsky writes:

> I don't see that it will give lower security than any other FS in this case.


Rick is trying to say: NFS has a poor reputation for accidental security 
misconfigurations. Something about the way NFS is configured leads even 
careful, clueful people to make configuration mistakes.


NFS doesn't force you to make a mistake. Not at all. It just has a 
reputation for being a bit of a trouble magnet.


Don't Xen and its friends offer read-only device exports from the host? So 
the guest kernel can read a device from the host, but not modify it?


Arnt



Re: [DNG] NFS: was mounting /usr

2017-12-05 Thread Rick Moen
Quoting Yevgeny Kosarzhevsky (phao...@gmail.com):

> For me NFS is helpful in cluster environments where each machine is a
> replica of another one and they share the same data.

It's terrific for that.  

I used to construct HPC clusters of that general description when I
worked at VA Linux Systems and at California Digital Corporation, both
of those being Linux hardware vendors.

Your HPC clusters would of course live on a protected inside network.
Part of the reason for that is that NFS is a bit of a security risk.

> I don't see that it will give lower security than any other FS in this case.

OK, I believe you.  You don't see it.

But I'm still not going to spend time arguing.



Re: [DNG] NFS: was mounting /usr

2017-12-05 Thread Yevgeny Kosarzhevsky
On 5 December 2017 at 17:14, Rick Moen  wrote:

>
> By 'nougat security model', I meant a network security model that is
> fragile because of having no defence in depth, highly vulnerable in the
> interior and defended only at the borders.  This is a very widespread
> problem, e.g., at many corporations that have total faith in their
> firewalls and horribly dangerous practices behind it.
>

Thanks but you are talking about another case of NFS appliance which I did
not consider.
For me NFS is helpful in cluster environments where each machine is a
replica of another one and they share the same data.
I don't see that it will give lower security than any other FS in this case.
And the ability to export /usr in r/o mode will give higher security than
local /usr mount.

-- 
Regards,
Yevgeny


Re: [DNG] NFS: was mounting /usr

2017-12-05 Thread Rick Moen
Quoting Yevgeny Kosarzhevsky (phao...@gmail.com):

> I don't know what's a 'nougat' security model, however I don't
> understand what you mean.

This was a semi-serious, semi-joke reference:  Honestly, 'nougat' (orig.
from the Latin 'nux' meaning nut, arriving in English via Occitan and
then French) might not have been exactly the right English-language
word, but I meant a type of confection with a hard shell and a very soft
interior.  (I'm not much of a sweets person.)

By 'nougat security model', I meant a network security model that is
fragile because of having no defence in depth, highly vulnerable in the
interior and defended only at the borders.  This is a very widespread
problem, e.g., at many corporations that have total faith in their
firewalls and horribly dangerous practices behind it.

The use of NFS is arguably reasonable behind perimeter security, but
should be noted as somewhat of a weak point within the inside network.
As I was saying upthread, NFSv4 has improved this situation somewhat
over its predecessors.

> How NFS mount will make your system less secure?

I'm not going to argue.  Study NFS.



Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Yevgeny Kosarzhevsky
On 5 December 2017 at 14:21, Rick Moen  wrote:

> Quoting Didier Kryn (k...@in2p3.fr):
>
> > the NFS connection across the world-wide Internet; it is always on a
> > LAN and, given this, I don't see how it can be insecure.
>   ^^
> Ah, the 'nougat' model of security;  hard on the exterior only, soft and
> easily digestible once you get inside.  Bon appetit!


I don't know what's a 'nougat' security model, however I don't understand
what you mean.
If you get in the system with local /usr you can write there with root
access.
How would you write to read-only /usr mount in the same case?
How NFS mount will make your system less secure?


Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Rick Moen
Quoting Didier Kryn (k...@in2p3.fr):

> I heard that YP aka NIS was a horrible security threat. NFS is
> certainly not very secure either. But nobody considers establishing
> the NFS connection across the world-wide Internet; it is always on a
> LAN and, given this, I don't see how it can be insecure.
   ^^

Ah, the 'nougat' model of security;  hard on the exterior only, soft and
easily digestible once you get inside.  Bon appetit!


Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Rick Moen
Quoting k...@aspodata.se (k...@aspodata.se):

> Sun's Yellow Pages is called NIS since a long time ago.

And NIS is lately spelled 'LDAP'.  ;->

NFSv4 is better and less gratuitously firewall-hostile than versions in
days of yore.

I still would carefully avoid exposing any NFS (what we traditionally 
called Nightmare File System, No Friggin' Security) to public networks.



Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Didier Kryn

On 04/12/2017 at 20:30, Steve Litt wrote:
> Back in my youth, the wise men told me that NFS was a horrible security
> threat unless you also used YP, which was too sophisticated for me to
> ever figure out. So these days I use sshfs, which is nice, but slower
> than a turtle dragging a railroad engine.
>
> Is NFS still a security problem? Does it still have that issue where
> you never knew what port it would listen on? Do you still need YP, and
> is YP as monumentally difficult as I remember it being?
>
> Are a lot of you using NFS? Do you feel safe doing so?


    I heard that YP aka NIS was a horrible security threat. NFS is 
certainly not very secure either. But nobody considers establishing the 
NFS connection across the world-wide Internet; it is always on a LAN 
and, given this, I don't see how it can be insecure.


        Didier




Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Yevgeny Kosarzhevsky
On 5 December 2017 at 03:30, Steve Litt  wrote:

>
> Are a lot of you using NFS? Do you feel safe doing so?
>

Yes it happens in trusted networks. I don't see any additional security
threat in this case.
I also use it in some multiple virtual machines setup to minimize hard
drive usage.
It can also be considered a trusted environment.

-- 
Regards,
Yevgeny


Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Arnt Gulbrandsen

Steve Litt writes:

> It appears you're using NFS.
>
> Back in my youth, the wise men told me that NFS was a horrible security
> threat unless you also used YP, which was too sophisticated for me to
> ever figure out.


That's a long time ago and the world has changed.

Back then, the big problem was that people used "world-readable" and even 
"world-writable" settings, then the world turned out to be a big 
place. Someone with UID 1026 somewhere could come along and read/write all 
the files belonging to the intended UID 1026.


I remember NFS-mounting someone's file systems on another continent and 
snarfing ungodly amounts of porn, it must have been in 1990 or 1991.


The world has changed. Packet filters and firewalls are now the default. 
The risk that someone can come and impersonate UID 1026 isn't a major 
factor these days.


Arnt



Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Simon Hobson
Steve Litt  wrote:

> Back in my youth, the wise men told me that NFS was a horrible security
> threat unless you also used YP, which was too sophisticated for me to
> ever figure out. So these days I use sshfs, which is nice, but slower
> than a turtle dragging a railroad engine.
> 
> Is NFS still a security problem? Does it still have that issue where
> you never knew what port it would listen on? Do you still need YP, and
> is YP as monumentally difficult as I remember it being?
> 
> Are a lot of you using NFS? Do you feel safe doing so?

At my last place I used NFS to share a mailstore between several mail servers - 
no problems. It was quite a few years ago that I set it up, and I no longer 
have access to the systems since they made me redundant, but I'm sure I nailed 
it down to fixed ports.



Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread karl
Steve Litt:
> On Mon, 4 Dec 2017 23:12:59 +0800
> Yevgeny Kosarzhevsky  wrote:
...
> > ~# ldd /sbin/mount.nfs|grep usr
> 
> It appears you're using NFS.
> 
> Back in my youth, the wise men told me that NFS was a horrible security
> threat unless you also used YP, which was too sophisticated for me to
> ever figure out. So these days I use sshfs, which is nice, but slower
> than a turtle dragging a railroad engine.

Sun's Yellow Pages is called NIS since a long time ago.

> Is NFS still a security problem?

NFS security model treated hosts, network and root as trusted, which
doesn't match the reality today. Maybe nfs v4 and kerberos solves part
of the problems.
 If you don't trust the network, perhaps running it over a tunnel will
help.

> Does it still have that issue where you never knew what port it
> would listen on?

You use portmap for that.

> Do you still need YP, and is YP as monumentally difficult as I
> remember it being?

I don't think you ever needed nis.
If you want help with nis, please ask on the list.

> Are a lot of you using NFS? Do you feel safe doing so?

It happens, not regularly.

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57




[DNG] NFS: was mounting /usr

2017-12-04 Thread Steve Litt
On Mon, 4 Dec 2017 23:12:59 +0800
Yevgeny Kosarzhevsky  wrote:

> Hello,
> 
> I am unable to mount empty /usr on jessie. Is there any workaround or
> should I keep some files there?
> Or is there any build for libgssapi-krb5-2 to keep its files in /lib?
> 
> ~# ldd /sbin/mount.nfs|grep usr

It appears you're using NFS.

Back in my youth, the wise men told me that NFS was a horrible security
threat unless you also used YP, which was too sophisticated for me to
ever figure out. So these days I use sshfs, which is nice, but slower
than a turtle dragging a railroad engine.

Is NFS still a security problem? Does it still have that issue where
you never knew what port it would listen on? Do you still need YP, and
is YP as monumentally difficult as I remember it being?

Are a lot of you using NFS? Do you feel safe doing so?

Thanks,

SteveT

Steve Litt 
November 2017 featured book: Troubleshooting: Just the Facts
http://www.troubleshooters.com/tjust