Re: [DNG] NFS: was mounting /usr

2017-12-07 Thread Hendrik Boom
On Wed, Dec 06, 2017 at 09:04:39PM +, Simon Hobson wrote: > Yevgeny Kosarzhevsky wrote: > > > Ok but this is not about NFS but about any FS that can be accessed over > > network. > > It may help to point out something that I didn't spot when I first came > across NFS. >

Re: [DNG] NFS: was mounting /usr

2017-12-07 Thread Didier Kryn
On 06/12/2017 at 23:20, Steve Litt wrote: On Tue, 5 Dec 2017 01:14:12 -0800 Rick Moen wrote: How NFS mount will make your system less secure? I'm not going to argue. Study NFS. In that case, what about running Samba Server on a Linux box, running Samba clients on

Re: [DNG] NFS: was mounting /usr

2017-12-07 Thread Rowland Penny
On Wed, 6 Dec 2017 16:20:59 -0800 Rick Moen wrote: > Quoting Steve Litt (sl...@troubleshooters.com): > > > On Tue, 5 Dec 2017 01:14:12 -0800 > > Rick Moen wrote: > > > > > > How NFS mount will make your system less secure? > > > > > > I'm not going

Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Rick Moen
Quoting Steve Litt (sl...@troubleshooters.com): > On Tue, 5 Dec 2017 01:14:12 -0800 > Rick Moen wrote: > > > > How NFS mount will make your system less secure? > > > > I'm not going to argue. Study NFS. > > In that case, what about running Samba Server on a Linux box,

Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Steve Litt
On Tue, 5 Dec 2017 01:14:12 -0800 Rick Moen wrote: > > How NFS mount will make your system less secure? > > I'm not going to argue. Study NFS. In that case, what about running Samba Server on a Linux box, running Samba clients on another, and having all shares on the

Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Simon Hobson
Yevgeny Kosarzhevsky wrote: > Ok but this is not about NFS but about any FS that can be accessed over > network. It may help to point out something that I didn't spot when I first came across NFS. With SMB, AFS, FSoverSSH, etc, etc, etc the client authenticates to the

Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Daniel Abrecht
I have configured everything needed to boot using PXE using NFS as root-filesystem at home some months ago: http://dpa.li/pxeboot.mp4 I export the root filesystem of an lxc container read only using NFS. It's really convenient, I can install and

Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Didier Kryn
On 06/12/2017 at 12:55, Alessandro Selli wrote: On Wed, 6 Dec 2017 at 19:03:51 +0800 Yevgeny Kosarzhevsky wrote: On 6 December 2017 at 06:54, Alessandro Selli wrote: Any good reason to refuse NFS in favor of those? In short: no. Just be

Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Alessandro Selli
On Wed, 6 Dec 2017 at 12:09:43 +0100 Didier Kryn wrote: > On 06/12/2017 at 11:53, Alessandro Selli wrote: >> On Wed, 6 Dec 2017 at 11:38:25 +0100 >> Didier Kryn wrote: >> >>> On 05/12/2017 at 23:54, Alessandro Selli wrote: On 05/12/2017 at 11:46,

Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Alessandro Selli
On Wed, 6 Dec 2017 at 19:03:51 +0800 Yevgeny Kosarzhevsky wrote: > On 6 December 2017 at 06:54, Alessandro Selli > wrote: > >> >> > Any good reason to refuse NFS in favor of those? >> >> In short: no. Just be aware that NFS is as secure as the

Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Didier Kryn
On 06/12/2017 at 11:53, Alessandro Selli wrote: On Wed, 6 Dec 2017 at 11:38:25 +0100 Didier Kryn wrote: On 05/12/2017 at 23:54, Alessandro Selli wrote: On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote: [...] Any good reason to refuse NFS in favor of those? In

Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Yevgeny Kosarzhevsky
On 6 December 2017 at 06:54, Alessandro Selli wrote: > > > Any good reason to refuse NFS in favor of those? > > In short: no. Just be aware that NFS is as secure as the trusted networks > it > sits on. Any inside compromised machine can jeopardize the whole >

Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Alessandro Selli
On Wed, 6 Dec 2017 at 11:38:25 +0100 Didier Kryn wrote: > On 05/12/2017 at 23:54, Alessandro Selli wrote: > > On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote: > > > > [...] > > > >> Any good reason to refuse NFS in favor of those? > > In short: no. Just be aware that NFS

Re: [DNG] NFS: was mounting /usr

2017-12-06 Thread Didier Kryn
On 05/12/2017 at 23:54, Alessandro Selli wrote: On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote: [...] Any good reason to refuse NFS in favor of those? In short: no. Just be aware that NFS is as secure as the trusted networks it sits on. Any inside compromised machine can jeopardize the

Re: [DNG] NFS: was mounting /usr

2017-12-05 Thread Alessandro Selli
On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote: [...] > Any good reason to refuse NFS in favor of those? In short: no. Just be aware that NFS is as secure as the trusted networks it sits on. Any inside compromised machine can jeopardize the whole distributed filesystem. Alessandro

Re: [DNG] NFS: was mounting /usr

2017-12-05 Thread Yevgeny Kosarzhevsky
On 5 December 2017 at 18:16, Arnt Gulbrandsen wrote: > Yevgeny Kosarzhevsky writes: > >> I don't see that it will give lower security than any other FS in this >> case. >> > > Rick is trying to say: NFS has a poor reputation for accidental security > misconfigurations.

Re: [DNG] NFS: was mounting /usr

2017-12-05 Thread Arnt Gulbrandsen
Yevgeny Kosarzhevsky writes: I don't see that it will give lower security than any other FS in this case. Rick is trying to say: NFS has a poor reputation for accidental security misconfigurations. Something about the way NFS is configured leads even careful, clueful people to make

Re: [DNG] NFS: was mounting /usr

2017-12-05 Thread Rick Moen
Quoting Yevgeny Kosarzhevsky (phao...@gmail.com): > For me NFS is helpful in cluster environments where each machine is a > replica of another one and they share the same data. It's terrific for that. I used to construct HPC clusters of that general description when I worked at VA Linux

Re: [DNG] NFS: was mounting /usr

2017-12-05 Thread Yevgeny Kosarzhevsky
On 5 December 2017 at 17:14, Rick Moen wrote: > > By 'nougat security model', I meant a network security model that is > fragile because of having no defence in depth, highly vulnerable in the > interior and defended only at the borders. This is a very widespread > problem,

Re: [DNG] NFS: was mounting /usr

2017-12-05 Thread Rick Moen
Quoting Yevgeny Kosarzhevsky (phao...@gmail.com): > I don't know what's a 'nougat' security model, however I don't > understand what you mean. This was a semi-serious, semi-joke reference: Honestly, 'nougat' (orig. from the Latin 'nux' meaning nut, arriving in English via Occitan and then

Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Yevgeny Kosarzhevsky
On 5 December 2017 at 14:21, Rick Moen wrote: > Quoting Didier Kryn (k...@in2p3.fr): > > > the NFS connection across the world-wide Internet; it is always on a > > LAN and, given this, I don't see how it can be insecure. >

Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Rick Moen
Quoting Didier Kryn (k...@in2p3.fr): > I heard that YP aka NIS was a horrible security threat. NFS is > certainly not very secure either. But nobody considers establishing > the NFS connection across the world-wide Internet; it is always on a > LAN and, given this, I don't see how it can be

Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Rick Moen
Quoting k...@aspodata.se (k...@aspodata.se): > Sun's Yellow Pages is called NIS since a long time ago. And NIS is lately spelled 'LDAP'. ;-> NFSv4 is better and less gratuitously firewall-hostile than versions in days of yore. I still would carefully avoid exposing any NFS (what we

Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Didier Kryn
On 04/12/2017 at 20:30, Steve Litt wrote: Back in my youth, the wise men told me that NFS was a horrible security threat unless you also used YP, which was too sophisticated for me to ever figure out. So these days I use sshfs, which is nice, but slower than a turtle dragging a railroad

Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Yevgeny Kosarzhevsky
On 5 December 2017 at 03:30, Steve Litt wrote: > > Are a lot of you using NFS? Do you feel safe doing so? > Yes it happens in trusted networks. I don't see any additional security threat in this case. I also use it in some multiple virtual machines setup to minimize

Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Arnt Gulbrandsen
Steve Litt writes: It appears you're using NFS. Back in my youth, the wise men told me that NFS was a horrible security threat unless you also used YP, which was too sophisticated for me to ever figure out. That's a long time ago and the world has changed. Back then, the big problem was that

Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread Simon Hobson
Steve Litt wrote: > Back in my youth, the wise men told me that NFS was a horrible security > threat unless you also used YP, which was too sophisticated for me to > ever figure out. So these days I use sshfs, which is nice, but slower > than a turtle dragging a

Re: [DNG] NFS: was mounting /usr

2017-12-04 Thread karl
Steve Litt: > On Mon, 4 Dec 2017 23:12:59 +0800 > Yevgeny Kosarzhevsky wrote: ... > > ~# ldd /sbin/mount.nfs|grep usr > > It appears you're using NFS. > > Back in my youth, the wise men told me that NFS was a horrible security > threat unless you also used YP, which was too

[DNG] NFS: was mounting /usr

2017-12-04 Thread Steve Litt
On Mon, 4 Dec 2017 23:12:59 +0800 Yevgeny Kosarzhevsky wrote: > Hello, > > I am unable to mount empty /usr on jessie. Is there any workaround or > should I keep some files there? > Or is there any build for libgssapi-krb5-2 to keep its files in /lib? > > ~# ldd