
Re: nfs exports



On Mon, Nov 22, 2004 at 01:03:47AM -0600, Casey Boone wrote:
> the userlists are the same for each box (as both have my normal user
> account as the only account not created during the install, so both
> have uid of 500)

FWIW, using LDAP/NIS/whatever is the "right" way to have the user
lists in sync.

> what are the security implications of using nfs?

NFS has no authentication other than IP address checking, and you know
how easy it is to spoof an IP.  (You can do some real authentication
with Kerberos, but, honestly, Kerberos frightens me.)  It is also
completely unencrypted, so anyone on the wire can sniff your NFS
traffic.

Arguably the right way to solve both problems is to use IPsec or some
other strong crypto on the wire between the systems.  Whether it is
really worth it is left as an exercise for the reader.  ;-)

> i also want the root user to have access to the shares just like they
> are local drive mounts (ie being able to override permissions and
> whatnot).

Add "no_root_squash" to the appropriate lines in /etc/exports.  Using
that option means that anyone running as root on a box with an IP that
your server allows access from can control everything, but when you
think about it, they can pretty much do that anyway.  (They can su to
any UID they want, and can then control files owned by that UID.)  All
"root_squash" (the default) really means is "no chown".

Yes, NFS really does mean "No F*ing Security", but it is fast and
trivial to set up, so it is still the most useful network-based
filesystem on Linux IMHO.

Steve
-- 
steve@silug.org           | Southern Illinois Linux Users Group
(618)398-3000             | See web site for meeting details.
Steven Pritchard          | http://www.silug.org/
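
Added example, not part of the original message: a small audit of /etc/exports-style text that reports which exports carry the "no_root_squash" option discussed above and which are open to any host, since the client address is the only check NFS applies here. The sample file, its hosts and paths, and the function names are constructed for illustration.

```python
import re

# Constructed sample in /etc/exports syntax (hosts and paths are made up).
SAMPLE_EXPORTS = """\
# home directories for the workstation
/home      192.168.1.20(rw,no_root_squash)
/srv/pub   *(ro) 192.168.1.0/24(rw,root_squash)
/backup    (rw,no_root_squash)
/scratch   192.168.1.20
"""

# One client spec: optional host/network, optional "(opt,opt,...)".
SPEC = re.compile(r"^(?P<client>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for every client spec on every line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC.match(spec)
            if m is None:
                continue                      # not a spec this sketch understands
            # A bare "(options)" with no host applies to every client.
            client = m.group("client") or "*"
            opts = {o for o in (m.group("opts") or "").split(",") if o}
            yield path, client, opts


def audit(text):
    """Return (path, client, finding) tuples for risky export settings."""
    findings = []
    for path, client, opts in parse_exports(text):
        # root_squash is the default, so only an explicit opt-out is flagged.
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))
        if client == "*":
            findings.append((path, client, "any-host"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit(SAMPLE_EXPORTS):
        print(f"{path:10} {client:18} {finding}")
```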
