Zane C.B. wrote:
On Tue, 11 Apr 2006 13:08:10 -0500
Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
Note in particular that anyone who has root access on a client
(or can boot a knoppix CD) can pretend to be anyone else in
regard to the NFS server file permissions.
Yup, which is why you only want to use it in secure environments. It is
great for sharing stuff between servers. You can tell the NFS server to
remap root, but this largely useless though.
Usually, they're called "trusted" environments, which is different from
a "secure" environment. In a traditional NFS environment, you must
trust each workstation to which you export a filesystem, and to some
extent, you probably need to trust the users, too.
NFSv4 has made advances in that area, utilizing RPCSEC_GSS to provide
security in hostile environments (See chapter 11):
http://www.nluug.nl/events/sane2000/papers/pawlowski.pdf
Less technical discussion here:
http://blogs.sun.com/roller/page/erickustarz?entry=nfsmapid_domain
Some interesting Linux-specific configuration documentation here:
http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html
