Re: nfs help?

Tim:
>> If I am user 500, username Tim on one box, and export /home to another,
>> I really also want to be user 500, on the second box.  Then, I can
>> access my files on both PCs.  And, that mount is handled by root.

Ambrogio:
> well, is for that that NFS is considered unsure.

"Unsecure" means not safe, "unsure" means not really known.  It kinda
changes the meaning of a few things...  I don't know what would be
"unsure" about NFS.  ;-)

> I can be on your lan with my PC in which user 500 is not TIM and mount
> your home.
> SURELY, Only if /etc/exports permits that.

The default way that it works is it can't/doesn't prohibit it, and
that's why NFS earned the other nickname of standing for No Fucking
Security.  

It (foolishly) trusts the client machines to be secure in themselves,
rather than handle security at the server.  By default, and tradition
(i.e. older NFS versions) there isn't a way for NFS to restrict to
particular users.  You'd need something else, as well (e.g. Kerberos in
addition to NFS).

> I read something about NFS v4 that is capable to use some more sure
> protocol (Kerberos I think).

I've only read that v4 offers some extra security features, I haven't
got around to looking into how and why.

>> Server's /etc/exports file:
>> /home *.localdomain(rw,sync)
>> 
>> This exports part of the file system to my LAN, the /home partition, and
>> each user within that file system's home directories get exported as-is
>> (Tim's files are Tim's elsewhere, johndoe's files are his elsewhere, and
>> so on).
>> 
>> Client's /etc/fstab file:
>> server.localdomain:/home  /mnt/server/home  nfs  auto,intr,noexec,nodev
>> 
>> This mounts the export on a client machine.  Root is doing the mount,
>> but because the individual directories are owned by other people, and
>> NFS understands ownership, ownership is maintained on both sides, so
>> long as you set up the client machines with the same user IDs on both
>> sides.

> Thinking like Microsoft does (and a lot of customers do), IT admins
> think that exporting the entire home is more insecure than exporting
> a single directory.

It's certainly true that exporting a whole tree, like home, or worse,
the root, is insecure.

> So the exports is like that
> /home/user1 pc1.localdomain(rw,sync)
> /home/user2 pc2.localdomain(rw,sync)

That still wouldn't be "secure".  All that another user would have to do
to get at someone else's data, would be reconfigure their network
address to pretend to be the other PC.  For that simplistic way of
separating users, you'd have to have different interfaces per user, so a
hacker would have to repatch the server, not just change their address,
to get in.

-- 
(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
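
An added example, not part of the original post: a small checker that reads /etc/exports-style lines and flags the weaknesses discussed above (whole-tree exports, wildcard clients, and the default AUTH_SYS flavour where the server trusts client-supplied user IDs). The sample lines are constructed from the entries quoted in the thread; the /srv/secure line, the finding names, and the function name are assumptions.

```python
import re

# Constructed sample: the two export styles quoted in the post, plus one
# Kerberos-protected export (path and sec=krb5p choice are assumptions).
SAMPLE_EXPORTS = """\
/home *.localdomain(rw,sync)
/home/user1 pc1.localdomain(rw,sync)
/srv/secure pc1.localdomain(rw,sync,sec=krb5p)
"""

BROAD_PATHS = {"/", "/home"}   # whole trees the post calls insecure to export
CLIENT_RE = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

def audit_exports(text):
    """Return (path, client, finding) tuples for each weak export entry.
    Continuation lines and quoted paths are not handled."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:          # no client listed = any host
            m = CLIENT_RE.fullmatch(spec)
            if m is None:
                findings.append((path, spec, "unparseable"))
                continue
            host = m.group(1) or "*"
            opts = [o.strip() for o in (m.group(2) or "").split(",")]
            # sec= takes a colon-separated list; without it the default is sys
            flavors = [f for o in opts if o.startswith("sec=")
                       for f in o[4:].split(":")] or ["sys"]
            if path in BROAD_PATHS:
                findings.append((path, host, "broad-path"))
            if "*" in host or "?" in host:
                findings.append((path, host, "wildcard-client"))
            if "sys" in flavors:
                # AUTH_SYS: the server believes whatever UID the client sends,
                # so the host name/address is the only gate, and it is spoofable
                findings.append((path, host, "auth-sys"))
            if "no_root_squash" in opts:
                findings.append((path, host, "no-root-squash"))
    return findings

if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {host:18} {finding}")
```

The per-user export to pc1.localdomain still gets an auth-sys finding, which matches the point made in the reply: naming a single host narrows who is asked, but not who is believed.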

