Garry T. Williams wrote: > On Tuesday 20 June 2006 04:31, Keith G. Robertson-Turner wrote: >> Dan wrote: >>> I have an FC5 server which has exported /home via NFS. Client >>> machines automount /home. >> Using /home as a network share is inherently insecure, > What does that mean? Threats To Server Security https://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-risk-serv.html ###### "Inherently Insecure Services Even the most vigilant organization that does their job well and keeps up with their daily responsibilities can fall victim to vulnerabilities if the services they choose for their network are inherently insecure. There are certain services that were developed under the assumption that they will be used over trusted networks; however, this assumption falls short as soon as the service becomes available over the Internet. <...> Another example of insecure services are network file systems and information services such as NFS or NIS which are developed explicitly for LAN usage but are, unfortunately, extended to include WANs (for remote users). NFS does not, by default, have any authentication or security mechanisms configured that will prevent a cracker from simply mounting the NFS share and accessing anything contained therein. NIS, as well, has vital information that must be known by every computer on a network, including passwords and file permissions, within a plain text ACSII or DBM (ASCII-derived) database. A cracker can take this database and find the passwords of each and every user on a network, including the administrator." ###### Or IOW: Private data ($HOME) should be isolated from potentially publicly accessible network shares, even if there are other security mechanisms in place to safeguard it (firewall), since those mechanisms could potentially be compromised by vulnerabilities. If that data is isolated from inherently insecure services, the risks are reduced considerably. -- K.