Re: FC5, Firefox, NFS /home

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2006-06-20 at 17:49 +0100, Keith G. Robertson-Turner wrote:
> Ralf Corsepius wrote:
>  > On Tue, 2006-06-20 at 13:20 +0100, Keith G. Robertson-Turner wrote:
>  >> Garry T. Williams wrote:
>  >>> On Tuesday 20 June 2006 04:31, Keith G. Robertson-Turner wrote:
>  >>>> Dan wrote:
> 
>  >>>>> I have an FC5 server which has exported /home via NFS. Client
>  >>>>> machines automount /home.
> 
>  >>>> Using /home as a network share is inherently insecure,
> 
>  >>> What does that mean?
> 
>  > Paranoia :)
> 
> Paranoia is a word used by people who have not *yet* been hacked. It's
> also a word used by people who have not *yet* had their house broken
> into. I take it you do lock your door when you leave your house? Does
> that make you paranoid?
> 
>  >> Threats To Server Security
>  >> 
> https://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-risk-serv.html
>  >>
>  >> ######
>  >> "Inherently Insecure Services
>  >>
>  >> Another example of insecure services are network file systems and
>  >> information services such as NFS or NIS which are developed
>  >> explicitly for LAN usage but are, unfortunately, extended to
>  >> include WANs (for remote users).
> 
>  > Note: LAN!
> 
> Note: WAN!
> 
> If your network can see the Internet, then the Internet can see your
> network, and potentially everything on it. 
That's what firewalls, DMZ and SELinux etc. are for.

> A firewall is only one
> barrier to intruders, and is not infallible.
True, nothing is infallible.

> Sharing any data on a LAN is inherently insecure,
Well, NFS/NIS with NFS mounted homes are the traditional unix way for
networking for many (I guess for ca. 20 years) - IMO, it's not as risky
as you seem to think it is.

>  but the risks are
> acceptable if the data being shared is not private and valuable, and
> the network is otherwise secured.
Exactly.

The primary risks with NFS/NIS stem from abuse inside of a LAN (spying
on data, passwords, trojans etc.). IMO, the risks of being intruded from
the outside (WAN) are not much higher than on any network being
connected to a WAN.

>  Sharing your /home directory versus
> sharing non-private data, is a bit like the difference between leaving
> an old beat up car unlocked, versus leaving a Ferrari unlocked, while
> you pop into the store. I'm quite sure there are some people who have
> no private data that they wish to protect, either from prying eyes, or
> from theft or destruction, but I am not one of them.
Sorry, NFS shared homes doesn't necessarily mean "everybody can access
everything". There still are file permissions, /etc/export controls,
network segmenting/subnetting, acls and or even encryption.

>  > IMO, NFS/NIS are perfectly suitable for use inside of a LAN. Of
>  > cause these services impose a certain level on insecurity, but at a
>  > certain point paranoia has to stop and trust has to start.
> 
> Take a look at your firewall or router logs. See those IPs? See the
> ports those IPs are attempting to connect to?
Yes, .. and ... firewall denies, drops ...

> The above example depends on a Windows vulnerability, but do not be
> complacent and believe this could never happen to you, just because
> you run Linux.
Of cause ... 

Ralf



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux