Samba and NFS need some explanations.
Gordon Messmer
yinyang at eburg.com
Tue Apr 11 18:53:59 UTC 2006
Zane C.B. wrote:
> On Tue, 11 Apr 2006 13:08:10 -0500
> Les Mikesell <lesmikesell at gmail.com> wrote:
>
>> Note in particular that anyone who has root access on a client
>> (or can boot a knoppix CD) can pretend to be anyone else in
>> regard to the NFS server file permissions.
>
> Yup, which is why you only want to use it in secure environments. It is
> great for sharing stuff between servers. You can tell the NFS server to
> remap root, but this largely useless though.
Usually, they're called "trusted" environments, which is different from
a "secure" environment. In a traditional NFS environment, you must
trust each workstation to which you export a filesystem, and to some
extent, you probably need to trust the users, too.
NFSv4 has made advances in that area, utilizing RPCSEC_GSS to provide
security in hostile environments (See chapter 11):
http://www.nluug.nl/events/sane2000/papers/pawlowski.pdf
Less technical discussion here:
http://blogs.sun.com/roller/page/erickustarz?entry=nfsmapid_domain
Some interesting Linux-specific configuration documentation here:
http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html
More information about the fedora-list
mailing list