FC5, Firefox, NFS /home
Ralf Corsepius
rc040203 at freenet.de
Tue Jun 20 17:31:40 UTC 2006
On Tue, 2006-06-20 at 17:49 +0100, Keith G. Robertson-Turner wrote:
> Ralf Corsepius wrote:
> > On Tue, 2006-06-20 at 13:20 +0100, Keith G. Robertson-Turner wrote:
> >> Garry T. Williams wrote:
> >>> On Tuesday 20 June 2006 04:31, Keith G. Robertson-Turner wrote:
> >>>> Dan wrote:
>
> >>>>> I have an FC5 server which has exported /home via NFS. Client
> >>>>> machines automount /home.
>
> >>>> Using /home as a network share is inherently insecure,
>
> >>> What does that mean?
>
> > Paranoia :)
>
> Paranoia is a word used by people who have not *yet* been hacked. It's
> also a word used by people who have not *yet* had their house broken
> into. I take it you do lock your door when you leave your house? Does
> that make you paranoid?
>
> >> Threats To Server Security
> >>
> >> https://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-risk-serv.html
> >>
> >> ######
> >> "Inherently Insecure Services
> >>
> >> Another example of insecure services are network file systems and
> >> information services such as NFS or NIS which are developed
> >> explicitly for LAN usage but are, unfortunately, extended to
> >> include WANs (for remote users).
>
> > Note: LAN!
>
> Note: WAN!
>
> If your network can see the Internet, then the Internet can see your
> network, and potentially everything on it.
That's what firewalls, DMZ and SELinux etc. are for.
> A firewall is only one
> barrier to intruders, and is not infallible.
True, nothing is infallible.
> Sharing any data on a LAN is inherently insecure,
Well, NFS/NIS with NFS-mounted homes have been the traditional Unix way of
networking for many (I guess for ca. 20 years) - IMO, it's not as risky
as you seem to think it is.
> but the risks are
> acceptable if the data being shared is not private and valuable, and
> the network is otherwise secured.
Exactly.
The primary risks with NFS/NIS stem from abuse inside of a LAN (spying
on data, passwords, trojans etc.). IMO, the risks of being intruded from
the outside (WAN) are not much higher than on any network being
connected to a WAN.
> Sharing your /home directory versus
> sharing non-private data, is a bit like the difference between leaving
> an old beat up car unlocked, versus leaving a Ferrari unlocked, while
> you pop into the store. I'm quite sure there are some people who have
> no private data that they wish to protect, either from prying eyes, or
> from theft or destruction, but I am not one of them.
Sorry, NFS-shared homes don't necessarily mean "everybody can access
everything". There still are file permissions, /etc/exports controls,
network segmenting/subnetting, ACLs and/or even encryption.
> > IMO, NFS/NIS are perfectly suitable for use inside of a LAN. Of
> > course these services impose a certain level of insecurity, but at a
> > certain point paranoia has to stop and trust has to start.
>
> Take a look at your firewall or router logs. See those IPs? See the
> ports those IPs are attempting to connect to?
Yes, .. and ... firewall denies, drops ...
> The above example depends on a Windows vulnerability, but do not be
> complacent and believe this could never happen to you, just because
> you run Linux.
Of course ...
Ralf
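As an added illustration of the /etc/exports controls mentioned above (example code written for this archive page, not posted by anyone in the thread), here is a small POSIX sh audit that reads an exports-style file and flags entries that widen an NFS export beyond a LAN: a client field of `*` or no client field, `no_root_squash`, and `insecure`. The two sample files and the 192.168.10.0/24 subnet are constructed for the demo, not Dan's configuration.

```shell
#!/bin/sh
# Added example: audit an /etc/exports-style file for entries that expose an
# NFS export beyond the LAN. Findings are printed one per line and the
# finding count is the return value, so a zero exit means "nothing flagged".

audit_exports() {
  _file="$1"; _count=0
  while IFS= read -r _line || [ -n "$_line" ]; do
    _line="${_line%%#*}"                               # drop trailing comments
    case "$_line" in *[![:space:]]*) ;; *) continue ;; esac   # skip blank lines
    set -f; set -- $_line; set +f                      # split fields; -f keeps '*' from globbing
    _path="$1"; shift
    if [ $# -eq 0 ]; then
      echo "$_path: no client list, so every host may mount it"
      _count=$((_count + 1)); continue
    fi
    for _spec in "$@"; do                              # each spec is host(opts), host or (opts)
      case "$_spec" in
        *\(*) _host="${_spec%%\(*}"; _opts="${_spec#*\(}"; _opts="${_opts%\)}" ;;
        *)    _host="$_spec"; _opts="" ;;
      esac
      if [ -z "$_host" ] || [ "$_host" = "*" ]; then
        echo "$_path: client '$_host' matches every host, restrict it to the LAN subnet"
        _count=$((_count + 1))
      fi
      case ",$_opts," in *,no_root_squash,*)
        echo "$_path ($_host): no_root_squash, a remote root is root on this export"
        _count=$((_count + 1)) ;;
      esac
      case ",$_opts," in *,insecure,*)
        echo "$_path ($_host): insecure, accepts requests from unprivileged client ports"
        _count=$((_count + 1)) ;;
      esac
    done
  done < "$_file"
  return $_count
}

# Constructed sample files (hypothetical): a risky export set beside a LAN-restricted one.
write_risky_exports() {
  printf '%s\n' '/home        *(rw,sync,no_root_squash)   # open to all, no root squash' \
                '/home/guest  (ro,insecure)' \
                '/srv/pub' > "$1"
}
write_safe_exports() {
  printf '%s\n' '/home  192.168.10.0/24(rw,sync,root_squash,no_subtree_check)' > "$1"
}

tmp=$(mktemp); write_risky_exports "$tmp"; audit_exports "$tmp" || echo "findings: $?"
write_safe_exports "$tmp"; audit_exports "$tmp" && echo "findings: 0"; rm -f "$tmp"
```

The risky sample yields five findings (wildcard client, no_root_squash, empty client, insecure, missing client list); the subnet-restricted line yields none.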