FC5, Firefox, NFS /home

Keith G. Robertson-Turner fedora-gmane.00002 at genesis-x.nildram.co.uk
Tue Jun 20 16:49:09 UTC 2006


Ralf Corsepius wrote:
 > On Tue, 2006-06-20 at 13:20 +0100, Keith G. Robertson-Turner wrote:
 >> Garry T. Williams wrote:
 >>> On Tuesday 20 June 2006 04:31, Keith G. Robertson-Turner wrote:
 >>>> Dan wrote:

 >>>>> I have an FC5 server which has exported /home via NFS. Client
 >>>>> machines automount /home.

 >>>> Using /home as a network share is inherently insecure,

 >>> What does that mean?

 > Paranoia :)

Paranoia is a word used by people who have not *yet* been hacked. It's
also a word used by people who have not *yet* had their house broken
into. I take it you do lock your door when you leave your house? Does
that make you paranoid?

 >> Threats To Server Security
 >> https://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-risk-serv.html
 >>
 >> ######
 >> "Inherently Insecure Services
 >>
 >> Another example of insecure services are network file systems and
 >> information services such as NFS or NIS which are developed
 >> explicitly for LAN usage but are, unfortunately, extended to
 >> include WANs (for remote users).

 > Note: LAN!

Note: WAN!

If your network can see the Internet, then the Internet can see your
network, and potentially everything on it. A firewall is only one
barrier to intruders, and is not infallible.

Sharing any data on a LAN is inherently insecure, but the risks are
acceptable if the data being shared is not private and valuable, and
the network is otherwise secured. Sharing your /home directory versus
sharing non-private data, is a bit like the difference between leaving
an old beat up car unlocked, versus leaving a Ferrari unlocked, while
you pop into the store. I'm quite sure there are some people who have
no private data that they wish to protect, either from prying eyes, or
from theft or destruction, but I am not one of them.

 > IMO, NFS/NIS are perfectly suitable for use inside of a LAN. Of
 > course these services impose a certain level of insecurity, but at a
 > certain point paranoia has to stop and trust has to start.

Take a look at your firewall or router logs. See those IPs? See the
ports those IPs are attempting to connect to? See the origin of those
IPs? At what point exactly do you start trusting Russian Mafia
pharmaceutical traders, attempting to break into your machine, to use
it as an open relay for spam, or to steal your Personally Identifiable
Data, or contact lists? Am I being paranoid? Are you sure?

 > You don't wear a hardhat and a bullet-proof suit at home, do
 > you?  Uhh, beware, your wife has access to knives ... ;)

The difference is, that I chose to live with my wife, and share
everything with her. I do *not* choose to share my life and the
contents of my /home directory with Chinese hackers or Russian
Blackmailers.

http://news.bbc.co.uk/1/hi/england/manchester/5034384.stm

The above example depends on a Windows vulnerability, but do not be
complacent and believe this could never happen to you, just because
you run Linux.

--
K.



