[K12OSN] nfs-mounted home -- security?

Les Mikesell les at futuresource.com
Thu Jun 8 21:05:15 UTC 2006


On Thu, 2006-06-08 at 15:53 -0500, Jim Kronebusch wrote:
> On Thu, 08 Jun 2006 08:20:19 -0700, Dan Young wrote
> > Rob Owens wrote:
> > > If /home is nfs-mounted, what's to stop somebody with
> > > a linux laptop from hooking up to the network,
> > > creating a local user with a UID of say, 510, and then
> > > accessing the /home files of whoever normally is
> > > assigned UID 510?
> > 
> > They don't call it "No F-ing Security" for nothing! ;-)
> > 
> > At least you could restrict the exported mount to the network or
> > hosts you control with something like:
> >
> > /home 192.168.0.0/255.255.0.0(rw,async)
> 
> I am sure that in order to use UID 510 and gain access to the user's NFS mount
> one would also have to know the password, and in that case, no protocol is
> secure.  I don't think you can just say I'm user 510 and gain access to any
> system without matching the password.

If you can be root on the local box (bring your own, boot it with
knoppix, hit the F-something key on an LTSP client with a shell
enabled on a virtual console, etc.) you can pretend to be anyone
else with no password and access anyone else's files that you
can NFS-mount to that box.  It would be best to use a separate network
for the k12ltsp server -> NFS home server connection if possible
and limit the nfs connections to that range.  Or at least restrict
access to the known IP addresses of the servers that are supposed
to mount it.

-- 
   Les Mikesell
     les at futuresource.com
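
One way to check an exports file against the advice in this thread (limit the export to the known IP addresses of the servers that are supposed to mount it). This is an added example, not part of the original messages; the server address 192.168.0.254, the sample file contents and the function names are constructed for illustration.

```python
import ipaddress

# Assumption: the only host that should mount /home (constructed address).
KNOWN_SERVERS = {"192.168.0.254"}

# Constructed sample in /etc/exports syntax. Line 1 is the entry quoted in the thread.
SAMPLE_EXPORTS = """\
/home 192.168.0.0/255.255.0.0(rw,async)   # whole network may mount
/home 192.168.0.254(rw,async)             # one known server
/home 192.168.0.254 (rw,async)            # stray space: options apply to any host
"""

def classify_client(client, known):
    """Return a finding string, or None if the client is a single known server."""
    if client == "" or any(c in client for c in "*?["):
        return "wildcard or empty client"
    if client.startswith("@"):
        return "netgroup: membership not checked here"
    try:
        # Accepts both addr/prefix and addr/netmask notation.
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "hostname: depends on name resolution"
    if net.num_addresses > 1:
        return f"network of {net.num_addresses} addresses"
    if str(net.network_address) not in known:
        return "address not in known-server list"
    return None

def audit_exports(text, known):
    """List (line, path, client, finding) for every export entry that admits
    more than the known servers. Simplification: no quoted paths and no
    backslash line continuations."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or [""]:          # a bare path exports to any host
            client = spec.split("(", 1)[0]  # text before the option list
            why = classify_client(client, known)
            if why:
                findings.append((lineno, path, client or "<any>", why))
    return findings

if __name__ == "__main__":
    for lineno, path, client, why in audit_exports(SAMPLE_EXPORTS, KNOWN_SERVERS):
        print(f"line {lineno}: {path} -> {client}: {why}")
```

Because the server trusts whatever UID the client presents, every address an entry admits is a host whose local root can read any user's files, so each finding is a candidate for narrowing to a single server address.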
