[K12OSN] nfs-mounted home -- security?

Dan Young dyoung at mesd.k12.or.us
Thu Jun 8 21:19:12 UTC 2006


Jim Kronebusch wrote:
> On Thu, 08 Jun 2006 08:20:19 -0700, Dan Young wrote
>> Rob Owens wrote:
>>> If /home is nfs-mounted, what's to stop somebody with
>>> a linux laptop from hooking up to the network,
>>> creating a local user with a UID of say, 510, and then
>>> accessing the /home files of whoever normally is
>>> assigned UID 510?
>> They don't call it "No F-ing Security" for nothing! ;-)
>>
>> At least you could restrict the exported mount to the network or
>> hosts you control with something like:
>>
>>   /home   192.168.0.0/255.255.0.0(rw,async)
> 
> I am sure that in order to use UID 510 and gain access to the user's NFS mount
> one would also have to know the password, and in that case, no protocol is
> secure.  I don't think you can just say I'm user 510 and gain access to any
> system without matching the password.

That is, in fact, how it works. You control what networks/hosts can
mount the FS, but after that the connecting host provides a UID, and the
NFS server says "yes/no" based on that and only that. As Les said, if I
bring in my own box, I can create a local user w/ whatever UID I want.
That's all for NFSv3 and prior; NFSv4 can do GSSAPI for security.

That's why I said you should ideally control authentication on all hosts
which can mount the FS.

http://nfs.sourceforge.net/nfs-howto/security.html

-- 
Dan Young <dyoung at mesd.k12.or.us>
Multnomah ESD - Technology Services
503-257-1562
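
The following audit sketch is an added example, not part of the original message: it parses an exports file and flags entries where the server still accepts AUTH_SYS (client-asserted UIDs), the behaviour described in the reply above. It assumes Linux exports(5) syntax, including the `sec=` option with `sys` as the default flavor; the sample entries are constructed, with the first mirroring the line quoted in the thread.

```python
import re

# Constructed sample /etc/exports (first entry mirrors the line quoted in the thread).
SAMPLE_EXPORTS = """\
/home        192.168.0.0/255.255.0.0(rw,async)
/srv/secure  *.example.internal(rw,sync,sec=krb5p)
/scratch     *(rw,no_root_squash)
/mixed       10.0.0.5(rw,sec=krb5:sys)
/oops        10.0.0.6 (rw)   # stray space: "(rw)" becomes a separate, host-less entry
"""

# host part, then an optional parenthesised option list
SPEC_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")


def audit_exports(text):
    """Return [(path, client, [findings])] for every client spec in an exports file."""
    report = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.split("#", 1)[0].strip()             # drop comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.match(spec)
            if not m:
                report.append((path, spec, ["unparseable client spec"]))
                continue
            host, opts = m.group(1), (m.group(2) or "").split(",")
            findings = []
            # sec= lists the allowed flavors separated by ':'; without it, sys applies.
            flavors = ["sys"]
            for opt in opts:
                if opt.startswith("sec="):
                    flavors = opt[4:].split(":")
            if "sys" in flavors:
                findings.append("AUTH_SYS allowed: server trusts the UID the client sends")
            if host in ("", "*"):
                findings.append("any host may mount")
            if "no_root_squash" in opts:
                findings.append("no_root_squash: client root acts as root on the export")
            report.append((path, host or "<any>", findings))
    return report


if __name__ == "__main__":
    for path, client, findings in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {'; '.join(findings) or 'ok'}")
```

An entry with no findings permits only Kerberos flavors, so a mounting host cannot simply assert a UID.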



