[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] nfs-mounted home -- security?



Jim Kronebusch wrote:
> On Thu, 08 Jun 2006 08:20:19 -0700, Dan Young wrote
>> Rob Owens wrote:
>>> If /home is nfs-mounted, what's to stop somebody with
>>> a linux laptop from hooking up to the network,
>>> creating a local user with a UID of say, 510, and then
>>> accessing the /home files of whoever normally is
>>> assigned UID 510?
>> They don't call it "No F-ing Security" for nothing! ;-)
>>
>> At least you could restrict the exported mount to the network or 
>> hosts you control with something like: /home   
>>  192.168.0.0/255.255.0.0(rw,async)
> 
> I am sure that in order to use UID 510 and gain access to the users NFS mount
> one would also have to know the password, and in that case, no protocol is
> secure.  I don't think you can just say I'm user 510 and gain access to any
> system without matching the password.

That is, in fact, how it works. You control what networks/hosts can
mount the FS, but after that the connecting host provides a UID, and the
NFS server says "yes/no" based on that and only that. As Les said, if I
bring in my own box, I can create a local user w/ whatever UID I want.
That's all for NFSv3 and prior; NFSv4 can do GSSAPI for security.

That's why I said you should ideally control authentication on all hosts
which can mount the FS.

http://nfs.sourceforge.net/nfs-howto/security.html

-- 
Dan Young <dyoung mesd k12 or us>
Multnomah ESD - Technology Services
503-257-1562


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]