Re: tlug: NFS question
- To: tlug@example.com
- Subject: Re: tlug: NFS question
- From: Frank Bennett <bennett@example.com>
- Date: 19 Oct 1998 10:14:28 +0900
- Content-Type: text/plain; charset=US-ASCII
- In-Reply-To: Karl-Max Wagner's message of "Sat, 17 Oct 1998 22:34:57 +0000 (GMT)"
- References: <199810172234.WAA00616@example.com>
- Reply-To: tlug@example.com
- Sender: owner-tlug@example.com
Karl-Max has apparently unsubscribed himself from the list, so this is a bit in the way of postscript (no pun intended).

Karl-Max Wagner <karlmax@example.com> writes:

> You can do that. It is, however, inherently insecure. NFS being
> what it is you have already to restrict the act of exportation
> of directories as much as possible. I admit that my way is
> somewhat more difficult to administer, but it offers at least a
> minimum of security.

I don't see what extra security is gained in this way: all users have access to the /etc/passwd file locally, and that tells them everything they need to know to crack all user directories, if they can obtain root access to any machine on (or added to) the network.

> > To protect against this, I figure that each subdirectory needs a
> > file like ~/.checkname, owned by root but readable to everyone
> > else. The /etc/profile script that runs before ~/.bash_profile
> > will check the content of this, and compare it with the result of
> > "whoami". If there's a discrepancy, the server knows that the
> > user is spoofing his identity, and script issues an immediate
> > "exit", killing the shell.
> >
> > Can anyone see obvious holes in this?
>
> Easy. Just rename your client to have an identity that fits and
> you're in business.

A moment's further reflection would have told me this was the case --- oops. It does indeed look as though NFS is going to be an open shop if we opt for that. Bother.

> One more reason to switch to SSH / SSL.

A URL or other reference would have been useful. Can anyone indicate in a few words what SSH / SSL _are_?

Cheers,
--
-x80
Frank G Bennett, Jr @@
Faculty of Law, Nagoya Univ () email: bennett@example.com
Tel: +81[(0)52]789-2239 () WWW: http://rumple.soas.ac.uk/~bennett/
---------------------------------------------------------------
Next Nomikai: 20 November, 19:30 Tengu TokyoEkiMae 03-3275-3691
Next Meeting: 12 December, 12:30 Tokyo Station Yaesu central gate
---------------------------------------------------------------
Sponsor: PHT, makers of TurboLinux http://www.pht.co.jp
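
The advice quoted in this message to restrict exports as much as possible can be checked mechanically. The following is an added example, not part of the original post: a small auditor for an exports file, assuming Linux exports(5) syntax, with a constructed sample and hypothetical names (`audit_exports`, `SAMPLE_EXPORTS`). Note that `root_squash` only remaps uid 0; every other UID is still taken on the client's word, so the list of hosts allowed to mount is the control that matters.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# home directories for the lab
/home        *(rw,no_root_squash)
/home/staff  192.0.2.0/24(rw,root_squash)
/pub         trusted.example.com (rw)
/scratch     *.example.com(ro,insecure)
"""

# One client entry: optional host spec, optional "(opt,opt,...)" suffix.
ENTRY_RE = re.compile(r"([^\s()]*)(?:\(([^()]*)\))?")


def audit_exports(text):
    """Return sorted (path, client, finding) tuples for risky export entries."""
    findings = set()
    text = text.replace("\\\n", " ")            # join continuation lines
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        # A path with no client list at all is exported to everyone.
        path, entries = fields[0], fields[1:] or [""]
        for entry in entries:
            m = ENTRY_RE.fullmatch(entry)
            if m is None:
                findings.add((path, entry, "unparsable entry"))
                continue
            client = m.group(1)
            label = client or "<any>"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            if client in ("", "*"):
                # "host (rw)" with a space parses as host + anonymous "(rw)"
                findings.add((path, label, "exported to every host"))
            elif "*" in client or "?" in client:
                findings.add((path, label, "wildcard host pattern"))
            if "no_root_squash" in opts:
                findings.add((path, label, "client root kept as uid 0"))
            if "insecure" in opts:
                findings.add((path, label, "unprivileged source ports allowed"))
    return sorted(findings)


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:22} {finding}")
```

The `/pub` line shows the classic whitespace pitfall: the space before `(rw)` exports the directory read-write to every host, not just to the named one.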