Mailing List Archive

Re: tlug: NFS question




Karl-Max has apparently unsubscribed himself from the list, so
this is a bit in the way of postscript (no pun intended).

Karl-Max Wagner <karlmax@example.com> writes:

> You can do that. It is, however, inherently insecure. NFS being
> what it is you have already to restrict the act of exportation
> of directories as much as possible. I admit that my way is
> somewhat more difficult to administer, but it offers at least a
> minimum of security.

I don't see what extra security is gained in this way: all users
have access to the /etc/passwd file locally, and that tells them
everything they need to know to crack all user directories, if
they can obtain root access to any machine on (or added to) the
network.

> > To protect against this, I figure that each subdirectory needs a
> > file like ~/.checkname, owned by root but readable to everyone
> > else.  The /etc/profile script that runs before ~/.bash_profile
> > will check the content of this, and compare it with the result of
> > "whoami".  If there's a discrepancy, the server knows that the
> > user is spoofing his identity, and the script issues an immediate
> > "exit", killing the shell.
> > 
> > Can anyone see obvious holes in this?
> 
> Easy. Just rename your client to have an identity that fits and
> you're in business. 

A moment's further reflection would have told me this was the
case --- oops.  It does indeed look as though NFS is going to be
an open shop if we opt for that.  Bother.

> One more reason to switch to SSH / SSL.

A URL or other reference would have been useful.  Can anyone
indicate in a few words what SSH / SSL _are_? 

Cheers,
-- 
-x80
Frank G Bennett, Jr         @@
Faculty of Law, Nagoya Univ () email: bennett@example.com
Tel: +81[(0)52]789-2239     () WWW:   http://rumple.soas.ac.uk/~bennett/
---------------------------------------------------------------
Next Nomikai: 20 November, 19:30 Tengu TokyoEkiMae 03-3275-3691
Next Meeting: 12 December, 12:30 Tokyo Station Yaesu central gate
---------------------------------------------------------------
Sponsor: PHT, makers of TurboLinux http://www.pht.co.jp
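
The thread's conclusion is that a client-side check cannot help, because the NFS server trusts whatever identity the client machine asserts, so the exports themselves have to be restricted. As an added example (not part of the original message or the list's own code), the sketch below audits export entries for settings that widen that trust. It assumes Linux exports(5) syntax; the sample paths and hosts and the finding names (`any-host`, `rw-auth-sys`) are constructed for illustration.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# home directories
/home        *(rw,no_root_squash)
/home/staff  ws1.example.com(rw) ws2.example.com(rw,insecure)
/pub         192.168.1.0/24(ro,all_squash)
/scratch     (rw)
/srv/secure  ws1.example.com(rw,sec=krb5p)
"""

TOKEN = re.compile(r"([^()]*)(?:\(([^)]*)\))?")

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        # A path with no client list is exported to every host.
        for tok in clients or [""]:
            m = TOKEN.fullmatch(tok)
            if not m:
                continue  # malformed token, not judged here
            client = m.group(1)
            opts = {o for o in (m.group(2) or "").split(",") if o}
            flavors = ["sys"]  # AUTH_SYS is the default security flavor
            for o in opts:
                if o.startswith("sec="):
                    flavors = o[4:].split(":")
            if client in ("", "*"):
                findings.append((path, client, "any-host"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            if "insecure" in opts:
                findings.append((path, client, "insecure"))
            # Under AUTH_SYS the server believes whatever UID the client sends.
            if "rw" in opts and "sys" in flavors and "all_squash" not in opts:
                findings.append((path, client, "rw-auth-sys"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client or '<any host>':18} {finding}")
```

A named host with `rw` is still flagged as `rw-auth-sys`: restricting the client list narrows who is trusted, but root on that client can still present any UID.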

