Mailinglist Archive: opensuse (3156 mails)
Re: [opensuse] Re: NFS sync vs. async mounts
- From: Anders Johansson <ajh@xxxxxxxxxx>
- Date: Sun, 23 Dec 2007 19:23:48 +0100
- Message-id: <200712231923.49063.ajh@xxxxxxxxxx>
On Sunday 23 December 2007 19:12:41 Joe Sloan wrote:
> Anders Johansson wrote:
>> It is a security risk in that it's not encrypted.
>> Another problem is that the nfs server in versions 3 and below fully
>> trusts the client about user IDs. It won't put viruses on your machines,
>> but it does mean that if you don't control the root account on all
>> machines, anyone can read any file, or write to any share.
> Nah, if you use root_squash that isn't going to happen. remote nfs root
> access gets mapped to nobody, with limited rights and privileges.
I already responded to that, but ok: it only helps if root is the only one
allowed to write to the share. As soon as you have a user with write
permissions, a client can fake that user ID, because the server trusts it.
With nfs4 + kerberos, this problem doesn't exist. Users are properly
authenticated.
Anders
--
Madness takes its toll
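
The point made in this message, as an added example that is not part of the original thread: a small Python check over `/etc/exports` content that lists the exports still relying on client-asserted UIDs (`sec=sys`), which `root_squash` changes only for UID 0. The sample exports text, host names and paths are constructed; the option names are the ones documented in exports(5).

```python
# Constructed sample /etc/exports content; hosts and paths are made up.
SAMPLE_EXPORTS = """\
/srv/home    192.0.2.0/24(rw,root_squash)
/srv/pub     *(ro)                      # read-only, default flavor
/srv/build   build1.example(rw,no_root_squash,sec=sys)
/srv/secure  *.example(rw,sec=krb5p)
/srv/mixed   192.0.2.7(rw,sec=krb5:sys)
/srv/drop    192.0.2.9(rw,all_squash)
"""

def audit_exports(text):
    """List exports whose access control rests on UIDs asserted by the client.

    Returns (path, client, mode, note) tuples. Assumes one export per line and
    options inside parentheses; continuation lines and "-opts" defaults are
    not handled.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            client, _, rest = entry.partition("(")
            opts = [o for o in rest.rstrip(")").split(",") if o]
            flavors = ["sys"]                    # exports(5): sec defaults to sys
            for o in opts:
                if o.startswith("sec="):
                    flavors = o[4:].split(":")
            if "sys" not in flavors or "all_squash" in opts:
                continue     # Kerberos only, or every UID mapped to anonymous
            mode = "rw" if "rw" in opts else "ro"    # ro is the default
            if "no_root_squash" in opts:
                note = "client UIDs trusted, including root"
            else:
                note = "root is squashed, every other UID is still trusted"
            findings.append((path, client, mode, note))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("%-12s %-16s %s  %s" % finding)
```

An export that lists `sys` alongside a Kerberos flavor is still reported, because a client may pick the weaker flavor.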