Mailinglist Archive: opensuse (3156 mails)
Re: [opensuse] Re: NFS sync vs. async mounts
- From: Joe Sloan <joe@xxxxxxxxxx>
- Date: Sun, 23 Dec 2007 10:38:26 -0800
- Message-id: <476EAB22.8040503@xxxxxxxxxx>
Anders Johansson wrote:
> On Sunday 23 December 2007 19:12:41 Joe Sloan wrote:
>> remote nfs root
>> access gets mapped to nobody, with limited rights and privileges.
>
> I already responded to that, but ok: it only helps if root is the only one
> allowed to write to the share. As soon as you have a user with write
> permissions, a client can fake that user ID, because the server trusts it.

Yes, I saw your response to the other guy after I'd already responded -
I was talking about remote root access, which is disabled with the
root_squash setting, but it is true that root on the remote machine can
become any other user, which is a real problem unless you control the
root account on the machines you trust.

In the type of environment lynn was talking about, I don't imagine it
would be a problem to control the root account though.

> With nfs4 + kerberos, this problem doesn't exist. Users are properly
> authenticated

Hopefully that or something like it will become the standard nfs setup.

Joe
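An added example, not part of the original thread: a small audit of `/etc/exports` content that flags the two situations discussed above, namely exports with `no_root_squash` and writable exports that still use the default `sec=sys`, where the server accepts whatever UID the client asserts. The function name, sample paths and hosts are constructed for illustration, and the parser assumes one export per line without quoted paths or default-option lines.

```python
import re

# Constructed sample /etc/exports content (paths and hosts are made up).
SAMPLE_EXPORTS = """\
# constructed example
/srv/home    192.0.2.0/24(rw,sync,root_squash)
/srv/build   buildhost.example(rw,no_root_squash,sync)
/srv/secure  *.example(rw,sync,sec=krb5p)
/srv/pub     *(ro,all_squash)
"""

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}


def audit_exports(text):
    """Return (path, client, finding) tuples for exports that trust client-asserted IDs."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for entry in clients:
            m = re.fullmatch(r"([^()]*)\(([^()]*)\)", entry)
            # An entry without (...) uses the defaults: ro, root_squash, sec=sys.
            client, opts = (m.group(1) or "*", set(m.group(2).split(","))) if m else (entry, set())
            # sec= takes a colon-separated list; when absent the flavor is sys.
            sec = next((o[4:].split(":") for o in opts if o.startswith("sec=")), ["sys"])
            kerberized = all(flavor in KRB_FLAVORS for flavor in sec)
            if "no_root_squash" in opts:
                findings.append((path, client,
                                 "no_root_squash: uid 0 from the client is not mapped to nobody"))
            if not kerberized and "rw" in opts and "all_squash" not in opts:
                findings.append((path, client,
                                 "rw with sec=sys: root on the client can act as any non-root UID"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {finding}")
```

Note that `/srv/home` is flagged even though it sets `root_squash`, because squashing only remaps uid 0 and leaves every other client-supplied UID trusted.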