Anders Johansson wrote:
On Sunday 23 December 2007 19:12:41 Joe Sloan wrote:
remote nfs root
access gets mapped to nobody, with limited rights and privileges.
I already responded to that, but ok: it only helps if root is the only one allowed to write to the share. As soon as you have a user with write permissions, a client can fake that user ID, because the server trusts it.
Yes, I saw your response to the other guy after I'd already responded - I was talking about remote root access, which is disabled with the root_squash setting, but it is true that root on the remote machine can become any other user, which is a real problem unless you control the root account on the machines you trust. In the type of environment lynn was talking about, I don't imagine it would be a problem to control the root account though.
With nfs4 + kerberos, this problem doesn't exist. Users are properly authenticated
Hopefully that or something like it will become the standard nfs setup. Joe -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org