On Sunday 23 December 2007 19:12:41 Joe Sloan wrote:
> Anders Johansson wrote:
>> It is a security risk in that it's not encrypted.
>> Another problem is that the nfs server in versions 3 and below fully trusts the client about user IDs. It won't put viruses on your machines, but it does mean that if you don't control the root account on all machines, anyone can read any file, or write to any share.
>
> Nah, if you use root_squash that isn't going to happen. Remote nfs root access gets mapped to nobody, with limited rights and privileges.

I already responded to that, but ok: it only helps if root is the only one allowed to write to the share. As soon as you have a user with write permissions, a client can fake that user ID, because the server trusts it. With nfs4 + kerberos, this problem doesn't exist. Users are properly authenticated.

Anders

-- 
Madness takes its toll
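
Added example, not part of the original thread: a small audit of an exports file that lists every writable export still accepting the default `sys` security flavor, which is the case discussed above where the server believes the UID the client sends. It assumes the plain `path client(options)` form of exports(5); the sample content and the function name `audit_exports` are constructed for illustration.

```python
# Constructed sample /etc/exports content (not taken from the thread).
SAMPLE_EXPORTS = """\
# constructed example
/srv/public   192.168.1.0/24(ro,root_squash)
/srv/home     192.168.1.0/24(rw,root_squash)
/srv/scratch  *(rw,all_squash,anonuid=65534)
/srv/secure   *.example.org(rw,sec=krb5p:krb5i)
/srv/mixed    10.0.0.5(rw,sec=sys:krb5) 10.0.0.6(rw,no_root_squash)
"""

def audit_exports(text):
    """Return (path, client, finding) for each writable export that accepts
    AUTH_SYS, where the server trusts the client-supplied user ID."""
    findings = []
    text = text.replace("\\\n", " ")            # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host, _, rest = client.partition("(")
            opts = [o for o in rest.rstrip(")").split(",") if o]
            flavors = ["sys"]                   # default when sec= is absent
            for opt in opts:
                if opt.startswith("sec="):
                    flavors = opt[4:].split(":")
            if "rw" not in opts or "sys" not in flavors:
                continue                        # read-only, or Kerberos only
            if "all_squash" in opts:
                continue  # every UID maps to the anonymous user; none to fake
            if "no_root_squash" in opts:
                finding = "client root is accepted as root"
            else:
                finding = ("root_squash remaps only UID 0; "
                           "any other client-supplied UID is trusted")
            findings.append((path, host or "*", finding))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {finding}")
```
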