On Tuesday 04 October 2005 05:37 pm, Ron Hunter-Duvar wrote:
> > > Unless you absolutely need it (e.g. have to connect to a Solaris box
> > > that doesn't run samba), disable every service that mentions NFS,
> > > because NFS has designed-in (i.e. unfixable) security holes big enough
> > > to drive a transport truck through, not to mention being unreliable
> > > (their own documentation says to not send any file bigger than 10MB via
> > > NFS, as it may be corrupted in transit!). Basically it's an obsolete,
> > > broken, piece of garbage. It shouldn't even be installed.
> >
> > What should we newbies with network problems do? Uninstall NFS entirely
> > and use Samba for Linux only computers?

If you think that security for NFS is the reason not to use it, I hardly see Samba as being a better alternative. Samba, for better or worse, is simply an open source implementation of SMB networking which was done by Microsoft, not exactly a sterling source of secure initiatives.

Some of the security problems with NFS relate to implementation, including the fact that it is routinely run via inetd, which is well known to have particular security issues related to it. Samba, which is usually implemented via a well-known port and by default has browsing enabled, would not compare any better to the most insecure implementation of NFS. These are all things that can be worked around, however, to produce a fairly secure instance of NFS.

For the record, NFS shares can be exported to specific IP addresses or ranges to prevent unauthorized access. If you do this behind a firewall, with NAT enabled and using non-routeable addresses, the NFS share is pretty much not accessible to anyone who hasn't already penetrated the machine in question, not exactly a huge security concern. About the only thing that I can think of off-hand is the fact that file permissions are carried over without specifically matching back to the originating source. However, you can disallow root access to these files which prevents someone from pushing a file with higher permissions than they should have, however, in the case of file transfers, there must be some level of trust between the transferees anyway.

I routinely use NFS to send files larger than 10MB without incident. In fact, I have used NFS as a backup mechanism to allow me to perform entire system backups without any problem.

> There may be other options I'm not aware of either. Knowing the linux
> community, there are probably several.

I wouldn't personally recommend Samba over NFS, myself. At least not for file transfers between Linux systems.
In fact, if Windows computers are not involved at all, I would actually submit that installing Samba at all is an unnecessary security risk.
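Added example, not part of the original message: a small audit of an exports file for the two settings the reply mentions, shares not restricted to specific addresses and root access left enabled. It assumes the Linux exports(5) syntax; the function name `audit_exports` and the sample entries are constructed for illustration.

```python
import re

# Constructed sample in Linux /etc/exports syntax (not from the original post).
SAMPLE_EXPORTS = """\
# path          client(options)
/srv/backup     192.168.1.10(rw,sync,root_squash)
/srv/share      192.168.1.0/24(ro,sync)
/srv/public     *(rw,sync)
/srv/admin      192.168.1.20(rw,no_root_squash)
/srv/typo       192.168.1.30 (rw)
"""

# One client entry: optional host part followed by optional "(opt,opt,...)".
ENTRY = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")


def audit_exports(text):
    """Return (line number, path, finding) tuples for risky export entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            clients = [""]  # no client listed: the share is open to every host
        for client in clients:
            m = ENTRY.match(client)
            if not m:
                findings.append((lineno, path, "unparsable client entry"))
                continue
            host = m.group(1)
            opts = (m.group(2) or "").split(",")
            # "*" or a bare "(opts)" matches any client. The bare form is what
            # a stray space between host and options produces.
            if host in ("", "*"):
                findings.append((lineno, path, "exported to any host"))
            # root_squash is the default; no_root_squash lets remote root
            # act as root on the exported files.
            if "no_root_squash" in opts:
                findings.append((lineno, path, "remote root not squashed"))
    return findings


if __name__ == "__main__":
    for lineno, path, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path}: {finding}")
```
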
