On Sunday 23 December 2007 19:12:41 Joe Sloan wrote:
> Anders Johansson wrote:
> > It is a security risk in that it's not encrypted.
> >
> > Another problem is that the nfs server in versions 3 and below fully
> > trusts the client about user IDs. It won't put viruses on your machines,
> > but it does mean that if you don't control the root account on all
> > machines, anyone can read any file, or write to any share.
>
> Nah, if you use root_squash that isn't going to happen. Remote nfs root
> access gets mapped to nobody, with limited rights and privileges.

I already responded to that, but ok: it only helps if root is the only one
allowed to write to the share. As soon as you have a user with write
permissions, a client can fake that user ID, because the server trusts it.

With nfs4 + kerberos, this problem doesn't exist. Users are properly
authenticated.

Anders

--
Madness takes its toll
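
An added example, not part of the original message: a small audit that flags `/etc/exports` entries still accepting `sec=sys`, where `root_squash` only remaps UID 0 and every other user ID is taken from the client. It assumes a simplified exports syntax (no quoted paths, line continuations or `-` default options), and the sample entries are constructed.

```python
import re

# Constructed sample /etc/exports content (not taken from the thread).
SAMPLE_EXPORTS = """\
# constructed example
/srv/home    192.0.2.0/24(rw,root_squash)
/srv/pub     *(ro,root_squash)
/srv/secure  *.example.org(rw,sec=krb5p)
/srv/mixed   198.51.100.7(rw,sec=sys:krb5,no_root_squash) backup.example.org(ro,sec=krb5i)
"""

# One "client(opt,opt,...)" token; an empty client means "any host".
CLIENT_RE = re.compile(r"^(?P<client>[^()\s]*)\((?P<opts>[^()]*)\)$")

def audit_exports(text):
    """Return [(path, client, issues)] for exports that accept AUTH_SYS."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for tok in clients:
            m = CLIENT_RE.match(tok)
            client, opts = (m["client"] or "*", m["opts"].split(",")) if m else (tok, [])
            opts = [o.strip() for o in opts if o.strip()]
            flavors = set()
            for o in opts:
                if o.startswith("sec="):
                    flavors.update(o[4:].split(":"))
            if not flavors:
                flavors = {"sys"}             # exports(5): sec=sys is the default
            if "sys" not in flavors:
                continue                      # Kerberos only: users are authenticated
            access = "rw" if "rw" in opts else "ro"
            issues = [f"{access} with sec=sys: server trusts client-supplied user IDs"]
            if "no_root_squash" in opts:
                issues.append("no_root_squash: client root keeps UID 0 on the server")
            findings.append((path, client, issues))
    return findings

if __name__ == "__main__":
    for path, client, issues in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: " + "; ".join(issues))
```

Entries limited to `krb5`, `krb5i` or `krb5p` are not reported; an entry listing `sys` alongside a Kerberos flavor is, because a client can still choose `sys`.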
