primm wrote:
nfs is good, it mostly just works. But v3 has drawbacks in security, so
if you're not in total control of the network, it might not be so good
nfsv4 + kerberos can provide real authentication and encryption though,
so you still don't have to abandon nfs
4 years ago it cost me two days work and a 300 Euro installation cost
from an engineer who also sold me the licences for my workstations. That
was w2000.
It was plagued by viruses and most of my hardware wan't recognised so I
had to fork out for new machines too. 5000 Euros later.
I'm now reading that Linux nfs which I installed by yast all by myself is
also a security risk.
It is a security risk in that it's not encrypted.
Another problem is that the nfs server in versions 3 and below fully trusts
the client about user IDs. It won't put viruses on your machines, but it
does mean that if you don't control the root account on all machines,
anyone can read any file, or write to any share.
What? So, I login as me. There is no way nfs will let me write to the folders
of other users.
Unless you have root access, and create a second username with the
same UID as a legitimate user.
Unless the other user has given me permission to do so.
Or you have root access and give yourself permssion to
do so.
This one reason (among many) why root passwords should NEVER
be given to non-admins -- even those who are competant enough
to not screw things up...are also competant enough to become
security threats in other ways.
> What
do you mean by 'control the root account on all machines'? No one else other
than me can login as root on any box on my network.
In many large companies, MANY people have the root
password, and they are changed frequently in case
any admin momentarily falls prey to the (sometimes
very great) temptation to just give a knowledgeable
and competant user the root password so he can "fix
the problem himself."
> Could you please tell me
if need to change my filesystem? What version of nfs do I have if I have
opensuse version 10.3? Yes. I know I can find out. But please don't tell me
where to stuff it.
You're perfectly secure. As long as you keep the
root password to yourself, or an employee whose ONLY
job is to be an admin, then the security weakness of
NFS doesn't apply to you. (As soon as you give an
admin additional responsibilities, there is a very
great temptation for the admin to configure the
system to his benefit at the expense of the other
employees, and therefore to you, the owner).
Lynn x
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
