Re: [Dorset] SMB or NFS
Hi Keith On 21/08/10 22:44, Keith Edmunds wrote: On Sat, 21 Aug 2010 22:24:15 +0100, t...@ls83.eclipse.co.uk said: The ability of a user on a client with root access being able to gain access to other users' files on an NFS server seemed like a fundamental problem when I was making this same decision. With SMB you have got much better security. Such a user only has access to other files if the exported filesystem is mounted no_root_squash (which isn't the default). I've not used NFS in anger, so am not speaking from experience, but my understanding is that on a client a user with _local_ root access can simply: #su - user then gain access to that user's files on a server (assume UID's and GID's match) - and root_squash does not help at all. See: http://tldp.org/HOWTO/NFS-HOWTO/security.html section 6.2 Cheers Tim -- Next meeting: Blandford Forum, Tuesday 2010-09-07 20:00 http://dorset.lug.org.uk/ http://www.linkedin.com/groups?gid=2645413 Chat: http://www.mibbit.com/?server=irc.blitzed.orgchannel=%23dorset List info: https://mailman.lug.org.uk/mailman/listinfo/dorset
Re: [Dorset] SMB or NFS
A correction to my last post: if you were using a network filesystem with remote authentication - for example, Samba/CIFS - it would be possible to prevent the local user with root access from accessing others' files on the server. -- Next meeting: Blandford Forum, Tuesday 2010-09-07 20:00 http://dorset.lug.org.uk/ http://www.linkedin.com/groups?gid=2645413 Chat: http://www.mibbit.com/?server=irc.blitzed.orgchannel=%23dorset List info: https://mailman.lug.org.uk/mailman/listinfo/dorset
Re: [Dorset] SMB or NFS
On 22/08/10 19:50, Keith Edmunds wrote: A correction to my last post: if you were using a network filesystem with remote authentication - for example, Samba/CIFS - it would be possible to prevent the local user with root access from accessing others' files on the server. That was my point. It seems anyone could plug a computer to which they have root access (eg a notebook brought in from home) into a network and with knowledge of UID's and GID's with NFS shares on a server they have full access to those. So I can't see how NFS can be used where any level of privacy or security is required. Tim -- Next meeting: Blandford Forum, Tuesday 2010-09-07 20:00 http://dorset.lug.org.uk/ http://www.linkedin.com/groups?gid=2645413 Chat: http://www.mibbit.com/?server=irc.blitzed.orgchannel=%23dorset List info: https://mailman.lug.org.uk/mailman/listinfo/dorset
Re: [Dorset] SMB or NFS
On 22/08/10 22:10, Ralph Corderoy wrote: Hi Tim, That was my point. It seems anyone could plug a computer to which they have root access (eg a notebook brought in from home) into a network and with knowledge of UID's and GID's with NFS shares on a server they have full access to those. If the server was willing to export to their IP address, then I think you're right. Or if they could turn off a machine that was exported to, and then use its IP address... Any decent sysadmin would know the security risks and know how to prevent root access. Allowing an authorised PC to connect is a cause for concern on any network. DHCP config and arpwatch should ensure all laptops are known/monitored. If an unknown laptop is not immediately flagged up, your security is already pants whether CIFs or NFS. John. -- Next meeting: Blandford Forum, Tuesday 2010-09-07 20:00 http://dorset.lug.org.uk/ http://www.linkedin.com/groups?gid=2645413 Chat: http://www.mibbit.com/?server=irc.blitzed.orgchannel=%23dorset List info: https://mailman.lug.org.uk/mailman/listinfo/dorset
Re: [Dorset] SMB or NFS
Hi John, If the server was willing to export to their IP address, then I think you're right. Or if they could turn off a machine that was exported to, and then use its IP address... Any decent sysadmin would know the security risks and know how to prevent root access. Allowing an authorised PC to connect is a cause for concern on any network. DHCP config and arpwatch should ensure all laptops are known/monitored. If an unknown laptop is not immediately flagged up, your security is already pants whether CIFs or NFS. The situation I was describing was so long ago as to be pre-DHCP. X terminals got an IP address from BOOTP IIRC, workstations were manually configured with a static one. But presumably a laptop could be plugged into the network, not send anything, listen to broadcast ARP requests to learn existing MAC/IP addresses, and then try and step in as one of the broadcasters. Anyway, I expect NFS host authentication for mounting has moved on from being just IP address now, or at least optionally. Cheers, Ralph. -- Next meeting: Blandford Forum, Tuesday 2010-09-07 20:00 http://dorset.lug.org.uk/ http://www.linkedin.com/groups?gid=2645413 Chat: http://www.mibbit.com/?server=irc.blitzed.orgchannel=%23dorset List info: https://mailman.lug.org.uk/mailman/listinfo/dorset
Re: [Dorset] SMB or NFS
On Sat, 21 Aug 2010 22:24:15 +0100, t...@ls83.eclipse.co.uk said: The ability of a user on a client with root access being able to gain access to other users' files on an NFS server seemed like a fundamental problem when I was making this same decision. With SMB you have got much better security. Such a user only has access to other files if the exported filesystem is mounted no_root_squash (which isn't the default). I do agree that security and access control can be managed far better with CIFS *if* it is set up correctly, which - in my experience - it seldom is. Non-scientific tests that I've done also show that CIFS is significantly faster than NFSv3. -- Next meeting: Blandford Forum, Tuesday 2010-09-07 20:00 http://dorset.lug.org.uk/ http://www.linkedin.com/groups?gid=2645413 Chat: http://www.mibbit.com/?server=irc.blitzed.orgchannel=%23dorset List info: https://mailman.lug.org.uk/mailman/listinfo/dorset