On Wed, Apr 06, 2005 at 12:22:26AM +1000, Jeff Waugh wrote:
> You can't talk to an NFS server set up like that with any non-root program
> in a safe and sensible manner. You can, however, set up the server to accept
> connections from unsafe ports. This is pretty reasonable if it's a read-only
> share, or you're in a trustable environment... but it's completely unsafe in
> most circumstances. :-)
Using a "trusted" port as a measure of security is unsafe under almost every
circumstance. In effect you are trusting the physical security of the subnet
plus every machine on that subnet.
Suppose someone clips a laptop (or palm pilot, or wristwatch) to a spare
ethernet outlet or jumps onto your wavelan... suddenly they have access to
a "trusted" port (and a "trusted" IP too).
> Just add "insecure" to the nfs options list on the server.
If only there was a "secure" option... *sigh*
- Tel ( http://bespoke.homelinux.net )
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
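
An added example, not part of the original messages: a small Python audit that lists every client in an exports file for which the `insecure` option discussed above is in effect, so those shares can be reviewed. The sample exports content and host names are constructed; the parser covers common exports(5) syntax (comments, line continuations, `-` default options) and does not handle quoted paths.

```python
import re

# Constructed sample /etc/exports content (not taken from the thread).
SAMPLE_EXPORTS = """\
/srv/pub      *(ro,insecure)
/srv/home     192.168.1.0/24(rw,insecure,sync)
/srv/build    buildhost(rw,sync) *(ro)
/srv/scratch  -rw,insecure \\
              lab1 lab2(ro)
"""

ENTRY = re.compile(r"^([^()]*)(?:\((.*)\))?$")  # client, optional (options)

def parse_exports(text):
    """Yield (path, client, options) for each client on each export line."""
    text = text.replace("\\\n", " ")            # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):           # defaults for later clients
                defaults = field[1:].split(",")
                continue
            client, opts = ENTRY.match(field).groups()
            yield path, client or "*", defaults + (opts.split(",") if opts else [])

def effective(options, on, off):
    """Last occurrence of on/off wins; neither present means off (the default)."""
    state = False
    for opt in options:
        if opt in (on, off):
            state = opt == on
    return state

def audit(text):
    """Return (path, client, access) for clients allowed to use ports >= 1024."""
    findings = []
    for path, client, options in parse_exports(text):
        # exports(5): "secure" (source port below 1024) is the default
        if effective(options, "insecure", "secure"):
            access = "rw" if effective(options, "rw", "ro") else "ro"
            findings.append((path, client, access))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORTS), sep="\n")
```

Entries reported as `rw` are the ones to look at first, since any unprivileged process that can reach the server may write to them.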