Re: NFS, how to make it secure (spoofing etc)

From: DLA (dougga@attbi.com)
Date: 06/28/02


From: DLA <dougga@attbi.com>
Date: Fri, 28 Jun 2002 21:01:49 GMT

I'm very interested in this thread

I'm curious as to what people think about the performance and ease of
integration of the other secure products listed above.

Namely, what are the performance hits associated with these products? Can
you run database applications and the like over mounted volumes using
these tools? How easy are these to install and manage for large client
bases?
                Performance Ease of Install Enterprise Ready DB Compatible
InterMezzo...
FS..........
CODA........
AFS.........
Open AFS....

Much thanks for any info on the above!

~Doug

On Thu, 27 Jun 2002 08:47:18 -0700, Tim Haynes wrote:

> Reiner Griess <mynewnews@gmx.net> writes:
>
>> I'm asking myself what the best way is to secure a nfs server.
>
> Don't ask us, we'll say the best way is to turn it off.
>
>> The NFS howto has not helped so far. As you know it is easy to get
>> access to nfs shares, if the nfs client user has root access on the
>> client machine (first spoof ip address, then add the users and groups
>> needed to access nfs shares on the server).
>
> You could solve half the problem with a) mapping all uids/gids to a
> fixed low-priv user on the server b) keeping all daemons up to date
> (witness portmapper)
>
> but you've still got fundamental problems of plaintext and stuff.
>
>> Are there more secure alternatives to nfs?
>
> I understand there's SFS. Investigate that instead.
>
> ~Tim
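
On a Linux NFS server, one way to do the uid/gid mapping from point (a) in the quoted reply is the `all_squash`, `anonuid` and `anongid` export options; the following added example (not part of either post) audits a constructed `/etc/exports` for entries that still trust client-supplied ids. The sample paths, addresses and the `audit_exports` helper are assumptions, and the parser handles only simple `path host(options)` lines.

```python
# Constructed sample exports file; paths and addresses are illustrative only.
SAMPLE_EXPORTS = """\
# constructed sample, not from the thread
/srv/projects 192.0.2.10(rw,sync,no_root_squash)
/srv/home 192.0.2.0/24(rw,sync)
/srv/drop 192.0.2.0/24(rw,sync,all_squash,anonuid=65534,anongid=65534)
/srv/bad 192.0.2.0/24(rw,all_squash,anonuid=0)
"""


def parse_options(spec):
    """Split 'host(opt,key=value)' into (host, {opt: value})."""
    host, _, rest = spec.partition("(")
    opts = {}
    for item in rest.rstrip(")").split(","):
        if item:
            key, _, value = item.partition("=")
            opts[key] = value
    return host or "*", opts


def audit_exports(text):
    """Return (line_no, path, client, issue) for weak id-squashing settings."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or ["*"]:  # no client list means any host
            host, opts = parse_options(spec)
            if "no_root_squash" in opts:
                # root on the client is root on the export
                findings.append((line_no, path, host, "NO_ROOT_SQUASH"))
            if "all_squash" not in opts:
                # non-root uids/gids asserted by the client are accepted as-is
                findings.append((line_no, path, host, "UIDS_TRUSTED"))
            elif opts.get("anonuid") == "0" or opts.get("anongid") == "0":
                # everyone is squashed, but onto root rather than a low-priv user
                findings.append((line_no, path, host, "SQUASH_TO_ROOT"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("line %d: %s for %s -> %s" % finding)
```

A clean result covers only the id-mapping half of the problem; the plaintext transport raised in the same reply is unaffected by these options.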


