Re: NFS NIS and security

From: Juha Laiho (Juha.Laiho@iki.fi)
Date: 05/24/02


Ramamurthy Badrinath <Ramamurthy.Badrinath@irisa.fr> said:
>I have a unix file server and wish to export some directories to a
>client, sharing the NIS domain with the server.

Ok.

>It seems that a superuser on the client machine can su to an arbitrary
>NIS account, without providing password. So the root on the client has
>access to all the directories exported from the server to this client.

Correct.

>Isn't this a security risk, if I have no control over the superuser on
>the client?

It is. NFS and NIS are intended for use only in scenarios where the root
account on all the machines is controlled by the same person/group. If
a local user at an NFS client has root access, much of the security is
lost. Also, depending on the setup, an NFS client can be compromised by
having root account on the NFS server (when only having a non-root
account on the client).

>Is there a way around this?

Not with NFS. There are filesystems that address these problems (among
others), but they're not in widespread use. If you truly need these,
read up on AFS and DFS.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
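
Added example, not part of the original post: a parser for the AUTH_SYS (AUTH_UNIX) credential that classic NFS clients attach to each RPC call, laid out as in RFC 5531 appendix A, showing that the server receives only client-asserted numeric ids and no proof of identity. The `server_identity` function is a simplified model assumed here, patterned on the Linux `root_squash` export option; `sample_cred` and the host name `client1` are constructed for the demonstration.

```python
import struct

def parse_auth_sys(body: bytes) -> dict:
    """Decode an XDR-encoded AUTH_SYS credential body (RFC 5531, appendix A)."""
    off = 0

    def u32() -> int:
        nonlocal off
        if off + 4 > len(body):
            raise ValueError("truncated credential")
        (value,) = struct.unpack_from(">I", body, off)
        off += 4
        return value

    stamp, name_len = u32(), u32()
    if name_len > 255:
        raise ValueError("machinename longer than 255 bytes")
    padded = (name_len + 3) & ~3          # XDR pads opaque data to 4 bytes
    if off + padded > len(body):
        raise ValueError("truncated machinename")
    name = body[off:off + name_len].decode("ascii", "replace")
    off += padded
    uid, gid, ngids = u32(), u32(), u32()
    if ngids > 16:
        raise ValueError("more than 16 supplementary gids")
    gids = [u32() for _ in range(ngids)]
    if off != len(body):
        raise ValueError("trailing bytes after credential")
    # Note what is absent: no password, ticket or signature of any kind.
    return {"stamp": stamp, "machinename": name,
            "uid": uid, "gid": gid, "gids": gids}

def server_identity(cred: dict, root_squash: bool = True, anon: int = 65534):
    """Simplified model (assumption): only id 0 is remapped, all else is trusted."""
    uid, gid = cred["uid"], cred["gid"]
    if root_squash:
        uid = anon if uid == 0 else uid
        gid = anon if gid == 0 else gid
    return (uid, gid)

def sample_cred(uid: int, gid: int, host: bytes = b"client1") -> bytes:
    """Constructed sample input: the bytes a client sends for one user."""
    pad = b"\0" * (-len(host) % 4)
    return (struct.pack(">II", 1, len(host)) + host + pad
            + struct.pack(">III", uid, gid, 0))

if __name__ == "__main__":
    for ids in ((0, 0), (1001, 100)):
        cred = parse_auth_sys(sample_cred(*ids))
        print(cred, "-> server acts as", server_identity(cred))
```

In this model a call carrying uid 0 is squashed to the anonymous id, while a call carrying uid 1001 is served as that user, and nothing in the credential lets the server tell which process on the client produced it.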