[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Problems with root on network clients

On Fri, Nov 24, 2000 at 01:08:14PM -0400, Brad Allen wrote:
> erbenson> NFS is insecure, deal with it.
> Such as use something besides NFS that is secure; the options are thin
> and immature, but you may still look around because I have a feeling
> there may be a good match, if you're willing to sacrafice admin time
> to the task.  For instance, I'm curious if CODA has played this trick.
> They talk about distribution, security, etc.  Plus, administration of
> local disk caches could become really easy with CODA -- 4GB disk
> cache, now that's nice; it's as if you only really have one machine in
> some administrative senses.  Now, somebody tell me if I'm wrong.
> There is a whole page of Linux filesystems besides EXT2 and NFS out
> there someplace.  Find it and take a good research if you have the
> time.

note that i don't fully understand how coda works, but the impression
i get is you need a very large ammount of LOCAL disk space to hold
coda's cache/offline storage.  this to me defeats the purpose of a
network filesystem in a large number of cases (i have several machines
with not much disk, and one with lots of space, thus i export /home)

coda is also very non-trivial to administer and maintain from what i
can see.  its just not designed with small setups in mind.  NFS is a
very simple and convenient network filesystem, it just lacks any
attempt at a security infrastructure.  

> Once you make yourself vulnerable to physical host takeover and make
> yourself secure from that, you have definitely got yourself a few
> rungs up.  Otherwise, another thing I can suggest is hide the floppies
> (I mean, take them out).  Floppies are a mess anyway, and we shouldn't
> need them.  This does not make it impossible to install a new floppy.
> You could scratch out the IDE leads to the floppy cable, and make the
> machine less valuable.

they can always plug in a new IDE disk which they can boot from, have
root, mount NFS...   they could also simply bring in a laptop, see
what IP address the desktop machine has, configure thier laptop with
it and switch the network cable from the desktop to the laptop taking
over the IP address.  all NFS cares about is the source IP, not very

Ethan Benson

Attachment: pgphB6l3tzeMv.pgp
Description: PGP signature

Reply to: