Re: Is there any encrypted or secure NFS?

To: debian-user@lists.debian.org
Subject: Re: Is there any encrypted or secure NFS?
From: Mark Roach <mrroach@okmaybe.com>
Date: Mon, 05 Jan 2004 23:04:09 -0500
Message-id: <[🔎] 1073361849.17136.139.camel@flmrroach.okmaybe.com>
In-reply-to: <[🔎] Pine.LNX.3.96.1040105183559.21176A-100000@Maggie.Linux-Consulting.com>
References: <[🔎] Pine.LNX.3.96.1040105183559.21176A-100000@Maggie.Linux-Consulting.com>

On Mon, 2004-01-05 at 21:48, Alvin Oga wrote:
> On Mon, 5 Jan 2004, Brett Carrington wrote:
> 
> > On Mon, Jan 05, 2004 at 09:14:27PM -0500, Mark Roach wrote:
> > > > This might be encrypted, but hardly secure, for instance if user A has 
> > > > physical access to NFS client
> > > > and user B has physical access to nfs client, what prevents user A from 
> > > > accessing user B's files through VPN?
> > > 
> > > File permissions.
> 
> wont help ...  the user has acces to their files on the other end

OK, I'm obviously missing something here. Here's what I'm hearing

NFS Server ----------- NFS Client (Home of User A and User B)

The server is exporting /home which includes /home/userA and
/home/userB. File permissions are set to 700 (or 770 with appropriate
groups) on both home directories.

The client has mounted the server's /home as /mnt/remote_homes

User A wants to access user B's files that are under
/mnt/remote_homes/userB. How are you suggesting that this is going to be
possible? 

Note: if you tell me that he is going to boot off a knoppix CD and crack
root on the box to su to userB, you must give me at least one example of
an alternative that is not susceptible to an attack by a malicious local
root

> > Even so, you'd have this problem with or without an IPSec VPN. The VPN's
> > job, in this case, is lower-layer encryption. File systems on your
> > host/NFS Client are out of the spectrum of what a VPN can do. A VPN is
> > only going to protect your data from snoopers of NFS packets.
> 
> "maybe"

[snip random security stuffs]
> - allowing nfs just makes all the snooping easier ...
> 	too many old holes - that may or may not be patched
> 
> 	nfs --> "Not For Security"
> 
> 	setting up and properly running a "secure nfs" is a whole other
> 	ballgame

NFS definitely is not the right tool for every situation. There are some
situations though, where it _is_ a good tool, and additional
circumstances where the addition of IPSEC makes it a reasonable option
when it otherwise wouldn't have been.
-- 
Mark Roach

Reply to:

Follow-Ups:
- Re: Is there any encrypted or secure NFS?
  - From: "Paul Smith" <pausmith@nortelnetworks.com>
- Re: Is there any encrypted or secure NFS?
  - From: Rohit Kumar Mehta <rohitm@engr.uconn.edu>

References:
- Re: Is there any encrypted or secure NFS?
  - From: Alvin Oga <aoga@ns.Linux-Consulting.com>

Prev by Date: Re: unable to login; pam broken?
Next by Date: ISO9660 file naming (limits)
Previous by thread: Re: Is there any encrypted or secure NFS?
Next by thread: Re: Is there any encrypted or secure NFS?
Index(es):
- Date
- Thread