>
> On Tue, Aug 24, 2010 at 8:53 AM, James <jucziz6 at gmail.com> wrote:
> I have read articles that state that NFS is insecure but those
> articles are many years old. Is it still insecure?
>

Pretty much.  NFSv4, if it ever arrives in the form of a full
implementation, could possibly be better.  NFSv4 pretty much solves all of
the caching/scaling issues inherent in NFS (theoretically a legitimate AFS
replacement) along with world hunger, etc... you get the idea.

The issue isn't the presence or absence of encryption within the filesystem
implementation, it is how NFS builds its trust models, which necessitates a
lot of extra engineering to lock down an NFS environment.  For example, any
sane NFS environment will be configured by default not to trust that a
transaction against the file system initiated by root is really root.  If
the NFS server grants mounts to any machine on the network then root on any
machine can browse your file system and start cruising for setuid binaries
to target for trojans in hopes of getting a shell on a different host.  But,
eventually you'll need to perform operations on the filesystem or files as
root, which leads to having a few machines in the environment "root
trusted".

So you have a list of "trusted hosts" - but how is identity established for
the host?  It can be host names or IP addresses - both of which can be
spoofed easily enough.  So locking down your NFS environment implies a
secure way to manage identity of both users and hosts and other network
resources.  (Kerberos?)

It's when you start thinking about large-scale NFS implementations that some
of the benefits of Active Directory manifest.  And I think in point of fact
you can use LDAP + Kerberos to harden an NFS environment.  I've seen the
conversion to using ACLs in LDAP go less than smoothly.  I'm not totally
familiar with this dimension of NFS administration so I'd suggest doing some
research.

NFS has some other limitations too due to its design, like the fact the
"last close" problem has no solution on NFSv3.  NFSv4 may be able to handle
that.  I think NFSv4 has been "right around the corner" for close to a
decade now.  It's the Duke Nuke'em Forever of file systems. ;)

-Rob
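The two weak spots Rob describes (trusting remote root, and trusting hosts by name or address alone) both show up directly in the server's exports file. Below is an added example, not part of the original post, that audits an exports file for them: a POSIX shell/awk script that flags exports open to every host, exports carrying the standard `no_root_squash` option, and exports that still accept `sec=sys` (name/IP trust) instead of a Kerberos flavour (`sec=krb5`, `krb5i`, `krb5p`). The sample `/etc/exports` content is constructed for the example; the option names are the standard ones from exports(5).

```shell
#!/bin/sh
# Constructed sample exports file (not taken from the original post).
# The first two exports are deliberately weak; the last two are hardened.
SAMPLE_EXPORTS="$(mktemp)"
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
# weak: every host may mount, remote root is honoured, AUTH_SYS only
/srv/data    *(rw,sync,no_root_squash)
# weak: a single "trusted host", but only identified by its name
/srv/build   buildhost(rw,sync,no_root_squash,sec=sys)
# hardened: named client, root squashed, Kerberos with privacy
/srv/data2   nfsclient.example.com(rw,sync,root_squash,sec=krb5p)
# hardened: subnet restricted, root squashed by default, Kerberos integrity
/srv/home    10.0.1.0/24(rw,sync,sec=krb5i)
EOF

# audit_exports FILE
# Prints one finding per weak client specification found in FILE.
audit_exports() {
    awk '
    # skip comments and blank lines
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
        path = $1
        # each remaining field is one client spec: host(opt,opt,...)
        for (i = 2; i <= NF; i++) {
            spec = $i
            host = spec; opts = ""
            if (match(spec, /\(/)) {
                host = substr(spec, 1, RSTART - 1)
                opts = substr(spec, RSTART + 1, length(spec) - RSTART - 1)
            }
            # pad with commas so option matching needs no anchors
            o = "," opts ","
            if (host == "" || host == "*")
                print path ": exported to every host (" spec ")"
            if (o ~ /,no_root_squash,/)
                print path ": remote root is trusted as root for " host
            # no Kerberos flavour at all, or sec=sys still listed alongside one
            if (o !~ /,sec=[^,]*krb5/ || o ~ /,sec=[^,]*sys/)
                print path ": accepts sec=sys, so " host " is trusted by name/IP only"
        }
    }' "$1"
}

# count_weak_exports FILE: number of findings, for scripting and tests
count_weak_exports() {
    audit_exports "$1" | wc -l | tr -d ' '
}

audit_exports "$SAMPLE_EXPORTS"
```

Run against a real server's `/etc/exports` the script is only a first pass: it does not resolve netgroups (`@group`) or check that the named hosts actually have Kerberos principals, which is where the LDAP + Kerberos work Rob mentions comes in.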