On Tuesday 24 August 2010 09:00:28 Yaron wrote:
> On Tue, 24 Aug 2010, James wrote:
> > I have read articles that state that NFS is insecure but those
> > articles are many years old. Is it still insecure?
> 
> Well, it's not like it's encrypted or anything. Or password protected.
> 
> Then again, not like you're going to be running it across the open
> internet, right? It's usually something that gets run in trusted
> environments.
> 
> -Yaron

NFS has a couple of issues that conspire to get it called insecure.

The first is it's a plain text protocol.  So your data is going over the wire 
in plain text.  This may or may not be an issue depending on your 
organization.

The second has to do with authorization and authentication, as well as file 
permissions.  In NFSv2 and v3 you can restrict access to shares on the server 
by netblock, but that's about it.  If someone wants a file to be private they 
can be tempted to chmod it 600, but the server trusts the UID of the client, 
so someone else wanting to read the file can simply create that UID on their 
client, mount up the share and then access the file.  But umasks conspire to 
make it difficult to use as a group access system as well.  Say for example 
you have all of the accountants in a group called accountant.  In order to 
share a directory with them all with NFS you have to create files owned 
user:accountant perms 660...and that's fine until they go to create a file in 
another directory, either on the NFS server or locally.

NFSv4 has changed the game, but that's not very widely deployed yet, and 
usually if someone says "NFS" they are talking about v3 or v2.  If they are 
intending to talk about v4 they will say NFSv4.

http://www.iaps.com/NFSv4-new-features.html

Is decent reading and will show how a lot of what I've said simply doesn't 
apply to NFSv4, and how it may be a suitable choice for you, if NFSv3 isn't.


-- 
Thanks,

Josh Paetzel
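
An added example, not part of the message above or of any project's code: a small audit of Linux `exports(5)` entries for the issues the message names (the server trusting the client's UID, cleartext traffic, and access restricted only by netblock). The sample file contents, paths, hosts and finding labels are constructed for illustration.

```python
import re

# Constructed sample /etc/exports content (not from the original message).
SAMPLE_EXPORTS = """\
/srv/accounting   192.168.10.0/24(rw,sync)
/srv/scratch      *(rw,no_root_squash)
/srv/private      10.0.0.0/8(rw,sec=krb5p)
/srv/mixed        lab.example.org(ro,sec=krb5i:sys)
"""

ENTRY = re.compile(r"^([^\s(]*)(?:\(([^)]*)\))?$")

def audit_entry(entry):
    """Return the set of findings for one client(options) entry."""
    m = ENTRY.match(entry)
    if not m:
        return {"unparsed"}
    client, optstr = m.group(1), m.group(2) or ""
    opts = {o.strip() for o in optstr.split(",") if o.strip()}
    # exports(5): with no sec= option the flavor is sys (AUTH_SYS).
    flavors = ["sys"]
    for o in opts:
        if o.startswith("sec="):
            flavors = o[4:].split(":")
    found = set()
    if "sys" in flavors:
        found.add("auth_sys")        # server trusts the UID the client sends
    if any(f != "krb5p" for f in flavors):
        found.add("cleartext")       # of the sec= flavors, only krb5p encrypts data
    if client in ("", "*"):
        found.add("world")           # no netblock or host restriction
    if "no_root_squash" in opts:
        found.add("no_root_squash")  # client root is root on the export
    return found

def audit_exports(text):
    """Map (path, client) -> findings for every entry that has any."""
    report = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            found = audit_entry(entry)
            if found:
                report[(path, entry.split("(")[0] or "*")] = found
    return report

if __name__ == "__main__":
    for (path, client), found in sorted(audit_exports(SAMPLE_EXPORTS).items()):
        print(f"{path} -> {client}: {', '.join(sorted(found))}")
```
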