Samba and NFS need some explanations.

Gordon Messmer yinyang at eburg.com
Tue Apr 11 18:53:59 UTC 2006


Zane C.B. wrote:
> On Tue, 11 Apr 2006 13:08:10 -0500
> Les Mikesell <lesmikesell at gmail.com> wrote:
> 
>> Note in particular that anyone who has root access on a client
>> (or can boot a knoppix CD) can pretend to be anyone else in
>> regard to the NFS server file permissions.
> 
> Yup, which is why you only want to use it in secure environments. It is
> great for sharing stuff between servers. You can tell the NFS server to
> remap root, but this largely useless though.

Usually, they're called "trusted" environments, which is different from 
a "secure" environment.  In a traditional NFS environment, you must 
trust each workstation to which you export a filesystem, and to some 
extent, you probably need to trust the users, too.

NFSv4 has made advances in that area, utilizing RPCSEC_GSS to provide 
security in hostile environments (See chapter 11):
http://www.nluug.nl/events/sane2000/papers/pawlowski.pdf

Less technical discussion here:
http://blogs.sun.com/roller/page/erickustarz?entry=nfsmapid_domain

Some interesting Linux-specific configuration documentation here:
http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html




More information about the users mailing list