On Friday 29 April 2005 14:03, Bill Cavalieri wrote:
While nfs is not the solution you needed for your setup, I have nfs in many locations and have never had any security problems. It's not the best remote filesystem (defaults to udp among other things), but certainly quieter than using smb/cifs on the network.
I chose NFS for those locations because it was the simplest to implement and ensured that no unexpected permissions issues would be introduced by having the added Windows compatibility that we didn't need for those servers -- not for bandwidth reasons. NFS is much larger than SMB/CIFS because every single IO request made by an application is passed over the network verbatim to the destination server where it is interpreted as being made by a local application. Literally, every single request that any app might make of a file system goes over the wire without modification.
NFS is extremely insecure but still usable in places where security requirements are very low. There is a non-standard version of NFS out there that supports public key authentication and encryption; however, as far as I know, it's not available in vanilla distro installations. NFS is vulnerable in three big ways:
* no authentication
* everything is sent over the wire with absolutely no encryption
* where the server is configured to only allow root clients from certain 'trusted' IP addresses, a simple ARP poison will allow root access to that share from anywhere on the network
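
An added example, not part of the original message: a small auditor that reads Linux `exports(5)` syntax and flags each export against the three weaknesses listed above. The sample file, its paths and addresses, and the finding names (`no-auth`, `cleartext`, `root-by-ip`) are constructed for illustration; `sec=krb5p` is the `exports(5)` security flavor that adds authentication and encryption, and is not something the message itself mentions.

```python
import re

# Constructed sample /etc/exports (documentation-range addresses, not from the post).
SAMPLE_EXPORTS = """\
/srv/backup  192.0.2.10(rw,sync,no_root_squash)
/srv/home    192.0.2.0/24(rw,sync,root_squash)
/srv/pub     *(ro,sync)
/srv/secure  192.0.2.20(rw,sync,sec=krb5p)
"""

SPEC = re.compile(r"([^()]*)(?:\(([^()]*)\))?")  # host(opt,opt,...)

def audit_exports(text):
    """Return (path, client, finding) tuples for exports matching the three weaknesses."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC.fullmatch(spec)
            if m is None:
                continue
            client = m.group(1) or "*"        # "(opts)" with no host means any client
            opts = [o for o in (m.group(2) or "").split(",") if o]
            # exports(5): the security flavor defaults to sys when sec= is absent
            flavors = ["sys"]
            for o in opts:
                if o.startswith("sec="):
                    flavors = o[4:].split(":")
            if "sys" in flavors:
                # AUTH_SYS: the server believes the UID/GID the client sends
                findings.append((path, client, "no-auth"))
            if any(f != "krb5p" for f in flavors):
                # only krb5p encrypts the RPC payload
                findings.append((path, client, "cleartext"))
            if "no_root_squash" in opts and "sys" in flavors:
                # root is granted on source address alone, which ARP spoofing defeats
                findings.append((path, client, "root-by-ip"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:15} {finding}")
```
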