--- "D. Hageman" [email protected] wrote:
You could easily use any of the following to achieve your goal:
NFS
Samba
OpenAFS
Each has its pros and cons.
That was kind of my point in asking. Although I really hadn't given NFS serious thought. Last I remember NFS was a rootkit waiting to happen.
I'm looking for something that is somewhat transparent, easy to manage, doesn't need babysitting, has the *nix approach to security. I'm not looking for a CVS. That is another beast entirely. I'm looking for something where, after checking out the code I can store it on a machine dedicated to apache/<db of choice> so my desktop system doesn't need them running, and modify the code from my desktop and test the changes as I go. Then when I'm happy with it check it back into CVS. In the process my desktop never runs the code, never saves the code (except in cache memory) and never runs the CVS depository.
Thanks for the input people,
Brian D.
On Friday 29 April 2005 1:53 pm, Jack wrote:
--- "D. Hageman" [email protected] wrote:
You could easily use any of the following to achieve your goal:
NFS
Samba
OpenAFS
Each has its pros and cons.
That was kind of my point in asking. Although I really hadn't given NFS serious thought. Last I remember NFS was a rootkit waiting to happen.
While nfs is not the solution you needed for your setup, I have nfs in many locations and have never had any security problems. It's not the best remote filesystem (defaults to udp among other things), but certainly quieter than using smb/cifs on the network.
-Bill
On Friday 29 April 2005 14:03, Bill Cavalieri wrote:
While nfs is not the solution you needed for your setup, I have nfs in many locations and have never had any security problems. It's not the best remote filesystem (defaults to udp among other things), but certainly quieter than using smb/cifs on the network.
I chose NFS for those locations because it was the simplest to implement and ensured that no unexpected permissions issues would be introduced by having the added Windows compatibility that we didn't need for those servers -- not for bandwidth reasons. NFS is much larger than SMB/CIFS because every single IO request made by an application is passed over the network verbatim to the destination server where it is interpreted as being made by a local application. Literally, every single request that any app might make of a file system goes over the wire without modification.
NFS is extremely insecure but still usable in places where security requirements are very low. There is a non-standard version of NFS out there that supports public key authentication and encryption; however, as far as I know, it's not available in vanilla distro installations. NFS is vulnerable in three big ways:
* no authentication
* everything is sent over the wire with absolutely no encryption
* where the server is configured to only allow root clients from certain 'trusted' IP addresses, a simple ARP poison will allow root access to that share from anywhere on the network
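An added example, not part of the original thread: a small audit of a Linux `exports(5)` file for the three weaknesses listed above (client-asserted identity under `sec=sys`, no encryption unless `sec=krb5p`, and `no_root_squash`). The sample exports, host names, finding codes and function names are constructed for illustration.

```python
import re

# Constructed sample in Linux exports(5) syntax; hosts and paths are invented.
SAMPLE_EXPORTS = """\
/srv/www      192.168.1.10(rw,no_root_squash)
/srv/projects 192.168.1.0/24(rw,sync,root_squash) *(ro)
/srv/secure   dev.example.internal(rw,sync,sec=krb5p)
"""

# Finding codes, keyed to the three weaknesses listed in the message above.
FINDINGS = {
    "auth_sys": "sec=sys: server trusts client-supplied UIDs (no authentication)",
    "cleartext": "a non-krb5p flavor is allowed: traffic is not encrypted",
    "root_unsquashed": "no_root_squash: remote root keeps root on the share",
    "any_host": "export is open to every host",
}

def parse_exports(text):
    """Yield (path, client, options) per client entry. Simplified parser:
    quoted paths and '-options' default entries are not handled."""
    text = text.replace("\\\n", " ")          # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if m:
                opts = [o for o in (m.group(2) or "").split(",") if o]
                yield path, m.group(1) or "*", opts

def audit(text):
    """Return a list of (path, client, finding_code) tuples."""
    out = []
    for path, client, opts in parse_exports(text):
        sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")  # default: sys
        flavors = sec.split(":")
        checks = {
            "auth_sys": "sys" in flavors,
            "cleartext": any(f != "krb5p" for f in flavors),
            "root_unsquashed": "no_root_squash" in opts,
            "any_host": client == "*",
        }
        out += [(path, client, code) for code, hit in checks.items() if hit]
    return out

if __name__ == "__main__":
    for path, client, code in audit(SAMPLE_EXPORTS):
        print(f"{path} {client}: {FINDINGS[code]}")
```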
--- Jason Clinton [email protected] wrote:
On Friday 29 April 2005 14:03, Bill Cavalieri wrote:
While nfs is not the solution you needed for your setup, I have nfs in many locations and have never had any security problems. It's not the best remote filesystem (defaults to udp among other things), but certainly quieter than using smb/cifs on the network.
I chose NFS for those locations because it was the simplest to implement and ensured that no unexpected permissions issues would be introduced by having ... NFS is extremely insecure but still usable in places where security requirements are very low. ... NFS is vulnerable in three big ways:
- no authentication
- everything is sent over the wire with absolutely no encryption
- where the server is configured to only allow root clients from certain 'trusted' IP addresses, a simple ARP poison will allow root access to that share from anywhere on the network
That is my concern. While the system is going to be internal and I will add host based firewalling (thanks for the suggestion D.) and everything is behind a firewall, the data on some of the boxes will or may be sensitive and belongs ultimately to my customers. While I keep the truly most sensitive information locked up, I take security seriously. What my customers do with it after it leaves my systems is their prerogative, but I won't expose them any more than I have to. It may be a paranoid approach, but I feel it is the responsible approach.
Brian D.