On Tuesday 24 August 2010 09:00:28 Yaron wrote:
> On Tue, 24 Aug 2010, James wrote:
> > I have read articles that state that NFS is insecure but those
> > articles are many years old. Is it still insecure?
>
> Well, it's not like it's encrypted or anything. Or password protected.
>
> Then again, not like you're going to be running it across the open
> internet, right? It's usually something that gets run in trusted
> environments.
>
> -Yaron

NFS has a couple of issues that conspire to get it called insecure.

The first is it's a plain text protocol. So your data is going over the wire in plain text. This may or may not be an issue depending on your organization.

The second has to do with authorization and authentication, as well as file permissions. In NFSv2 and v3 you can restrict access to shares on the server by netblock, but that's about it. If someone wants a file to be private they can be tempted to chmod it 600, but the server trusts the UID of the client, so someone else wanting to read the file can simply create that UID on their client, mount up the share and then access the file.

But umasks conspire to make it difficult to use as a group access system as well. Say for example you have all of the accountants in a group called accountant. In order to share a directory with them all with NFS you have to create files owned user:accountant perms 660...and that's fine until they go to create a file in another directory, either on the NFS server or locally.

NFSv4 has changed the game, but that's not very widely deployed yet, and usually if someone says "NFS" they are talking about v3 or v2. If they are intending to talk about v4 they will say NFSv4.

http://www.iaps.com/NFSv4-new-features.html

Is decent reading and will show how a lot of what I've said simply doesn't apply to NFSv4, and how it may be a suitable choice for you, if NFSv3 isn't.

-- 
Thanks,
Josh Paetzel
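An added example, not part of the original message: a small audit of a Linux-style exports file that flags the two weaknesses described above, exports that rely on client-supplied UIDs and exports whose data crosses the wire unencrypted, plus exports open to a large client range. It assumes the Linux exports(5) syntax and its `sec=` option (`sys`, `krb5`, `krb5i`, `krb5p`); the sample file, the finding names and the `max_hosts` threshold are constructed for illustration.

```python
import ipaddress

# Constructed sample in Linux exports(5) syntax; paths and networks are made up.
SAMPLE_EXPORTS = """\
# accounting share, restricted by netblock only
/srv/accounting  192.0.2.0/24(rw,sync)
/srv/scratch     *(rw,sync,sec=sys)
/srv/payroll     198.51.100.0/28(rw,sync,sec=krb5p)
/srv/mixed       198.51.100.0/28(rw,sync,sec=krb5p:sys)
"""

def parse_exports(text):
    """Yield (path, client, options) for each client entry (simple one-line form only)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for entry in clients or ["*"]:          # no client listed means any host
            client, _, opts = entry.partition("(")
            yield path, client or "*", [o for o in opts.rstrip(")").split(",") if o]

def audit(text, max_hosts=256):
    """Return (path, client, finding) tuples for the weaknesses the message describes."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavors = ["sys"]                       # exports(5) default when sec= is absent
        for opt in opts:
            if opt.startswith("sec="):
                flavors = opt[4:].split(":")
        if "sys" in flavors:                    # AUTH_SYS: server believes the client's UID
            findings.append((path, client, "uid-trusted"))
        if any(f != "krb5p" for f in flavors):  # only krb5p encrypts data on the wire
            findings.append((path, client, "cleartext"))
        try:
            wide = ipaddress.ip_network(client, strict=False).num_addresses > max_hosts
        except ValueError:                      # hostname or wildcard, not a netblock
            wide = "*" in client
        if wide:
            findings.append((path, client, "wide-client"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit(SAMPLE_EXPORTS):
        print(f"{path:16} {client:18} {finding}")
```

An export that lists `sys` alongside a Kerberos flavor is still flagged, because a client can negotiate the weaker flavor.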