[vpn] Re: vpn nfs (fwd)

Kurt Seifried bugtraq at seifried.org
Mon Oct 22 17:31:36 EDT 2001


> > My problem:
> > The users should have r+w perms on their own directories only, and
> > r only on the software dir. Instead of setting multiple permissions
> > on the NFS server, which is basically impossible, I need a way of
> > setting permissions on my vpn gateway. With your experience, is
> > there a tool or method you know of which enables this ? A blunt
> > question, I know, however I'd much appreciate your help.

What makes them less impossible to implement on the gateway? Let's assume
for a minute that an NFS proxy exists that will let you enforce permissions.
Several problems come to mind:

1) anyone circumventing the VPN (i.e. coming from inside) will be able to
run wild through the NFS server. oops.
2) obsfuscation attacks, encoding of data, using things like cd
"/././././././../foo/bar/../etc/" etc etc. HTTP is hard enough to monitor
and I don't imagine NFS is any easier
3) encryption of nfs services/login. awwww crap.
4) integrating authentication systems/etc.

Perhaps you should consider a different file sharing protocol/system then
NFS if permissions are that much of an issue. CODA/AFS/SMB/Novell/etc come
to mind.

To draw a parallel: Every Microsoft person I know says you should set your
directory share permissions to everyone:full control and use NTFS
permissions to enforce access.


Kurt Seifried, kurt at seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/





VPN is sponsored by SecurityFocus.com





More information about the VPN mailing list