[vpn] Re: vpn nfs (fwd)

Kurt Seifried bugtraq at seifried.org
Mon Oct 22 17:31:36 EDT 2001

> > My problem:
> > The users should have r+w perms on their own directories only, and
> > r only on the software dir. Instead of setting multiple permissions
> > on the NFS server, which is basically impossible, I need a way of
> > setting permissions on my vpn gateway. With your experience, is
> > there a tool or method you know of which enables this? A blunt
> > question, I know, however I'd much appreciate your help.

What makes them less impossible to implement on the gateway? Let's assume
for a minute that an NFS proxy exists that will let you enforce permissions.
Several problems come to mind:

1) anyone circumventing the VPN (i.e. coming from inside) will be able to
run wild through the NFS server. oops.
2) obfuscation attacks, encoding of data, using things like cd
"/././././././../foo/bar/../etc/" etc etc. HTTP is hard enough to monitor
and I don't imagine NFS is any easier.
3) encryption of nfs services/login. awwww crap.
4) integrating authentication systems/etc.

Perhaps you should consider a different file sharing protocol/system than
NFS if permissions are that much of an issue. CODA/AFS/SMB/Novell/etc come
to mind.

To draw a parallel: Every Microsoft person I know says you should set your
directory share permissions to everyone:full control and use NTFS
permissions to enforce access.

Kurt Seifried, kurt at seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
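
Point 2 above, illustrated with an added example that is not part of the original message: a gateway check that prefix-matches the raw path is bypassed by `.` and `..` segments, while a check that normalizes first and compares whole path components is not. The export layout (`/export/home/<user>`, `/export/software`) and all function names are assumptions made for illustration.

```python
import posixpath

# Hypothetical export layout (assumption, not from the original message).
HOME_ROOT = "/export/home"
SOFTWARE_ROOT = "/export/software"


def naive_allows(user, path, mode):
    """Prefix match on the raw string, as a simple filtering proxy might."""
    if path.startswith(f"{HOME_ROOT}/{user}/"):
        return mode in ("r", "w")
    if path.startswith(f"{SOFTWARE_ROOT}/"):
        return mode == "r"
    return False


def _parts(path):
    return [p for p in path.split("/") if p]


def canonical_allows(user, path, mode):
    """Collapse '.' and '..' lexically, then compare whole components."""
    if not path.startswith("/"):
        return False  # a relative path has no fixed meaning at the gateway
    # Lexical only: symlinks on the NFS server are invisible to this check.
    parts = _parts(posixpath.normpath(path))
    home = _parts(HOME_ROOT) + [user]
    software = _parts(SOFTWARE_ROOT)
    if parts[:len(home)] == home:
        return mode in ("r", "w")   # own directory: read and write
    if parts[:len(software)] == software:
        return mode == "r"          # software directory: read only
    return False


# Constructed requests: (user, path, mode)
SAMPLES = [
    ("alice", "/export/home/alice/notes.txt", "w"),
    ("alice", "/export/home/alice/././../bob/notes.txt", "w"),
    ("alice", "/export/software/../home/bob/notes.txt", "r"),
    ("alice", "/export/software/bin/tool", "w"),
]


def compare(samples=SAMPLES):
    """Return (naive, canonical) decisions for each sample request."""
    return [(naive_allows(*s), canonical_allows(*s)) for s in samples]
```

The second and third constructed requests pass the raw prefix check but resolve into another user's directory, so only the normalized check denies them.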
