[vpn] Re: vpn nfs (fwd)

Kurt Seifried bugtraq at seifried.org
Mon Oct 22 18:26:55 EDT 2001


> Thank you for your response(s)
> let me clarify the situation:
>
> In our network we have several hundred unix boxes all connected to our nfs
> server. These boxes are ours of course, only the sysadmins are root. No
> box is behind a firewall or in a vpn, all have a publicly assigned ip.
> Being a university, we have assistants, professors and doctorates who
> bring in their own laptops and need a net connection. Now I'm sure you
> know the dangers there are when someone has root on a box and can connect
> to our nfs server...enough said there. The further dangers of having root
> on our network which doesn't belong to us don't even need to be mentioned.

Uhmm no. Using root_squash I'm not really aware of the danger of root
connecting to your NFS server. As for users choosing arbitrary names, well
they can also choose arbitrary IPs assuming your infrastructure isn't
tightly locked down (which from the sounds of it it isn't). You may want to
purchase the O'Reilly NIS/NFS book, it's quite good. Have you considered
using the more advanced authentication available in NFS rather than the
IP/user?

Or to put it bluntly, if you are worried about security why are you using
NFS?

> Is this somehow possible or is there a more simple method for people with
> their own notebooks in our network ?

Yup. See above.

> greets
> AlanCB

Kurt Seifried, kurt at seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
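
Added example (not part of the original message, and not the author's code): a small audit of Linux exports(5)-style entries for the two settings the reply discusses, root squashing and the authentication used in place of IP/user. The export lines, host names and finding labels are constructed for illustration; the sec= option and its defaults assume a Linux NFS server.

```python
# Added example: audits Linux exports(5)-style lines. Sample data is constructed.
SAMPLE_EXPORTS = """\
/home      *.example.edu(rw,root_squash)
/scratch   192.0.2.0/24(rw,no_root_squash)
/projects  *(rw,sec=krb5p)
"""

def parse_client(spec):
    """Split 'host(opt,opt)' into (host, options); a bare '(opts)' means any host."""
    host, _, rest = spec.partition("(")
    opts = {o.strip() for o in rest.rstrip(")").split(",") if o.strip()}
    return host or "*", opts

def audit_exports(text):
    """Return sorted (path, host, finding) tuples for risky export settings."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()           # assumes paths without spaces
        for spec in specs or ["*"]:           # no client list: exported to everyone
            host, opts = parse_client(spec)
            # root_squash is the Linux default; only an explicit override disables it.
            if "no_root_squash" in opts:
                findings.append((path, host, "root-not-squashed"))
            # sec= lists the accepted flavors; the default is sys (AUTH_SYS),
            # where the server accepts the UID/GID the client sends.
            flavors = {"sys"}
            for opt in opts:
                if opt.startswith("sec="):
                    flavors = set(opt[4:].split(":"))
            if "sys" in flavors:
                findings.append((path, host, "auth-sys-trusts-client-uid"))
            if host == "*":
                findings.append((path, host, "any-host"))
    return sorted(findings)

if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:10} {host:16} {finding}")
```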

