[Gllug] NFS NIS

Ian Norton bredroll at dsh.org.uk
Sun Sep 30 11:25:40 UTC 2001 

wow, another ian :-)

yes, the nfs will be among my private adress space, i was not planning to
export nfs around the uni, (i also have nfs set to dissalow root) for access
to files when im not in my room i was planning to use ssh/scp, dont mind it
being slower a little there, 

i suppose ill just have to quarentine my room from my 2600 friends :-)

bredroll

On Fri, Sep 28, 2001 at 10:44:10PM +0100, Ian Northeast wrote
> Ian Norton wrote:
> > 
> > Hi folks,
> > 
> > For about 8 months now i have had my little network here running, there
> > have been a few annoyance issues with some services but mostly it did
> > what i want,
> > 
> > the current setup is as follows,
> > 
> > I have a p133 with linux 2.4.0 running NIS, It also has 2 net cards
> > (provision for uni, one is for my uni ethernet socket and other to go to
> > my hub, running pretty tight iptables rules, bit of portforwarding, SNAT
> > etc,yaddayadda)
> > 
> > i have exported /home with NFS, (shudder) at home this is not a problem
> > at home. but for uni i would kind of like to be a hell of a lot more
> > secure, (attending a university where one day i sat down and watched
> > someone do some creative network hacking and get himself mounted to the
> > staff nfs shares.)
> > 
> > i would like my three workstations to be able to SECURELY mount the home
> > directory on the server as thier own /home or maybe /mnt/homes (thinking
> > about it i use very different X setups on all the boxes)
> > 
> > one issue i have had with NFS and NIS is this,
> > 
> > i could walk in, plug in my laptop and elect for it to use ypbind, it
> > binds to my nis domain, and finishes booting,
> > 
> > i then su, mount the /home on the laptop, (at current exports are for
> > specific hosts only but ip spoofing is fairly simple)
> > 
> > then su to a user give by nis, bang, i can read/write the nfs share!
> > (the person doing this could be anyone with root on thier own laptop)
> > 
> > ideas about restricting what can bind to nis would be appreciated. (or
> > could i simply restrict timed?/portmap)
> > 
> > please tell me if i have missed the point of my message entirely :-)
> 
> Unfortunately securing NIS won't do it.
> 
> If someone spoofs an IP address which you have exported a filesystem to,
> then they don't need access to your NIS maps to create users and groups
> whose numbers match yours and gain access. And if you have exported with
> no_root_squash, they don't even need to do that.
> 
> So you have to secure your NFS. And, if you believe that IPs will be
> spoofed on the network (and you are probably right here, I would imagine
> that a modern university would be full of hackers) this will be
> difficult. You probably want to have distinct machines for firewall and
> NFS server, with the NFS server and its clients all using private
> addresses. Then nothing can get in unless you permit it. My network
> looks like this.
> 
> Are you thinking of being able to plug your laptop in anywhere on the
> University network and gain access to your NFS shares, without allowing
> anyone else to do this? I don't think this can be done safely at all. If
> you do want to do this, maybe NetBIOS would be a better bet - run Samba
> on the server with security=user, then at least you have to supply a
> password, which will be encrypted. It goes somewhat against the grain to
> suggest this, but I can't think of any way of protecting NFS if you
> assume that the IP can be spoofed. It doesn't use passwords. Any
> opinions?
> 
> Regards, Ian
> 
> -- 
> Gllug mailing list  -  Gllug at linux.co.uk
> http://list.ftech.net/mailman/listinfo/gllug

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug

More information about the GLLUG mailing list