[Gllug] NFS NIS

Ian Northeast ian at house-from-hell.demon.co.uk
Fri Sep 28 21:44:10 UTC 2001


Ian Norton wrote:
> 
> Hi folks,
> 
> For about 8 months now i have had my little network here running, there
> have been a few annoyance issues with some services but mostly it did
> what i want,
> 
> the current setup is as follows,
> 
> I have a p133 with linux 2.4.0 running NIS, It also has 2 net cards
> (provision for uni, one is for my uni ethernet socket and other to go to
> my hub, running pretty tight iptables rules, bit of portforwarding, SNAT
> etc,yaddayadda)
> 
> i have exported /home with NFS, (shudder) at home this is not a problem
> at home. but for uni i would kind of like to be a hell of a lot more
> secure, (attending a university where one day i sat down and watched
> someone do some creative network hacking and get himself mounted to the
> staff nfs shares.)
> 
> i would like my three workstations to be able to SECURELY mount the home
> directory on the server as thier own /home or maybe /mnt/homes (thinking
> about it i use very different X setups on all the boxes)
> 
> one issue i have had with NFS and NIS is this,
> 
> i could walk in, plug in my laptop and elect for it to use ypbind, it
> binds to my nis domain, and finishes booting,
> 
> i then su, mount the /home on the laptop, (at current exports are for
> specific hosts only but ip spoofing is fairly simple)
> 
> then su to a user give by nis, bang, i can read/write the nfs share!
> (the person doing this could be anyone with root on thier own laptop)
> 
> ideas about restricting what can bind to nis would be appreciated. (or
> could i simply restrict timed?/portmap)
> 
> please tell me if i have missed the point of my message entirely :-)

Unfortunately securing NIS won't do it.

If someone spoofs an IP address which you have exported a filesystem to,
then they don't need access to your NIS maps to create users and groups
whose numbers match yours and gain access. And if you have exported with
no_root_squash, they don't even need to do that.

So you have to secure your NFS. And, if you believe that IPs will be
spoofed on the network (and you are probably right here, I would imagine
that a modern university would be full of hackers) this will be
difficult. You probably want to have distinct machines for firewall and
NFS server, with the NFS server and its clients all using private
addresses. Then nothing can get in unless you permit it. My network
looks like this.

Are you thinking of being able to plug your laptop in anywhere on the
University network and gain access to your NFS shares, without allowing
anyone else to do this? I don't think this can be done safely at all. If
you do want to do this, maybe NetBIOS would be a better bet - run Samba
on the server with security=user, then at least you have to supply a
password, which will be encrypted. It goes somewhat against the grain to
suggest this, but I can't think of any way of protecting NFS if you
assume that the IP can be spoofed. It doesn't use passwords. Any
opinions?

Regards, Ian

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug




More information about the GLLUG mailing list