[Tfug] pcnfsd(8) privilege reduction

Bexley Hall bexley401 at yahoo.com
Wed Jan 9 03:24:37 MST 2013


Hi John,

On 1/9/2013 2:53 AM, John Gruenenfelder wrote:
> On Wed, Jan 9, 2013 at 2:27 AM, Bexley Hall <bexley401 at yahoo.com> wrote:
>> [Yes, NFS is a dog -- and a security risk.  As is CIFS.  But, the
>> machines in question are isolated from all potential threat sources]
>
> Don,
>
> Quite true... but the nice thing about NFS is that, in general, "it
> just works".  Especially amongst homogeneous (or nearly so) UNIX
> machines.  And when used on an internal network where nfsd and the
> router are configured to not allow any connections from outside, most
> of the security issues are sufficiently dealt with.

I opted to avoid CIFS because it wouldn't handle *all* of my sharing
needs.  I.e., if I will have to support NFS for certain applications,
having to *also* support CIFS just seemed like extra work.  I am
hoping that "picking" NFS over CIFS pays off in reduced support
effort.

In the past, sharing a file between a UN*X host and Windows host
often required *copying* the file between the two hosts (since
the alternative would have been installing SMB support on *all*
the UN*X hosts... just to accommodate MS!).

But, copying isn't sharing!  E.g., making a change to one copy
doesn't ensure that everyone sees that change!  I would have to
discipline myself to copying the changed file *back* and keeping
track of where the "latest working copy" resided.  PITA.

> The main reason I make use of it is because NFS integrates more or
> less seamlessly with the UNIX file system tree.  At work, when we had
> three machines running and each had a significant amount of storage,
> we made very heavy use of NFS which was in many cases transparent to
> the users.

Understood.  I want it for PXE booting diskless clients and mounting
a shared (R/O) filesystem (e.g., for the binaries).

> At this point, I believe I have all of my machines working on NFSv4
> via TCP, though I am not making any use of the GSSAPI security
> mechanisms.

I rely on a 6 ft air gap in my network fabric!  :>  I.e., if someone
breaks into the house *solely* to steal/corrupt my files, good luck
to them!  :>  As long as they don't take the 728 karat diamond I
have sitting on the kitchen counter...

--don
