From owner-freebsd-security  Fri Nov 15 15:45:44 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id PAA27747
          for security-outgoing; Fri, 15 Nov 1996 15:45:44 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA27742
          for <freebsd-security@freebsd.org>; Fri, 15 Nov 1996 15:45:41 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id SAA29894; Fri, 15 Nov 1996 18:42:49 -0500
From: Adam Shostack <adam@homeport.org>
Message-Id: <199611152342.SAA29894@homeport.org>
Subject: Re: NFS Server, is it secure?
In-Reply-To: <199611151516.SAA07972@pluscom.cronyx.ru> from Dmitry Morozovsky at "Nov 15, 96 06:16:53 pm"
To: marck@pluscom.cronyx.ru (Dmitry Morozovsky)
Date: Fri, 15 Nov 1996 18:42:49 -0500 (EST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Dmitry Morozovsky wrote:
| Mark Newton wrote:
| > Well, yes -- NFS is basically never "secure" on any platform.  The
| > NFS protocol was never designed with security in mind.
| 
| > If you know (or can guess) the NFS filehandle for an NFS filesystem
| > root then you can spoof the protocol for a start.  
| 
| > Firewall your NFS server:  Its services should not be reachable from
| > the Internet-at-large.
| 
| Is NFS server with no exports with write permissions vulnerable too?

	It depends if you're keeping confidential information on the
server.  But if you're going to export it read only, might as well put
it on the web.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume