From owner-freebsd-security Fri Nov 15 15:45:44 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA27747 for security-outgoing; Fri, 15 Nov 1996 15:45:44 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA27742 for ; Fri, 15 Nov 1996 15:45:41 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id SAA29894; Fri, 15 Nov 1996 18:42:49 -0500 From: Adam Shostack Message-Id: <199611152342.SAA29894@homeport.org> Subject: Re: NFS Server, is it secure? In-Reply-To: <199611151516.SAA07972@pluscom.cronyx.ru> from Dmitry Morozovsky at "Nov 15, 96 06:16:53 pm" To: marck@pluscom.cronyx.ru (Dmitry Morozovsky) Date: Fri, 15 Nov 1996 18:42:49 -0500 (EST) Cc: freebsd-security@freebsd.org X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Dmitry Morozovsky wrote: | Mark Newton wrote: | > Well, yes -- NFS is basically never "secure" on any platform. The | > NFS protocol was never designed with security in mind. | | > If you know (or can guess) the NFS filehandle for an NFS filesystem | > root then you can spoof the protocol for a start. | | > Firewall your NFS server: Its services should not be reachable from | > the Internet-at-large. | | Is NFS server with no exports with write permissions vulnerable too? It depends if you're keeping confidential information on the server. But if you're going to export it read only, might as well put it on the web. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume