On Thu, 12 Apr 2001, Neill Newman wrote:
David Freeman wrote:
--- Neill Newman neill@entora.co.uk wrote:
Most secure method is definitely not NFS!! Use Samba instead...
Yeah, but the network is firewalled so it is not a problem. Most big ISPs use NFS for serving webpages from NetApps and big Suns (trust me on this). I would also argue you are completely wrong about using Samba instead.
I am deadly serious. NFS assumes that the client is responsible for the authentication, and therefore anybody who has root access on a Linux box can 'become' another user, and mount their files. Not very secure!!!
Aah, there are some very simple ways of spoofing with the M$ protocols. I know which one I would choose. Also, if you look at the man pages for NFS you can see it is very easy to enable some fairly strong access controls.
Samba, although used by MS, was designed with the authentication stage in the server, thus getting around this problem.. Between NFS and SMB, SMB is more secure (not to mention faster!)...
SMB faster than NFS?!?! I really don't think so. Also, the way passwords get chucked around the network with SMB is dangerously insecure, as if you grab a copy of L0phtcrack and a packet sniffer you can get them dead easily, or if you are on a switched network you can easily craft a message to exploit SMB. SMB doesn't support real host access controls, which NFS does; this makes a big difference in real security.
There are some other network filesystems (such as Coda) which may be better than SMB, but I don't really know much about them...
Coda is a really good idea, just not quite there yet. Most of the people I know who have used it have reported the same as me, and that is that it breaks severely at random.
Adam
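
Both points argued in this thread (NFS trusting the client for user identity, and NFS host access controls) are decided by the server's exports file. The following is an added example, not part of the original messages: a small Python audit of exports(5)-style entries, run over a constructed sample whose paths and host names are made up, with finding labels chosen for this example.

```python
import re

# Constructed sample /etc/exports content (hosts and paths are made up).
SAMPLE_EXPORTS = """\
# web content, read-only
/srv/www     web1.example.com(ro,root_squash) web2.example.com(ro,sec=krb5p)
/home        *(rw,no_root_squash)
/srv/scratch 192.168.10.0/24(rw,insecure)
"""

SPEC = re.compile(r"([^()]*)(?:\(([^)]*)\))?")  # client(opt,opt,...)

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC.fullmatch(spec)
            if m is None:
                findings.append((path, spec, "unparsed"))
                continue
            host = m.group(1) or "*"   # bare "(opts)" applies to every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            if "*" in host or "?" in host:
                # client matched by pattern, not by a specific host or subnet
                findings.append((path, host, "wildcard-client"))
            if "no_root_squash" in opts:
                # root on the client acts as root on the exported files
                findings.append((path, host, "no_root_squash"))
            if "insecure" in opts:
                # requests from unprivileged source ports are accepted
                findings.append((path, host, "insecure-port"))
            flavors = [f for o in opts if o.startswith("sec=")
                       for f in o[4:].split(":")] or ["sys"]
            if "sys" in flavors:
                # AUTH_SYS: the server believes the UID/GID the client sends
                findings.append((path, host, "auth_sys"))
    return findings

if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {host:20} {finding}")
```

Note that `root_squash` only remaps UID 0; an export still using AUTH_SYS accepts whatever non-root UID the client presents, which is why the first entry is still flagged.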