Network Security Focus-Linux

Re: Samba vs NFS

Subject: Re: Samba vs NFS
Date: Tue, 22 Feb 2005 11:39:21 -0600
Kyle Wheeler wrote:
On Thursday, February 17 at 05:42 PM, quoth Jennifer Fountain:

Hi all:
My company is looking at samba or NFS to allow our clients to access
shares from their Windows workstations and their linux ssh sessions.
From a security standpoint, which option is "more" secure?  Which option
is more vulnerable than the other?  Etc, etc, etc.  I appreciate any
security information about NFS or samba that you may have.


Something you should know... NFS doesn't use passwords.

Passwords != security

NFS decided to skip the whole security thing.

You mean, it uses a trust model with which you are not comfortable.

The way it works is that in the NFS server you specify what computers are allowed to use the server, and those servers have full access.

No, they have access permissions as dictated by the file permissions on the server and UID on the client. This opens the door for lots of fun and games, but it does not imply "full access."

Whoever the clients say they are, the server will trust them, including root.

This is only true if you tell the NFS server to map the root user on the client to the root user on the server. Most default NFS server installs these days will map the user root to nobody on the NFS server. This is far from perfect. However, it limits the damage root can do explicitly. Of course, root can assume the credentials of any user, so gaining root on a client can still cause large information disclosure.

The idea is that it is the client operating system's responsibility to make sure that people are who they say they are. NFS trusts clients completely. Typical NFS installations have either very few clients, or the clients are all closely controlled by the administrator.

It's also possible to use Kerberos with NFS to handle at least parts of this problem. This is typically not done as a Kerberos implementation can be a significant project in and of itself.

For simple file sharing with Windows machines, Samba is probably
the best choice as it involves as little work on the client systems
as possible. However, if you have root or admin access on the client
systems, then it is safe to assume that anything on the file server
will be accessible sooner or later anyway - regardless of any other
security systems which may be present.

Best,

---Steve
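
An added example, not part of the original post: a small auditor for Linux `/etc/exports` (exports(5) syntax) that flags the three settings the thread turns on, namely root mapping, which clients are trusted, and whether Kerberos is in use. The sample exports content, the host names and the finding labels are constructed for illustration.

```python
import re

# Constructed sample /etc/exports content; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# shared home directories
/srv/home     192.0.2.0/24(rw,sync)
/srv/build    buildhost.example.com(rw,no_root_squash)
/srv/pub      *(ro,all_squash)
/srv/finance  fin1.example.com(rw,sec=krb5p)
"""

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}
ENTRY = re.compile(r"^([^\s(]*)(?:\(([^)]*)\))?$")  # client(opt,opt,...)

def audit_exports(text):
    """Return (path, client, finding) tuples for every risky export entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = ENTRY.match(entry)
            if not m:
                continue
            client = m.group(1) or "*"           # "(opts)" alone means any host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            # sec= may list several flavors separated by ':'; default is sys.
            flavors = {f for o in opts if o.startswith("sec=")
                       for f in o[4:].split(":")} or {"sys"}
            if "no_root_squash" in opts:
                # root on the client is treated as root on the server
                findings.append((path, client, "root-not-squashed"))
            if "*" in client or "?" in client:
                # wildcard: any matching machine is a trusted client
                findings.append((path, client, "any-host"))
            if not flavors <= KRB_FLAVORS and "all_squash" not in opts:
                # AUTH_SYS: the server believes whatever UID the client sends
                findings.append((path, client, "client-asserted-uid"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:24} {finding}")
```

An entry with the default `root_squash` still reports `client-asserted-uid` unless it is Kerberos-only or `all_squash`, which matches the point above that root on a client can assume any other user's UID.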
