Xref: utzoo comp.os.os2.misc:508 comp.os.os2.apps:72 alt.sys.sun:2406 comp.protocols.nfs:1645
Path: utzoo!utgpu!cs.utexas.edu!uunet!bywater!arnor!news
From: yozzo@ibm.com
Newsgroups: comp.os.os2.misc,comp.os.os2.apps,alt.sys.sun,comp.protocols.nfs
Subject: RE: TCP/IP & NFS Client for OS/2 systems; what's out there?
Message-ID: <1990Dec31.144240.13689@arnor.uucp>
Date: 31 Dec 90 14:42:40 GMT
Sender: news@arnor.uucp (NNTP News Poster)
Organization: IBM T.J. Watson Research Center
Lines: 27

This problem exists in any LAN where the users have the root password for
their own machine. I do not know about your environment, but in a lot of
environments that I have seen, the users have their own workstation and
they have the root password on their workstation. Given this, they can
'su' to any user they wish and therefore can spoof NFS.

One way to limit access is to only export to machines that you trust.

Regarding the mounting being limited to reserved ports, it is not the case
that every NFS server checks that the Mount request is coming from a
reserved port.

Another problem with AUTH_UNIX is when users have different UIDs and GIDs
on different machines. Again, this leads to NFS spoofing.

All these cases deal with Unix spoofing. Basically, AUTH_UNIX is not
secure. If you want real security, you should not be using AUTH_UNIX NFS.

Ralph Yozzo
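
Added example (not part of the original post): what a server receives in an AUTH_UNIX credential, parsed per the RFC 1057 layout, next to the two checks the post mentions (export list and reserved source port). The function names, the sample credential bytes and the addresses are assumptions constructed for illustration.

```python
import struct

# Constructed sample: an AUTH_UNIX credential body in the RFC 1057 layout
# (stamp, machinename, uid, gid, gids). Every value here is made up.
_NAME = b"ws17"  # 4 bytes, so no XDR padding is needed
SAMPLE_CRED = (struct.pack(">II", 0x2790A1B0, len(_NAME)) + _NAME
               + struct.pack(">III", 1001, 100, 2) + struct.pack(">II", 100, 20))

def parse_auth_unix(body):
    """Decode an XDR-encoded AUTH_UNIX credential body into a dict."""
    off = 0
    def u32():
        nonlocal off
        if off + 4 > len(body):
            raise ValueError("truncated credential")
        (value,) = struct.unpack_from(">I", body, off)
        off += 4
        return value
    stamp, name_len = u32(), u32()
    if name_len > 255 or off + name_len > len(body):
        raise ValueError("bad machinename length")
    name = body[off:off + name_len]
    off += (name_len + 3) & ~3          # XDR pads opaque data to 4 bytes
    uid, gid, ngids = u32(), u32(), u32()
    if ngids > 16:
        raise ValueError("more than 16 supplementary gids")
    gids = [u32() for _ in range(ngids)]
    if off != len(body):
        raise ValueError("trailing bytes after credential")
    return {"stamp": stamp, "machinename": name.decode("ascii", "replace"),
            "uid": uid, "gid": gid, "gids": gids}

def evaluate_request(src_ip, src_port, cred_body, trusted_hosts):
    """Return (accepted, reasons, cred).

    Only src_ip and src_port are observed by the server. The uid, gid, gids
    and machinename in cred are whatever the client sent; neither check
    below validates them, so the decision rests on trusting the host.
    """
    cred = parse_auth_unix(cred_body)
    reasons = []
    if src_ip not in trusted_hosts:     # "only export to machines you trust"
        reasons.append("host not in export list")
    if src_port >= 1024:                # reserved-port check, not done by every server
        reasons.append("non-reserved source port")
    return (not reasons, reasons, cred)

if __name__ == "__main__":
    print(evaluate_request("192.0.2.10", 1023, SAMPLE_CRED, {"192.0.2.10"}))
    print(evaluate_request("192.0.2.99", 40000, SAMPLE_CRED, {"192.0.2.10"}))
```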