Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!ames!elroy!david
From: david@elroy.Jpl.Nasa.Gov (David Robinson)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Ethernet Bridge (really: NFS "security")
Message-ID: <4797@elroy.Jpl.Nasa.Gov>
Date: Sun, 8-Nov-87 00:51:37 EST
Article-I.D.: elroy.4797
Posted: Sun Nov 8 00:51:37 1987
Date-Received: Tue, 10-Nov-87 01:02:02 EST
References: <8711062349.AA04106@ucbvax.Berkeley.EDU> <1761@bloom-beacon.MIT.EDU>
Organization: Image Analysis Systems Grp, JPL
Lines: 49

In article <1761@bloom-beacon.MIT.EDU>, wesommer@athena.mit.edu (William Sommerfeld) writes:
> In article <8711062349.AA04106@ucbvax.Berkeley.EDU> snorthc@NSWC-OAS.ARPA writes:
> >OK, I'll bite.  We have been looking at NFS as a UNIX/VMS server solution
> >for PCs.  From the beginning of the investigation we were looking for
> >things like the 'huge security holes'.
>
> Huge security holes is correct.  [I won't even talk about vulnerability
> to malformed packets]
> ...
> There is a minor complication, which is that to do anything
> meaningful, you need to know a "file handle" for a directory on one
> filesystem.  Once you have the file handle, you can do anything you
> want to the file system, because you can claim an arbitrary user-id in
> the packet, and the server will trust you.
> ...

[More discussion of the file handle contents]

It is very true that NFS is not very secure and it is doubtful that it
ever will be VERY secure.  As with most network protocols, someone with
a little patience and a packet monitor can figure out the protocol.
The best way to fight this is to have packet data that is not easy to
spoof or even figure out.  Using various encryption methods such as
public/private key or DES etc. helps.

Your point about the file handle points out a current weak spot that
does not have to exist.  The file handle is created on the server and
only it is required to know the contents.  The client just blindly
passes it back whenever it wants that file.  You have described quite
well the portable NFS file handle for Unix, but on machines such as VMS
this doesn't hold; its file handle is completely different and possibly
somewhat strange.  The server does not have to use a simple method such
as placing the inode in the file handle; it could encrypt the inode
number with DES first, for example.

In general, to make a protocol such as NFS truly portable and easy to
use you must make some sacrifices in security.  It is possible to spoof
RFS or DECNET but it is more difficult because the protocol is much
tighter.  But NFS has a lot of room to grow and I do foresee
improvement.

	-David Robinson

--
	David Robinson		elroy!david@csvax.caltech.edu	ARPA
				david@elroy.jpl.nasa.gov	ARPA
				ames!elroy!david		UUCP
Disclaimer: No one listens to me anyway!
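
An added example, not part of the original post: one way a server can issue file handles that a client passes back blindly but cannot build or guess, as the article suggests. It uses HMAC-SHA256 from the Python standard library in place of the DES encryption the post mentions; the `HandleIssuer` class and the fsid/inode/generation layout are assumptions of this example, not the NFS wire format.

```python
import hashlib
import hmac
import os
import struct

# Assumed handle layout for this example (not the real NFS format):
# 4-byte fsid, 8-byte inode, 4-byte generation, then a 16-byte keyed tag.
HANDLE_FMT = ">IQI"
BODY_LEN = struct.calcsize(HANDLE_FMT)   # 16 bytes
TAG_LEN = 16                             # truncated HMAC-SHA256


class HandleIssuer:
    """Server-side issuer of file handles; the key never leaves the server."""

    def __init__(self, key=None):
        self._key = key if key is not None else os.urandom(32)

    def _tag(self, body):
        return hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]

    def issue(self, fsid, inode, generation):
        """Build the handle the client will pass back unchanged."""
        body = struct.pack(HANDLE_FMT, fsid, inode, generation)
        return body + self._tag(body)

    def resolve(self, handle):
        """Return (fsid, inode, generation), or None for a handle this
        server did not issue (wrong length, altered fields, guessed tag)."""
        if len(handle) != BODY_LEN + TAG_LEN:
            return None
        body, tag = handle[:BODY_LEN], handle[BODY_LEN:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return None
        return struct.unpack(HANDLE_FMT, body)


if __name__ == "__main__":
    server = HandleIssuer()
    fh = server.issue(fsid=1, inode=4242, generation=7)   # constructed values
    print("issued  :", fh.hex())
    print("resolved:", server.resolve(fh))
    # A handle built without the key, e.g. by guessing a low inode number.
    guessed = struct.pack(HANDLE_FMT, 1, 2, 0) + bytes(TAG_LEN)
    print("guessed :", server.resolve(guessed))
```

A handle captured from the network still resolves, so this addresses only guessed or hand-built handles, not the client-supplied user-id described in the quoted article.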