Xref: utzoo comp.protocols.nfs:206 comp.sys.ibm.pc:29299
Path: utzoo!attcan!uunet!mcvax!kth!sunic!dkuug!daimi!poj
From: poj@daimi.dk (Per Olsvig Jensen)
Newsgroups: comp.protocols.nfs,comp.sys.ibm.pc
Subject: PCNFS and security
Message-ID: <2373@daimi.dk>
Date: 25 May 89 10:46:58 GMT
Sender: news@daimi.dk
Reply-To: poj@daimi.dk (Per Olsvig Jensen)
Organization: DAIMI: Computer Science Department, Aarhus University, Denmark
Lines: 46

I'd like to start a discussion on the matter: PC-NFS and System Security.

As I see it, giving a PC, where the terms user, username, userid and so forth don't exist at all, access to NFS on, e.g., a SUN with profound user access security checks, is bound to create security holes. I mean, who can assure you that on the PC, the person using PC-NFS is really the one PC-NFS thinks he is?

All PC-NFS seems to check is that the UserId and GroupId are the right ones. It is intended that these Ids are set up by User Authentication, but what in the world prevents a hacker from setting up this information himself? In fact it took me less than half an hour to locate the UserIds etc. in the memory of PC-NFS and to set them as I liked. Once these Ids are set, nothing seems to prevent me from mounting another user's files on the SUN, writing them or deleting them as I would like to.

The only comment I've found on that in my PC-NFS Users Manual is in the chapter of "NFS Server Issues" concerning "User Authentication" and "System Security" stating:

   " user ids do not enhance the server's security, but ....
     Sun is working on secure RPC protocols. When these become
     available, they will be incorporated in PC-NFS. You should also
     be aware that PC-NFS poses the same security problems as other
     network functions that are built on RPC. For password checking,
     the encryption employed by net name is trivial. " ...

I agree, except I can't see how using secure RPC will help as long as the critical information for the security check is stored very simply in the PC memory, and accessible to everyone.

Am I wrong on this, or do you have any comments?

PS. The version of PC-NFS we're using is Version 2.00, not that it matters.

Regards
Per Olsvig Jensen
Computer Department
University of Aarhus, Denmark.
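
The point about the server only seeing a UserId and GroupId can be made concrete from the server's side. The following is an added example, not part of the original post and not PC-NFS code; it assumes the client sends the standard AUTH_UNIX credential defined in RFC 1057 (the post does not name the RPC authentication flavor), and the sample bytes are constructed.

```python
import struct

# Constructed sample (not captured traffic): XDR body of an AUTH_UNIX credential.
SAMPLE = bytes.fromhex(
    "12345678"                    # stamp: arbitrary value chosen by the client
    "00000004" "70633432"         # machinename: length 4, "pc42"
    "000003e9"                    # uid 1001
    "00000064"                    # gid 100
    "00000002" "00000064" "00000014"  # two supplementary gids: 100, 20
)

def parse_auth_unix(body: bytes) -> dict:
    """Decode an AUTH_UNIX credential body; raise ValueError if malformed."""
    off = 0

    def u32() -> int:
        nonlocal off
        if off + 4 > len(body):
            raise ValueError("truncated credential")
        (value,) = struct.unpack_from(">I", body, off)
        off += 4
        return value

    stamp = u32()
    name_len = u32()
    padded = (name_len + 3) & ~3          # XDR pads opaque data to 4 bytes
    if name_len > 255 or off + padded > len(body):
        raise ValueError("bad machinename")
    machinename = body[off:off + name_len].decode("ascii", "replace")
    off += padded
    uid, gid = u32(), u32()
    count = u32()
    if count > 16:
        raise ValueError("too many supplementary gids")
    gids = [u32() for _ in range(count)]
    if off != len(body):
        raise ValueError("trailing bytes after credential")
    return {"stamp": stamp, "machinename": machinename,
            "uid": uid, "gid": gid, "gids": gids}

if __name__ == "__main__":
    cred = parse_auth_unix(SAMPLE)
    print(cred)
    # Every byte is accounted for by the five fields above: the body holds
    # no password, signature or MAC for the server to check the uid against.
```

A server that decodes this credential can validate its syntax, but every field in it is a claim made by the client machine.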