Xref: utzoo comp.protocols.nfs:212 comp.sys.ibm.pc:29400
Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!cs.utexas.edu!sun-barr!decwrl!decvax!eagle_snax!hinode!geoff
From: geoff@hinode.east.sun.com (Geoff Arnold)
Newsgroups: comp.protocols.nfs,comp.sys.ibm.pc
Subject: Re: PCNFS and security
Message-ID: <578@eagle_snax.UUCP>
Date: 26 May 89 12:19:04 GMT
References: <2373@daimi.dk> <11668@bloom-beacon.MIT.EDU>
Sender: news@eagle_snax.UUCP
Reply-To: geoff@hinode.UUCP (Geoff Arnold)
Organization: Sun Microsystems, Billerica MA
Lines: 51

In article <11668@bloom-beacon.MIT.EDU> boomer@space.mit.edu (Don Alvarez) writes:
>In article <2373@daimi.dk> poj@daimi.dk (Per Olsvig Jensen) writes:
>>
>>...it took me less than half an hour to locate the UserIds
>>etc. in the memory of PC-NFS and set them as I liked. Once these
>>Ids are set, nothing seems to prevent me from mounting another
>>user's files on the SUN, writing to them or deleting them.
>>
>>...I can't see how using secure RPC will help as long
>>the critical information for security check is stored very simply
>>in the PC memory, and accessible to everyone.
>>
>>Am I wrong on this, or do you have any comments ?
>
>Before you conclude that PC's are the problem, ask yourself "why is it
>any harder to get a UNIX computer to commit the same security breaches
>that you just committed with your PC?"
>
>Hint: you just have to read a few more manuals and know how to get
>root privileges on the machine.
>

Don is correct. Unless you can physically secure the system and disable
"-s" type reboots, any Unix system is potentially as insecure as a PC.
In fact, it's more so, since you don't have to grovel around with a
disassembler and find the right bits: the documentation tells you how
to do it.

With current Sun and Sun-derived NFS implementations, you probably want
to control which hosts can mount sensitive file systems using the
netgroup mechanism. This means that anyone trying to break in has to
use or impersonate a trusted host - still not a significant barrier,
but better than nothing.

However, Per is incorrect when he says that secure RPC won't help. This
is because with secure RPC you would have to synthesize not just a
UID/GID but a public-key-encrypted short-lived "ticket" (to borrow the
Kerberos term). My understanding of the state of this particular art is
that the only way to really spoof such schemes is with a combination of
host impersonation (probably involving gateway subterfuge) and messing
around with the network time source(s). One PC ain't gonna cut it.

[After all's said and done, fixing NFS without doing something about the
other network services is pretty useless. Anyone with a Sniffer(tm) or
similar network monitor can snarf up all the passwords (s)he wants,
assuming that telnet or ftp is being used....]

Geoff Arnold, Internet: garnold@sun.com
Manager, PC-NFS Engineering UUCP: ....!sun!garnold
PCDS Group, Sun Microsystems Inc.
"A disclaimer? Sure, at that price you can have half a dozen of 'em."
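The two mechanisms discussed in this post can be seen side by side in code: an AUTH_UNIX credential is nothing more than client-chosen integers and a string, so an NFS server has only the client's word for the UID/GID, and a netgroup-restricted export list limits which hosts may mount at all. The following Python is an added example, not code from the thread, from PC-NFS or from Sun's NFS: it decodes the opaque body of an AUTH_UNIX credential using the XDR layout from RFC 1057 and emulates an export check driven by netgroups. The host names, netgroup and export definitions, and credential values are constructed; the netgroup matching (empty field as wildcard, "-" as never-match, nested groups) is a simplified model of the /etc/netgroup semantics, not a reimplementation of any particular exportfs.

```python
"""Decode an AUTH_UNIX credential (RFC 1057 XDR) and evaluate a
netgroup-restricted export list.  Added example with constructed data."""
import struct


def _u32(buf, off):
    """Read one big-endian XDR unsigned int; return (value, new offset)."""
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _xdr_string(buf, off):
    """Read an XDR string: u32 length, bytes, zero padding to 4-byte boundary."""
    n, off = _u32(buf, off)
    s = buf[off:off + n].decode("ascii")
    return s, off + n + (-n % 4)


def parse_auth_unix(body):
    """Decode the body of an AUTH_UNIX credential.

    Layout (RFC 1057): stamp u32, machinename string<255>, uid u32, gid u32,
    gids u32<16>.  Every field is plain data filled in by the client; there
    is no key, signature or MAC, so a server cannot distinguish a genuine
    uid from one written into the client's memory, which is the weakness
    the thread is about.
    """
    off = 0
    stamp, off = _u32(body, off)
    machinename, off = _xdr_string(body, off)
    uid, off = _u32(body, off)
    gid, off = _u32(body, off)
    ngids, off = _u32(body, off)
    if ngids > 16:
        raise ValueError("AUTH_UNIX allows at most 16 supplementary gids")
    gids = []
    for _ in range(ngids):
        g, off = _u32(body, off)
        gids.append(g)
    if off != len(body):
        raise ValueError("trailing bytes in credential body")
    return {"stamp": stamp, "machinename": machinename,
            "uid": uid, "gid": gid, "gids": gids}


def encode_auth_unix(stamp, machinename, uid, gid, gids):
    """Inverse of parse_auth_unix; used here only to build the sample."""
    name = machinename.encode("ascii")
    out = struct.pack(">I", stamp)
    out += struct.pack(">I", len(name)) + name + b"\0" * (-len(name) % 4)
    out += struct.pack(">III", uid, gid, len(gids))
    return out + b"".join(struct.pack(">I", g) for g in gids)


def host_in_netgroup(netgroups, group, host, _seen=None):
    """True if host is in group, following nested netgroup references.

    netgroups maps a name to a list of entries; an entry is either a
    (host, user, domain) triple or the name of another netgroup.  An empty
    host field is a wildcard and "-" matches nothing (simplified model).
    """
    if _seen is None:
        _seen = set()
    if group in _seen:            # guard against cyclic definitions
        return False
    _seen.add(group)
    for entry in netgroups.get(group, []):
        if isinstance(entry, tuple):
            h = entry[0]
            if h != "-" and h in ("", host):
                return True
        elif host_in_netgroup(netgroups, entry, host, _seen):
            return True
    return False


def mount_allowed(exports, netgroups, path, host):
    """Emulate a host-restricted export check.

    exports maps a path to the hosts and @netgroup names allowed to mount
    it; an empty list is the weak setting (exported to every host).
    """
    allowed = exports.get(path)
    if allowed is None:
        return False              # not exported at all
    if not allowed:
        return True               # world-mountable
    for item in allowed:
        if item.startswith("@"):
            if host_in_netgroup(netgroups, item[1:], host):
                return True
        elif item == host:
            return True
    return False


# Constructed sample data (hypothetical hosts, groups and paths).
SAMPLE_CRED = encode_auth_unix(0x1234, "pc17", 1001, 100, [100, 20])
NETGROUPS = {
    "engineering": [("ws1", "", ""), ("ws2", "", ""), "pcs"],
    "pcs": [("pc17", "", ""), ("-", "", "")],
}
EXPORTS = {
    "/export/home": ["@engineering"],   # restricted to a netgroup
    "/export/public": [],               # the weak, world-mountable form
}

if __name__ == "__main__":
    print(parse_auth_unix(SAMPLE_CRED))
    for h in ("pc17", "ws2", "stranger"):
        print(h, "/export/home ->", mount_allowed(EXPORTS, NETGROUPS, "/export/home", h))
```

Running it shows the decoded credential is just `{'uid': 1001, ...}` with nothing to verify, and that the netgroup export admits `pc17` (via the nested `pcs` group) and `ws2` but refuses `stranger`, while the empty export list admits anyone. This is exactly the gap Geoff describes: netgroups decide which hosts get in, but once a trusted host is in, AUTH_UNIX gives the server no way to check the UID it presents, which is what secure RPC's short-lived ticket adds.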