Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!swrinde!ucsd!helios.ee.lbl.gov!epb2.lbl.gov!envbvs From: envbvs@epb2.lbl.gov (Brian V. Smith) Newsgroups: comp.unix.i386 Subject: Re: RFS is by far better that NFS! Message-ID: <4469@helios.ee.lbl.gov> Date: 15 Dec 89 17:46:08 GMT References: <218@inpnms.UUCP> Sender: usenet@helios.ee.lbl.gov Reply-To: envbvs@epb2.lbl.gov (Brian V. Smith) Distribution: na Organization: Lbl Lines: 35 X-Local-Date: 15 Dec 89 09:46:08 PST In article <218@inpnms.UUCP>, logan@inpnms.UUCP (Jim Logan) writes: < We all have 386's on our desks running RFS and have enjoyed < having root access to our machines, but not on the server. From < what we have read, this is not possible under NFS. Is this true? < < We are in the process of changing over to NFS from RFS under < 386/ix in order to use the large disks on our MV 40000 running < DG/UX. < < Is seems that the only way to prevent root access on the server < under NFS is by appointing one person as the administrator. It < doesn't make much sense to have one person responsible for an < entire network of 386's. He would have to be responsible for < changing the mode of files, killing processes, etc. No one < around here wants grunt work like this. < < Is this really a security issue, or are we misinformed? Is < there a solution? Under Ultrix NFS, you can allow the superuser (root) from a client machine access to a particular user-id (0, for example) on the server. I quote (without permission) from exports(8nfs): -r=uid Map client superuser access to uid on the file sys- tem. If you want to allow client superuser access to the file system with the same permissions as a local superuser, use -r=0. Use the -r=0 option only if you trust the superuser on the client system. The default is -r=-2 which maps superuser to nobody. This limits the access to world readable files. _____________________________________ Brian V. Smith (bvsmith@lbl.gov) Lawrence Berkeley Laboratory I don't speak for LBL, these non-opinions are all mine.