Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!uunet!inpnms!logan From: logan@inpnms.UUCP (Jim Logan) Newsgroups: comp.unix.i386 Subject: Re: RFS is by far better that NFS! Message-ID: <221@inpnms.UUCP> Date: 15 Dec 89 16:20:49 GMT References: <218@inpnms.UUCP> Reply-To: logan@inpnms.UUCP (Jim Logan) Distribution: na Organization: Data General Telecommunications, Rockville, MD Lines: 46 In article bitbug@lonewolf.sun.com (James Buster) writes: # In article <218@inpnms.UUCP> logan@inpnms.UUCP (Jim Logan) writes: # > We all have 386's on our desks running RFS and have enjoyed # > having root access to our machines, but not on the server. From # > what we have read, this is not possible under NFS. Is this true? # > # > We are in the process of changing over to NFS from RFS under # > 386/ix in order to use the large disks on our MV 40000 running # > DG/UX. # > # > Is seems that the only way to prevent root access on the server # > under NFS is by appointing one person as the administrator. It # > doesn't make much sense to have one person responsible for an # > entire network of 386's. He would have to be responsible for # > changing the mode of files, killing processes, etc. No one # > around here wants grunt work like this. # > # > Is this really a security issue, or are we misinformed? Is # > there a solution? # # I'm not sure what question you are asking? Do you mean, # does a root user on the client have normal root file access # permissions on file systems mounted from the server, or is # a root user on the client able to log into the server as root? No, I was a bit too vague in my original posting. Let me rephrase in more detail. Given a server with user IDs 101, 102, and 103, and a client having only UID 101, anyone with root access on the client can access files owned by UIDs 102 and 103. This is a big security hole if it is true. As I understand it, there is no way to have a user on the server that is unmappable on a client. For instance, we have the user "scm" (source-code management) on the host that owns the files that we release. These files cannot (and should not) be modified in any way by a user on a client, since "scm" maps to a bogus UID on a client under RFS. We simply want the same, or equivalent, functionality from NFS. Can it be done? -- James Logan UUCP: uunet!inpnms!logan Data General Telecommunications Inet: logan%inpnms@uunet.uu.net (301) 590-3069