<blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">On Tue, Aug 24, 2010 at 8:53 AM, James <span dir="ltr">&lt;<a href="mailto:jucziz6@gmail.com">jucziz6@gmail.com</a>&gt;</span>
wrote:<br>I
have read articles that state that NFS is insecure but those<br>
articles are many years old. Is it still insecure?<br></blockquote><br>Pretty much. NFSv4, if it ever arrives in the form of a full implementation, could possibly be better. NFSv4 pretty much solves all of the caching/scaling issues inherent in NFS (theoretically a legitimate AFS replacement) along with world hunger, etc... you get the idea. <br>
<br>The issue isn't the presence or absence of encryption within the filesystem implementation, it is how NFS builds its trust models, which necessitates a lot of extra engineering to lock down an NFS environment. For example, any sane NFS environment will be configured by default not to trust that a transaction against the file system initiated by root is really root. If the NFS server grants mounts to any machine on the network then root on any machine can browse your file system and start cruising for setuid binaries to target for trojans in hopes of getting a shell on a different host. But, eventually you'll need to perform operations on the filesystem or files as root, which leads to having a few machines in the environment "root trusted". <br>
<br>So you have a list of "trusted hosts" - but how is identity established for the host? It can be host names or IP addresses - both of which can be spoofed easily enough. So locking down your NFS environment implies a secure way to manage identity of both users and hosts and other network resources. (Kerberos?)<br>
<br>It's when you start thinking about large-scale NFS implementations that some of the benefits of Active Directory manifest. And I think in point of fact you can use LDAP + Kerberos to harden an NFS environment. I've seen the conversion to using ACLs in LDAP go less than smoothly. I'm not totally familiar with this dimension of NFS administration so I'd suggest doing some research. <br>
<br>NFS has some other limitations too due to its design, like the fact that the "last close" problem has no solution on NFSv3. NFSv4 may be able to handle that. I think NFSv4 has been "right around the corner" for close to a decade now. It's the Duke Nukem Forever of file systems. ;) <br>
<br>-Rob<br><br><br>
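The trust decisions described in the reply above (root squashing, which hosts may mount, and how identity is established) all appear in a Linux server's <code>/etc/exports</code>. The following audit sketch is an added example, not part of the original message; it assumes Linux exports(5) syntax, and the sample file, host names and finding labels are constructed for illustration.<br>

```python
import re

# Constructed sample in Linux exports(5) syntax; hosts and paths are made up.
SAMPLE_EXPORTS = """\
/srv/home     *(rw,sync)
/srv/build    10.0.0.0/24(rw,no_root_squash) admin1.example.org(rw,sec=krb5p,no_root_squash)
/srv/projects *.example.org(rw,sec=krb5p,root_squash)
/srv/pub      (ro)
"""

CLIENT = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")  # host(opts) | host | (opts)

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()  # assumes no quoted paths with spaces
        for spec in clients:
            m = CLIENT.fullmatch(spec)
            if m is None:
                continue
            host = m.group(1)
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            flavors = {"sys"}  # exports(5) default when sec= is absent
            for o in opts:
                if o.startswith("sec="):
                    flavors = set(o[4:].split(":"))
            # Any machine on the network may mount this export.
            if host in ("", "*"):
                findings.append((path, host, "any-host"))
            # Root on the client is treated as root on the server.
            if "no_root_squash" in opts:
                findings.append((path, host, "root-trusted"))
            # AUTH_SYS: server accepts the UID the client claims, and the
            # client itself is identified only by address or host name.
            if "sys" in flavors:
                findings.append((path, host, "auth-sys"))
    return findings

if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {host or '<world>':22} {finding}")
```

An entry that is both <code>root-trusted</code> and <code>auth-sys</code> is the "root trusted" host case from the reply with nothing but an address behind it; those are the entries to move to a Kerberos flavor first.<br>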