NFS Security: a summary

R.H. coast near the top geoff at eagle_snax.UUCP
Mon Sep 12 10:32:11 AEST 1988


In article <3e5d8f8f.13422 at apollo.COM>, mishkin at apollo.COM (Nathaniel Mishkin) writes:
> Not even to mention an IBM PC that supports UDP/IP.  Bring up SUN RPC
> and start making those NFS requests with the uid of your choice.  Even
> simpler, you could just start with PC/NFS.
C'mon, Nat, I'll buy you a Samuel Smith's ale if you can correctly patch all
of the PC-NFS internal data structures to do this. The only reasonable
way of breaking it would be to run a rogue PCNFSD somewhere, which (once
again) assumes super-user access on some system.

When people point out the lack of security in the current generation of
distributed architectures, I usually reply that the mechanisms are there
to stop people from making fools of themselves (e.g. inadvertently
deleting a colleague's file, or maybe an OS file) or from stumbling across
material they shouldn't see. In most of the companies we work for, the
real security is on the periphery of the building, network, whatever:
inside the shell we usually make the convenience/security trade-off
in favor of convenience. Fortunately personal idiosyncrasy and
love of complexity provide a second line of defense through intimidation...

>   Ah, what a fool's paradise we're all living in. 

Just focus on the "paradise" bit :-)

>                     -- Nat Mishkin
-- 
Geoff Arnold, Sun Microsystems Inc.+------------------------------------------+ 
PC Distrib. Sys. (home of PC-NFS)  |If you do nothing, you will automatically |
UUCP:{hplabs,decwrl...}!sun!garnold|receive our Disclaimer of the Month choice|
ARPA:geoff at sun.com                 +------------------------------------------+


