[BBLISA] Secure, authenticated file serving to untrusted clients

Dean Anderson dean at av8.com
Fri Apr 17 19:27:54 EDT 2009


There are options to NFS to not trust root, which prevents accidental
root problems, but provides no protection against malicious root
problems. NFSv4 and AFS are a little better--you have to steal kerberos
credentials, but this isn't real hard if you have root on the
workstation and the target of hostile activity also logs in and exposes
their KRB ticket and password to theft.  NFSv4 and AFS are pretty good
against untrusted root users where the target of malice probably won't
log into the untrusted computer.  Beyond that, all network computing
suffers the same weakness. If you can't trust root, you are sunk: you
can't obtain secure computing from an unsecure, untrusted computer.

This also has implications for software.  If you can't trust the
distribution of critical software (e.g. the OS), then you are sunk.  
I've been watching the activity of a project that is untrustworthy and
how that project is interacting with OS distros.  We used to worry
about hackers breaking into source code repositories. What happens when
hackers operate the source code repository?

		--Dean

On Wed, 15 Apr 2009, Ben Eisenbraun wrote:

> 
> Howdy,
> 
> I'm looking for a file serving method that lets me securely share files out
> to clients with untrusted root users.*  I.e. if user home directories are on
> a read-write network volume, I want to stop root on a workstation from doing:
> 
> rm -rf ~user
> 
> or
> 
> su - user
> rm -rf ~
> 
> * Yes, I know that if someone has root on the workstation, then all bets 
> are off, since they can trojan kinit to collect passphrases, steal tickets, 
> etc.  I'm just trying to raise the bar significantly higher than the
> standard NFS level of (in)security.
> 
> From what I understand of NFSv4, if I set it up to use kerberos, then I can
> do this, since only a user with a valid kerberos ticket will be able to
> access the files on the share.  It seems like a kerberized solution could 
> work here, but I'm not sure what protocol to use.
> 
> I'm looking for a solution that would work on Linux and OS X.  The NFSv4
> support is fairly limited under OS X right now.  Can Samba/CIFS do this?
> AFS?  Other?
> 
> -ben 
> 
> --
> in order to create anything, one must first start with something that is 
> not the thing being created.                            <phillip j. eby>
> 
> _______________________________________________
> bblisa mailing list
> bblisa at bblisa.org
> http://www.bblisa.org/mailman/listinfo/bblisa
> 
> 

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
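The distinction Dean draws above (root_squash guards against accidents, only Kerberos-authenticated NFS ties access to the user's own credentials) can be turned into a small audit. The script below is an added example, not from the thread or from any project: it reads a Linux exports(5)-style file and reports every client entry that still accepts AUTH_SYS, where the server trusts whatever uid the client claims. The sample exports file it writes is constructed for the demo.

```shell
#!/bin/sh
# Added audit of a Linux /etc/exports file (not from the thread). With AUTH_SYS
# (sec=sys, the exports(5) default) the server trusts the uid the client claims,
# so root_squash only remaps uid 0 and root on the client can still "su - user".
# Only sec=krb5/krb5i/krb5p ties access to a ticket; a ":sys" fallback undoes it.
audit_exports() {
    awk '
    {
        sub(/#.*/, "")                       # drop comments
        if (NF < 2) next                     # need a path and a client entry
        path = $1
        for (i = 2; i <= NF; i++) {
            entry = $i; opts = ""; client = entry
            if (match(entry, /\(.*\)/)) {    # split "client(opts)"
                opts = substr(entry, RSTART + 1, RLENGTH - 2)
                client = substr(entry, 1, RSTART - 1)
            }
            if (client == "") client = "*"   # "/path (rw)" exports to everyone
            sec = "sys"                      # exports(5) default flavour
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            if (sec ~ /(^|:)sys($|:)/) {
                squash = "root_squash"
                if (opts ~ /(^|,)no_root_squash(,|$)/) squash = "no_root_squash"
                else if (opts ~ /(^|,)all_squash(,|$)/) squash = "all_squash"
                printf "AUTH_SYS %s %s sec=%s %s\n", path, client, sec, squash
                found++
            }
        }
    }
    END { exit (found > 0 ? 1 : 0) }         # exit 1 when any entry is AUTH_SYS
    ' "$1"
}

# Constructed sample exports file for the demo (not a real host's config)
SAMPLE="${TMPDIR:-/tmp}/exports.sample.$$"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# home dirs: root_squash alone still trusts the uid the client claims
/home       192.168.1.0/24(rw,sync,root_squash)
/export/pub *(ro,all_squash)
/home/krb   lab.example.com(rw,sync,sec=krb5p)  old.example.com(rw,sec=krb5p:sys)
EOF
if audit_exports "$SAMPLE"; then
    echo "all exports require Kerberos"
else
    echo "AUTH_SYS exports present: use sec=krb5p (without :sys) for home directories"
fi
```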