[BBLISA] Secure, authenticated file serving to untrusted clients

Michael Sprague mfs at komerex.com
Fri Apr 17 20:35:25 EDT 2009


Dean Anderson wrote:
> There are options to NFS to not trust root, which prevents accidental
> root problems, but provides no protection against malicious root
> problems. NFSv4 and AFS are a little better--you have to steal Kerberos
> credentials, but this isn't real hard if you have root on the
> workstation and the target of hostile activity also logs in and exposes
> their KRB ticket and password to theft.  NFSv4 and AFS are pretty good
> against untrusted root users where the target of malice probably won't
> log into the untrusted computer.  Beyond that, all network computing
> suffers the same weakness. If you can't trust root, you are sunk: you
> can't obtain secure computing from an unsecure, untrusted computer.
> 
> This also has implications for software.  If you can't trust the
> distribution of critical software (e.g. the OS), then you are sunk.  
> I've been watching the activity of a project that is untrustworthy and
> how that project is interacting with OS distros.  We used to worry
> about hackers breaking into source code repositories. What happens when
> hackers operate the source code repository?

I could be way off base here, but couldn't you use something like 
grsecurity or SELinux to prevent even root from doing anything bad to 
the network attached storage?  That's basically what we do where I work 
and we use grsecurity.

thanks,
mikeS

-- 
Michael F. Sprague
mfs at komerex.com



