NFSv3 (was: Re: [BBLISA] Secure, authenticated file serving to untrusted clients)
Benjamin Cline
brc at peppermint.org
Sat Apr 18 23:28:20 EDT 2009
Dean Anderson wrote:
>> If you can establish a tcp connection to an NFS(v3) (and are in the
>> acl list), there is NOTHING an NFS server can do to prevent you from
>> accessing every file on the share. If you control every node on the
>> network, you can attempt to secure the clients so users can't get root,
>> but what about the scenario of a userspace NFS client pretending to be
>> root?
>
> NFSv3 uses UDP, and was designed to be a stateless protocol. But the
> server can also be configured to ignore root, or be read-only. NFSv3 is
> definitely 'cooperative' only.
>
Actually, you're both right. NFS version 3 can use either TCP or UDP for
transport[1].
Benji
[1] RFC1813 - NFS Version 3 Protocol Specification Section 2.3
(Transport address)
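
An added example, not part of either poster's message: a small auditor that flags the export settings this thread turns on (host list, root handling, read-only, and whether client-supplied uids are believed). It assumes Linux exports(5) syntax and defaults; the sample file and the finding names are constructed for illustration.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
/srv/home    10.0.0.0/24(rw,root_squash)
/srv/scratch *(rw,no_root_squash)
/srv/pub     *.example.org(ro,all_squash)
/srv/secure  10.0.0.0/24(rw,sec=krb5p)
"""

ENTRY_RE = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")

def audit_exports(text):
    """Return [(path, client, [findings])] for every client entry."""
    results = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or no client list
        path = fields[0]
        for token in fields[1:]:
            m = ENTRY_RE.match(token)
            if not m:
                continue
            client = m.group(1) or "*"   # "(opts)" alone means every host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            flavors = {"sys"}             # default when sec= is absent
            for o in opts:
                if o.startswith("sec="):
                    flavors = set(o[4:].split(":"))
            findings = []
            if client == "*":
                findings.append("any-host")
            # AUTH_SYS: the server believes the uid/gid in each request.
            # root_squash remaps only uid 0; all_squash remaps every id.
            if "sys" in flavors and "all_squash" not in opts:
                findings.append("client-asserted-ids")
            if "no_root_squash" in opts:
                findings.append("root-trusted")
            if "rw" in opts:
                findings.append("writable")
            results.append((path, client, findings))
    return results

if __name__ == "__main__":
    for path, client, findings in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:16} {', '.join(findings) or 'ok'}")
```

The first sample line shows the gap between the two quoted positions: root_squash is set, yet the export is still reported as "client-asserted-ids" because every non-zero uid is taken on the client's word.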