> On Mon, 2004-01-05 at 21:25, Brett Carrington wrote:
> > On Mon, Jan 05, 2004 at 09:14:27PM -0500, Mark Roach wrote:
> > > > This might be encrypted, but hardly secure, for instance if user A has physical access to NFS client
> > > > and user B has physical access to NFS client, what prevents user A from accessing user B's files through VPN?
> > >
> > > File permissions.
> >
> > Even so, you'd have this problem with or without an IPSec VPN. The VPN's
> > job, in this case, is lower-layer encryption. File systems on your
> > host/NFS Client are out of the spectrum of what a VPN can do. A VPN is
> > only going to protect your data from snoopers of NFS packets.
>
> Right, which is why I pointed to file permissions instead of the VPN as
> the protecting factor here. I don't really know what Rohit was
> suggesting as an alternative, but if he thinks there is any security
> mechanism that can protect against all attacks regardless of whether the
> attacker has root, he is mistaken.
>
> <rant>At some point there has to exist a status of "trusted." Unless you want to lock your computer in a vault, set BIOS and LILO passwords, buy a Van Eck cage, and carry your keyboard with you at all times, you are probably better off protecting yourself from the class of attackers who pose an actual (plausible) threat.</rant>

I'm sorry, maybe I did not make myself clear. If my client has access to an NFS file server,
the NFS fileserver depends on my client to establish the UID. That makes file permissions
fairly worthless in my opinion. SMBFS requires authentication to access the network resource and
Linux enhanced smbfs supports all the great UNIX stuff like symlinks and permission bits (although I
do not know about ACLs).

AFS at least demands Kerberos authentication for access to the network resources. It just seems prohibitively
difficult to implement. I was not talking about sniffing packets over the network, just the common situation
where you want one user to have access to a file from a workstation, but another user at the same workstation
to not have access to that file.
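
Added example, not part of the original message or of any poster's code: a check a server administrator could run to see which exports accept the client-asserted UID discussed above. It assumes Linux exports(5) syntax; the sample paths, host names and the function name `audit_exports` are constructed for illustration.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# home directories
/home        ws*.example.org(rw,sync)
/srv/build   10.0.0.0/24(rw,no_root_squash,sec=sys)
/srv/secure  *.example.org(rw,sec=krb5p)
/srv/mixed   gw.example.org(ro,sec=krb5:sys)
"""

# One client entry: optional host pattern, optional "(opt,opt,...)".
ENTRY = re.compile(r"(?P<client>[^\s()]*)(?:\((?P<opts>[^)]*)\))?")


def audit_exports(text):
    """Return (path, client, finding) for every export that trusts the client.

    "auth_sys": AUTH_SYS is accepted, so the server believes whatever UID/GID
    the client machine sends. "no_root_squash": client root is server root.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            match = ENTRY.fullmatch(spec)
            if match is None:
                continue  # skip entry forms this parser does not handle
            client = match.group("client") or "*"  # no host means any client
            opts = [o.strip() for o in (match.group("opts") or "").split(",")]
            explicit = [f for o in opts if o.startswith("sec=")
                        for f in o[4:].split(":")]
            flavors = explicit or ["sys"]  # sec=sys is the default
            if "sys" in flavors:
                findings.append((path, client, "auth_sys"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:18} {finding}")
```

Exports that list only Kerberos flavors (`krb5`, `krb5i`, `krb5p`) produce no finding, because the user identity is then authenticated per user instead of being taken from the client machine.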