Sunday, July 25, 2010

nfsd privileged port

http://mars.netanya.ac.il/~unesco/cdrom/LDP/NFS/HTML_FORMAT/NFS-HOWTO-6.html

Another important thing is to ensure that nfsd checks that all its requests come from a privileged port. If it accepts requests from any old port on the client a user with no special privileges can run a program that is easy to obtain over the Internet. It talks nfs protocol and will claim that the user is anyone the user wants to be. Spooky. The Linux nfsd does this check by default, on other OSes you have to enable this check yourself. This should be described in the nfsd man page for the OS.

Another thing. Never export a file system to 'localhost' or 127.0.0.1. Trust me.

The newer version says:
http://nfs.sourceforge.net/nfs-howto/ar01s06.html
The TCP ports 1-1024 are reserved for root's use (and therefore sometimes referred to as "secure ports"). A non-root user cannot bind these ports. Adding the secure option to an /etc/exports means that it will only listen to requests coming from ports 1-1024 on the client, so that a malicious non-root user on the client cannot come along and open up a spoofed NFS dialogue on a non-reserved port. This option is set by default.

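The old version says to trust only clients that connect from ports below 1024, and not to allow connections from localhost. That makes some sense: if you trust connections from localhost on ports above 1024, they could be forged.
But doing just one of the two should be enough, shouldn't it? An external connection could be fake whether or not it comes from a port below 1024.

I don't know why the Linux implementation still works this way.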

On the Mac, mount_nfs has to be given
-o resvport
Use a reserved socket port number. This is useful for mounting
servers that require clients to use a reserved port number on the
mistaken belief that this makes NFS more secure. (For the rare
case where the client has a trusted root account but untrustworthy
users and the network cables are in secure areas this does
help, but for normal desktop clients this does not apply.)

In other words, this is basically of no use at all.

Without this option, you get: /Volumes/nfs: Permission Denied

Or add insecure to /etc/exports on the NFS server.
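
An added example, not from the original post or the NFS HOWTO: a small Python check of a Linux-style /etc/exports for the two things the quoted HOWTO text warns about, entries that carry insecure (so the source port is not checked) and entries exported to localhost or 127.0.0.1. The sample file, the host names and the audit_exports function are constructed for illustration.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1"}

# Constructed sample, not taken from a real server.
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/srv/home   192.0.2.0/24(rw,sync)
/srv/mac    192.0.2.50(rw,insecure)
/srv/build  localhost(rw) build1.example(ro)
/srv/www    -insecure,ro web1.example \\
            web2.example(secure)
"""

def audit_exports(text):
    """Return sorted (path, client, finding) tuples for risky export entries."""
    findings = []
    # A trailing backslash continues the entry on the next line.
    logical = re.sub(r"\\\n", " ", text).splitlines()
    for line in logical:
        fields = line.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) < 2:
            continue
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):               # "-opt,opt": defaults for later clients
                defaults = field[1:].split(",")
                continue
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", field)
            if not m:
                continue
            client = m.group(1) or "*"              # "(opts)" alone applies to any host
            opts = defaults + (m.group(2) or "").split(",")
            insecure = False                        # "secure" is the Linux default
            for opt in opts:                        # last secure/insecure keyword wins
                if opt in ("secure", "insecure"):
                    insecure = (opt == "insecure")
            if insecure:
                findings.append((path, client, "insecure: source port not checked"))
            if client.lower() in LOOPBACK:
                findings.append((path, client, "exported to loopback"))
    return sorted(findings)

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}\t{client}\t{finding}")
```
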
