steveb at creek-and-cowley.com
Fri Aug 2 08:45:17 PDT 2002

On Fri, 2002-08-02 at 17:36, Matthias Benkmann wrote:
> First of all, no one said that you need to use all_squash for users' home
> directories. You should use all_squash for exported system directories.

Persuasive... I hadn't thought it through; of course system directories
don't generally get exported in the first place. I'm going to try this
next rebuild. Personally, I don't know if I'd bother with different
users for EACH package, as I'm more interested in the security aspects
than the package management stuff. I think I'll just categorize them.

> Secondly if you use NFS-mounted home directories you are exposing all of
> your user accounts to an attacker. ...The real
> problem is simply that NFS is insecure by design and should not be used in
> an environment where physical access to the network is unprotected.

True enough, and we all know it, but griping doesn't do any good without
a practical alternative. Coda seems to be dead in the water, Intermezzo
still doesn't make it, and AFS/arla looks promising but also looks to
need a lot more support in Linux. So for practical centralized file
sharing between Linux machines, NFS is IT for the foreseeable future,
except maybe for user-space non-transparent stuff involving SSH, and a
system built to network has to take that into account.

Creek & Cowley Consulting