OpenSSH Trojan

Steve Bougerolle steveb at creek-and-cowley.com
Fri Aug 2 08:45:17 PDT 2002


On Fri, 2002-08-02 at 17:36, Matthias Benkmann wrote:

> First of all, no one said that you need to use all_squash for users' home
> directories. You should use all_squash for exported system directories. 

Persuasive... I hadn't thought it through; of course system directories
don't generally get exported in the first place.  I'm going to try this
next rebuild.  Personally, I don't know if I'd bother with different
users for EACH package, as I'm more interested in the security aspects
than the package management stuff.  I think I'll just categorize them.

> Secondly if you use NFS-mounted home directories you are exposing all of
> your user accounts to an attacker. ...The real
> problem is simply that NFS is insecure by design and should not be used in
> an environment where physical access to the network is unprotected.

True enough, and we all know it, but griping doesn't do any good without
a practical alternative.  Coda seems to be dead in the water, Intermezzo
still doesn't make it, and AFS/arla looks promising but also looks to
need a lot more support in Linux.  So for practical centralized file
sharing between Linux machines, NFS is IT for the foreseeable future,
except maybe for user-space non-transparent stuff involving SSH, and a
system built to network has to take that into account.

-- 
Steve Bougerolle
Creek & Cowley Consulting

http://www.creek-and-cowley.com
