Re: knfsd and system crashes

Andi Kleen (ak@muc.de)
15 Nov 1997 18:07:54 +0100


Martin von Loewis <martin@mira.isdn.cs.tu-berlin.de> writes:

> > Or am I just silly in thinking that a server exporting NFS partitions
> > has any semblance of security?
>
> In essence, yes. The server checks whether it can trust the client at
> mount time. From then on, the client's operating system is trusted
> when it passes information.

That's wrong. Remember that NFS is stateless. NFS filehandles have to be valid
over system crashes, which means that the server has to check every request
by the client completely (in practice it's sped up by a cache, of course).

NFS depends on the authentication of the underlying RPC
mechanism. Current Linux NFS uses 'unix authentication' (it just checks
the source address and optionally that the port number is <1024, and then
trusts the supplied user id - very insecure). The new Linux NFS has
hooks for stronger authentication (DES SecureRPC - still not 100%
secure, but better than Unix auth, or Kerberos); the code for this even
existed in Olaf Kirch's linux-nfs distribution but had to be taken out
when the code was integrated into the kernel because of the stupid US
laws. The SecureDES code is still available from
ftp://ftp.mathematik.th-darmstadt/pub/linux/okir/ I think, in case
someone is interested in doing a nice patch distribution of SecureRPC.

-Andi
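The 'unix authentication' described in the reply above is AUTH_UNIX (also called AUTH_SYS) from the ONC RPC specification (RFC 1057): the credential carries a timestamp, a machine name, a uid, a gid and up to 16 supplementary gids, all written by the client. The following is an added illustration, not code from the thread or from the Linux NFS server: it parses that XDR-encoded credential and applies exactly the checks AUTH_UNIX leaves to the server (source address against the export list and, optionally, a privileged source port), so the reader can see that the uid/gid fields are never verified by anything on the wire. The export set, addresses and sample credential are constructed for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Set

# RFC 1057 9.2 limits for AUTH_UNIX credentials.
MAX_MACHINENAME = 255
MAX_GIDS = 16


@dataclass
class AuthUnixCred:
    stamp: int
    machinename: str
    uid: int
    gid: int
    gids: List[int] = field(default_factory=list)


def _xdr_u32(buf: bytes, off: int):
    """Read one big-endian 32-bit XDR unsigned int; reject short buffers."""
    if off + 4 > len(buf):
        raise ValueError("truncated credential")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _xdr_string(buf: bytes, off: int, maxlen: int):
    """Read an XDR string: u32 length, bytes, zero padding to a 4-byte boundary."""
    n, off = _xdr_u32(buf, off)
    if n > maxlen:
        raise ValueError("string exceeds protocol limit")
    end = off + n
    if end > len(buf):
        raise ValueError("truncated string")
    value = buf[off:end].decode("ascii")
    return value, end + ((-n) % 4)


def parse_auth_unix(body: bytes) -> AuthUnixCred:
    """Decode the opaque body of an AUTH_UNIX credential."""
    stamp, off = _xdr_u32(body, 0)
    name, off = _xdr_string(body, off, MAX_MACHINENAME)
    uid, off = _xdr_u32(body, off)
    gid, off = _xdr_u32(body, off)
    count, off = _xdr_u32(body, off)
    if count > MAX_GIDS:
        raise ValueError("too many supplementary gids")
    gids = []
    for _ in range(count):
        g, off = _xdr_u32(body, off)
        gids.append(g)
    if off != len(body):
        raise ValueError("trailing bytes in credential")
    return AuthUnixCred(stamp, name, uid, gid, gids)


def encode_auth_unix(cred: AuthUnixCred) -> bytes:
    """Inverse of parse_auth_unix; used here only to build the constructed sample."""
    name = cred.machinename.encode("ascii")
    out = struct.pack(">II", cred.stamp, len(name)) + name + b"\0" * ((-len(name)) % 4)
    out += struct.pack(">III", cred.uid, cred.gid, len(cred.gids))
    out += b"".join(struct.pack(">I", g) for g in cred.gids)
    return out


def accept_request(src_ip: str, src_port: int, cred: AuthUnixCred,
                   exports: Set[str], require_privileged_port: bool = True) -> bool:
    """Everything AUTH_UNIX lets the server verify about a request.

    The only inputs that come from outside the client's control are the
    source address and source port of the packet. cred.uid and cred.gid are
    accepted verbatim from the wire, which is why the reply calls this
    scheme very insecure: a host that can reach the server and use a low
    port can claim any uid, including 0.
    """
    if src_ip not in exports:          # host is not in the export list
        return False
    if require_privileged_port and src_port >= 1024:   # the optional <1024 check
        return False
    return True                        # uid/gid are trusted as supplied


# Constructed sample: a client calling itself "client", claiming uid 0 / gid 0.
SAMPLE_CRED = encode_auth_unix(AuthUnixCred(0x1234, "client", 0, 0, [0, 10]))
SAMPLE_EXPORTS = {"10.0.0.5"}   # hypothetical export list

if __name__ == "__main__":
    cred = parse_auth_unix(SAMPLE_CRED)
    print(cred)
    print("accepted from 10.0.0.5:700 ->", accept_request("10.0.0.5", 700, cred, SAMPLE_EXPORTS))
    print("accepted from 10.0.0.5:40000 ->", accept_request("10.0.0.5", 40000, cred, SAMPLE_EXPORTS))
```

The parser enforces the RFC's length limits and rejects truncated or over-long bodies, which is the part a server must get right; the acceptance function makes the trust boundary explicit: once the address and port checks pass, the claimed identity is taken at face value. That is the gap SecureRPC's DES-based credentials were meant to close.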