NFS

Craig White plug-discuss@lists.PLUG.phoenix.az.us
Mon, 7 May 2001 07:43:36 -0700


> -----Original Message-----
> From: plug-discuss-admin@lists.plug.phoenix.az.us
> [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of
> der.hans
> Sent: Sunday, May 06, 2001 11:49 PM
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Re: NFS
>
>
> On 06 May 2001, Craig White chattered thus:
>
> > and then cd to /home/barney I see all of the folders in barney:/home but
> > most of them report 0 items when I cd into a folder and ls. I presume that
> > the problem has to do with the fact that I am root on my host machine but
> > not really root on the remote machine. How can I mount exported systems as
> > though I am root?
>
> Do you need root access? Without the no_root_squash option Kevin suggested
> root becomes nobody on the remote machine[1].
>
> Watch your UIDs for users if you use nfs. nfs doesn't care about username
> (neither do rservices such as rsh[2]) and uses UID.
>
> username   local UID   remote UID
> anke       300         400
> fred       500         300
> georg      600         500
>
> Anke would have access to Fred's files on the remote box and Fred would be
> able to abuse Georg's files on the remote machine.
>
> Only use no_root_squash if you really need it. Does root on the local box
> really need to have file access as root for files on the remote box?
>
> ciao,
>
> der.hans
>
> [1] This is why web daemons shouldn't run as nobody. User overloading is a
> security problem, e.g. if one protocol/daemon gets cracked you don't want
> the cracker to have perms on the data from the other as well.
>
> [2] Another reason to run ssh as it behaves like us humans would think :),
> e.g. keys on the username, not the UID.
>
---------
no_root_squash was the ticket.

Since this is only for use in my house, I don't think I need to worry about
user abuse beyond the enormous potential for damage that this user offers
;-) I probably wouldn't have needed NFS so badly if I could get that USB CD
to work.

As for SSH working on username instead of UID - I don't think that's really
the case, it's semantically correct but you are really only dealing with one
filesystem as opposed to an NFS mount which crosses the barrier between two
filesystems with separate permissions management. Inside the barriers of my
house (behind the firewall), I can use ftp easily enough but compared to
NFS, it's so clumsy to xfer files.

Or better yet (forward thinking here) - updating Redhat from 6 to 7 is a
clumsy experience. I have client firewalls that I have built using 6. Up
until now, I had to either bring in a hard drive and connect it as a slave
to copy off the conf files. Now, I can bring in my Sony PictureBook and use
NFS - much more painless.

I will bring the PictureBook to the meeting (if I can make it) if there is
interest. I would love to have Kurt look at it and see if there are any
suggestions on how to prevent windows from extending beyond the bottom of
the screen height (480) or better yet, help me implement XFree86-4 to have a
virtual height of 768 like I do on Windows to allow the screen image to
scroll.

Thanks Kevin, Hans, Eden

Craig
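
Added example, not part of the original thread: a small audit that compares the passwd files of an NFS client and server and reports where a client account's numeric UID lands on a different account on the server, which is the mismatch the quoted table describes. The passwd entries are constructed from that table; the function names and finding labels are hypothetical.

```python
# Constructed sample data: passwd(5) lines reproducing the UID table quoted above.
LOCAL_PASSWD = """\
anke:x:300:300::/home/anke:/bin/bash
fred:x:500:500::/home/fred:/bin/bash
georg:x:600:600::/home/georg:/bin/bash
"""
REMOTE_PASSWD = """\
anke:x:400:400::/home/anke:/bin/bash
fred:x:300:300::/home/fred:/bin/bash
georg:x:500:500::/home/georg:/bin/bash
"""

def parse_passwd(text):
    """Return {username: uid} from passwd-format text, skipping malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or line.startswith("#") or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users

def audit_uid_mapping(client_text, server_text):
    """Report client accounts whose UID means something else on the server.

    The server applies permissions by the numeric UID the client sends,
    so each client user is checked against whoever owns that UID remotely.
    """
    client, server = parse_passwd(client_text), parse_passwd(server_text)
    owners_by_uid = {}
    for name, uid in server.items():
        owners_by_uid.setdefault(uid, []).append(name)
    findings = []
    for name, uid in sorted(client.items()):
        others = sorted(o for o in owners_by_uid.get(uid, []) if o != name)
        if others:
            # Client user gets the file permissions of a different server user.
            findings.append((name, uid, "acts-as", ",".join(others)))
        elif name in server and server[name] != uid:
            # Same username, different UID: the user loses access to own files.
            findings.append((name, uid, "uid-mismatch", str(server[name])))
        elif name not in server and uid not in owners_by_uid:
            findings.append((name, uid, "unmapped", ""))
    return findings

if __name__ == "__main__":
    for finding in audit_uid_mapping(LOCAL_PASSWD, REMOTE_PASSWD):
        print(*finding)
```

Run it with the real /etc/passwd contents of both machines before exporting a filesystem; an empty result means every shared account has the same UID on both sides.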