RFS is by far better that NFS!
Jim Logan
logan at inpnms.UUCP
Sat Dec 16 03:20:49 AEST 1989
In article <BITBUG.89Dec14220256 at lonewolf.sun.com>
bitbug at lonewolf.sun.com (James Buster) writes:
# In article <218 at inpnms.UUCP> logan at inpnms.UUCP (Jim Logan) writes:
# > We all have 386's on our desks running RFS and have enjoyed
# > having root access to our machines, but not on the server. From
# > what we have read, this is not possible under NFS. Is this true?
# >
# > We are in the process of changing over to NFS from RFS under
# > 386/ix in order to use the large disks on our MV 40000 running
# > DG/UX.
# >
# > Is seems that the only way to prevent root access on the server
# > under NFS is by appointing one person as the administrator. It
# > doesn't make much sense to have one person responsible for an
# > entire network of 386's. He would have to be responsible for
# > changing the mode of files, killing processes, etc. No one
# > around here wants grunt work like this.
# >
# > Is this really a security issue, or are we misinformed? Is
# > there a solution?
#
# I'm not sure what question you are asking? Do you mean,
# does a root user on the client have normal root file access
# permissions on file systems mounted from the server, or is
# a root user on the client able to log into the server as root?
No, I was a bit too vague in my original posting. Let me
rephrase in more detail.
Given a server with user IDs 101, 102, and 103, and a client
having only UID 101, anyone with root access on the client
can access files owned by UIDs 102 and 103.
This is a big security hole if it is true. As I understand it,
there is no way to have a user on the server that is unmappable
on a client. For instance, we have the user "scm" (source-code
management) on the host that owns the files that we release.
These files cannot (and should not) be modified in any way by a
user on a client, since "scm" maps to a bogus UID on a client
under RFS. We simply want the same, or equivalent, functionality
from NFS. Can it be done?
--
James Logan UUCP: uunet!inpnms!logan
Data General Telecommunications Inet: logan%inpnms at uunet.uu.net
(301) 590-3069
More information about the Comp.unix.i386
mailing list