Subject: Re: NFS and reserved ports
To: Jim Reid <firstname.lastname@example.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
Date: 03/24/1997 06:26:30
Jim Reid <email@example.com> writes:
> [The default should of course be to have whatever
>security features - such as they are - enabled. That way someone has
>to do something to turn off security checking rather than the other
The counter-argument is, of course, that since in many environments
these options provide no added security, the defaults should be to
disable the checks, so that someone who thinks they're obtaining
``security'' has at least read a manpage and knows how much security
they're really getting.
>While I'm here, maybe someone should be - already is? -
>looking at some way of reducing the exposure and/or guessability of
You mean, better than the fsirand in the tree? Not that I know of.
Kerberos authentication on mountd requests for file handles sort-of
work, if you assume a single user per workstation. The other common
alternative is `secure RPC', encrypting the RPCs for each NFS
operation, which gets very expensive very quickly.