Subject: Re: NFS and reserved ports
To: Jonathan Stone <jonathan@dsg.stanford.edu>
From: Perry E. Metzger <perry@piermont.com>
List: tech-security
Date: 03/24/1997 19:36:15
Jonathan Stone writes:
> >I do not disagree that NFS security is low, however, without random
> >generation numbers, it doesn't exist at all -- anyone on the internet
> >can grab your files.
[...]
> But the behaviour of checking mount requests and not the actual RPCS
> is broken. Why don't we *fix* it? We could change the NFS server to
> check the ACLs for each NFS RPC, rather than just checking the mount
> requests?
1) way too slow.
2) what if someone, wanting to get access to your machine, simply
forges a write request? Its not like IP source addresses are real
authentication, anyway. Random generation numbers help a bit, but...
> (Or if it's ``too slow'', adding an option to do the
> checks, defaulting to "do the /exports ACL checks".)
If you only turn it off all the time, what was the point?
Perry