undefined | Better HN

0 pointsmmh00004d ago0 comments

Sure, if you (the admin) have full control over the NFS server, the network, and the client devices, NFS can be secure with the help of Kerberos. But this isn't a simple thing. A Kerberos server needs to be set up, Kerberos clients need to be configured on the NFS server and client, tickets need to be issued, firewall ports need to be opened, and user accounts need to be centrally managed. That's all fine for an Enterprise.

Now, how about this common scenario: I want to run a file-sharing server on my network. I want a random "friend" to come over and grab a copy of a file, but I don't want them to see any other files on the NFS server.

So, the "friend" has root access on their device. They can just log in and lie to the NFS server, claim they're my UID, and see all my files that I didn't want them to access. Configuring KRB in that scenario is totally impractical.

0 comments

skydhash4d ago

> Now, how about this common scenario: I want to run a file-sharing server on my network. I want a random "friend" to come over and grab a copy of a file, but I don't want them to see any other files on the NFS server.

How is that a common scenario? Why not give them your drive and the encryption key while you’re at it? It would be way faster.

The correct scenario would be to just copy the file and serve it with ftp or http on another interface.

mmh0000OP4d ago

Ah, so you agree NFS is not fit for purpose (network file sharing), and I should use something else to share files over the network.

EDIT (the above is a bit more snark than I intended, let me add a little more):

NFS's direct (still widely used) competitor, SMB, natively supports:

  - Authentication
  - Transfer encryption
  - Authentication encryption
  - Has open implementations across platforms
  - Supports individual account management, and large enterprisey account management (LDAP/AD/etc)

With SMB, I can share out a directory on the network that allows visitors access, optionally authenticated with a simple username and password.

I can share out specific directories with easy control over who can access what. You know, basic network file sharing capabilities.

[[ And, don't take this as a love for SMB, it too has many issues and legacy junk ]]

skydhash4d ago

> Ah, so you agree NFS is not fit for purpose (network file sharing), and I should use something else to share files over the network

NFS stands for Network File System, not Network File Sharing. If you gave a disk to someone, the permission bits wouldn’t stand for anything too.

j / k navigate · click thread line to collapse

0 comments

skydhash4d ago

How is that a common scenario? Why not give them your drive and the encryption key while you’re at it? It would be way faster.

The correct scenario would be to just copy the file and serve it with ftp or http on another interface.

mmh0000OP4d ago

Ah, so you agree NFS is not fit for purpose (network file sharing), and I should use something else to share files over the network.

EDIT (the above is a bit more snark than I intended, let me add a little more):

NFS's direct (still widely used) competitor, SMB, natively supports:

  - Authentication
  - Transfer encryption
  - Authentication encryption
  - Has open implementations across platforms
  - Supports individual account management, and large enterprisey account management (LDAP/AD/etc)

With SMB, I can share out a directory on the network that allows visitors access, optionally authenticated with a simple username and password.

I can share out specific directories with easy control over who can access what. You know, basic network file sharing capabilities.

[[ And, don't take this as a love for SMB, it too has many issues and legacy junk ]]

skydhash4d ago

> Ah, so you agree NFS is not fit for purpose (network file sharing), and I should use something else to share files over the network

NFS stands for Network File System, not Network File Sharing. If you gave a disk to someone, the permission bits wouldn’t stand for anything too.

j / k navigate · click thread line to collapse