"public NFS" on freedesktop.org ? / was: Re: [Xorg] Anon Ftp on freedesktop.org?

Roland Mainz roland.mainz at nrubsig.org
Mon May 24 10:28:11 PDT 2004


Sean Middleditch wrote:
> > > > ... when we are thinking about this... what about having a "public NFS"
> > > > server, too (which means: People can mount a certain directory (like the
> > > > root dir of the ftp space) _READ_ _ONLY_ ?
> > >
> > > There have been too many remote root exploits of RPC and NFS for me to be
> > > comfortable with this.
> >
> > Erm... you only have to open the NFS port in the kernel firewall so
> > other RPC services are not affected. And there are far more exploits out
> 
> NFS itself is an RPC service, and the core RPC service itself has been
> severely flawed in the past.  Opening *any* service that uses RPC is
> dangerous.

Did you read RFC 2054 ("WebNFS Client Specification") yet? I am talking
about opening _ONE_ port, not all RPC ports. "portmap" ports would NOT be open
in this case.

> > there for ftp daemons than the NFS daemon (this issue isn't really that
> 
> That is a fairly worthless statement.  ;-)  There have been a lot of
> security flaws in certain FTP daemons, yes.  That has absolutely no
> effect on whether the NFS daemon is secure or not.  Comparing apples and
> buicks.

I am not comparing apples and buicks, I am trying to explain that a
public, readonly WebNFS server isn't a larger security threat than an ftp
server. We're doing that here to share CD images for the various
distributions and a couple of Linux distributions do the same.

> > security sensitive since there are a couple of public NFS servers for
> > Debian packages...) ... :)
> 
> And there are plenty of Windows users connecting their home machines
> right into a cable modem with no firewall and sharing their hard-drives
> with everyone on their local block over CIFS.  Doesn't mean it's good
> practice.

Please define "good practice". The idea is much better than letting
people download large packages or CD images via ftp - they could
directly work on the shared files themselves.

-----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 7950090
 (;O/ \/ \O;)
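The thread's claim rests on the export actually being read-only. Below is an added example, not code from this mailing-list thread or from freedesktop.org, that lints exports(5)-style text for the properties a public share needs: every client entry states `ro`, nothing is `rw`, and root is not left unsquashed. The sample exports content and the path names in it are constructed for illustration.

```python
"""Lint /etc/exports-style text for a public, read-only NFS share.

Added example (not from the mailing-list thread). It flags any export
that is read-write, that does not state `ro` explicitly, or that keeps
`no_root_squash`. The sample below is constructed, not a real file.
"""
import re

# Constructed sample of what an admin might have in /etc/exports.
SAMPLE_EXPORTS = """\
# public mirror, read-only for everyone
/srv/ftp    *(ro,root_squash,all_squash,sync)
# internal build tree, should never be public
/srv/build  10.0.0.0/8(rw,no_root_squash) *(ro)
/home       *(rw)
"""

# client(opt,opt,...)  or a bare client with no option list
_CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Yield (path, client, options) tuples from exports(5)-style text.

    Comments and blank lines are skipped; a line may carry several client
    entries. A client without an option list yields an empty tuple, and a
    bare path with no client at all is treated as exported to "*".
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        if len(parts) == 1:
            yield (path, "*", ())
            continue
        for m in _CLIENT_RE.finditer(parts[1]):
            if m.group(1) is not None:
                opts = tuple(o.strip() for o in m.group(2).split(",") if o.strip())
                yield (path, m.group(1), opts)
            else:
                yield (path, m.group(3), ())


def audit_public_export(text):
    """Return [(path, client, problem), ...] for every entry that is not a
    safe read-only export. An empty list means the file passes."""
    problems = []
    for path, client, opts in parse_exports(text):
        optset = set(opts)
        if "rw" in optset:
            problems.append((path, client, "exported read-write"))
        elif "ro" not in optset:
            # exportfs defaults to ro, but a public share should say so.
            problems.append((path, client, "read-only not stated explicitly"))
        if "no_root_squash" in optset:
            problems.append((path, client, "root not squashed"))
    return problems


if __name__ == "__main__":
    for path, client, problem in audit_public_export(SAMPLE_EXPORTS):
        print(f"{path} {client}: {problem}")
```

Run it against a real file with `audit_public_export(open("/etc/exports").read())`; only the `/srv/ftp` entry in the sample passes, which is the shape of export the thread is arguing about. The firewall side of the argument (allowing only the NFS port and not portmap) is not something an exports file can show, so it is left out here.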