"public NFS" on freedesktop.org ? / was: Re: [Xorg] Anon Ftp on freedesktop.org?
Roland Mainz
roland.mainz at nrubsig.org
Mon May 24 10:28:11 PDT 2004
Sean Middleditch wrote:
> > > > ... when we are thinking about this... what about having a "public NFS"
> > > > server, too (which means: People can mount a certain directory (like the
> > > > root dir of the ftp space) _READ_ _ONLY_ ?
> > >
> > > There have been too many remote root exploits of RPC and NFS for me to be
> > > comfortable with this.
> >
> > Erm... you only have to open the NFS port in the kernel firewall so
> > other RPC services are not affected. And there are far more exploits out
>
> NFS itself is an RPC service, and the core RPC service itself has been
> severely flawed in the past. Opening *any* service that uses RPC is
> dangerous.
Did you read RFC 2054 ("WebNFS Client Specification") yet? I am talking
about opening _ONE_ port, not all RPC ports. The "portmap" ports would NOT be
open in this case.
> > there for ftp daemons than the NFS daemon (this issue isn't really that
> 
> That is a fairly worthless statement. ;-) There have been a lot of
> security flaws in certain FTP daemons, yes. That has absolutely no
> effect on whether the NFS daemon is secure or not. Comparing apples and
> buicks.
I am not comparing apples and buicks, I am trying to explain that a
public, read-only WebNFS server isn't a larger security threat than an ftp
server. We're doing that here to share CD images for the various
distributions, and a couple of Linux distributions do the same.
> > security sensitive since there are a couple of public NFS servers for
> > Debian packages...) ... :)
>
> And there are plenty of Windows users connecting their home machines
> right into a cable modem with no firewall and sharing their hard-drives
> with everyone on their local block over CIFS. Doesn't mean it's good
> practice.
Please define "good practice". The idea is much better than letting
people download large packages or CD images via ftp - they could
work directly on the shared files themselves.
-----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz at nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 7950090
(;O/ \/ \O;)
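The setup argued for above (a public, read-only export reachable on the single NFS port, with portmap closed off) stands or falls on the export definition itself. The following is an added example, not code from this thread nor any freedesktop.org configuration: a small auditor for Linux `/etc/exports` syntax that flags the options a defender would not want on a public mirror (`rw`, `no_root_squash`, `insecure`) and the classic pitfall of a space between the host and its `(...)` options, which makes the options apply to every host. The sample exports file is constructed for the demonstration.

```python
"""Audit a Linux /etc/exports file for a public, read-only NFS share.

Added example; assumes the Linux exports(5) line format:
    /path  host1(opt,opt)  host2(opt,opt)
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: one export that matches the read-only public share
# discussed in the thread, and three that a defender would flag.
SAMPLE_EXPORTS = """\
# public mirror: read-only for everyone, remote root mapped to nobody
/srv/ftp    *(ro,root_squash,sync,fsid=0)
# staging share left writable and exposed to every host
/srv/stage  *(rw,no_root_squash,async)
/srv/build  10.0.0.0/24(rw,sync)
# the space before "(rw)" silently turns this into a world-writable export
/srv/home   192.168.1.5 (rw)
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(.*)$")
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def parse_exports(text: str) -> List[Tuple[str, str, List[str], bool]]:
    """Return (path, client, options, spaced) tuples.

    `spaced` is True when the options appeared as a bare "(...)" token,
    i.e. separated from the host by whitespace; exportfs treats such a
    token as a wildcard client, so the parser reports it as "*".
    Comments and blank lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path, rest = m.groups()
        for client_spec in rest.split():
            cm = CLIENT_RE.match(client_spec)
            if cm is None:
                continue
            spaced = client_spec.startswith("(")
            client = cm.group(1) or "*"
            opts = cm.group(2) or ""
            options = [o.strip() for o in opts.split(",") if o.strip()]
            entries.append((path, client, options, spaced))
    return entries

def audit_exports(text: str) -> Dict[str, List[str]]:
    """Map "path client" to the list of problems found for that export."""
    findings: Dict[str, List[str]] = {}
    for path, client, options, spaced in parse_exports(text):
        problems = []
        if spaced:
            problems.append("space before '(...)': options apply to every host")
        if "rw" in options:
            problems.append("writable")
        if "no_root_squash" in options:
            problems.append("remote root keeps uid 0 (no_root_squash)")
        if "insecure" in options:
            problems.append("insecure: accepts requests from unprivileged source ports")
        if client == "*" and "rw" in options:
            problems.append("world-writable export")
        if problems:
            findings[f"{path} {client}"] = problems
    return findings

if __name__ == "__main__":
    for export, problems in audit_exports(SAMPLE_EXPORTS).items():
        print(export)
        for p in problems:
            print("   -", p)
```

Run it against a real file with `audit_exports(open("/etc/exports").read())`. A clean result for the mirror export is only half of the configuration the thread describes; the other half is a host firewall that admits TCP port 2049 (the well-known port a WebNFS client per RFC 2054 connects to directly) and nothing else from the RPC family, in particular not the portmapper on port 111.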