"public NFS" on freedesktop.org ? / was: Re: [Xorg] Anon Ftp on freedesktop.org?

Sean Middleditch elanthis at awesomeplay.com
Mon May 24 10:40:26 PDT 2004


On Mon, 2004-05-24 at 13:28, Roland Mainz wrote:
> Sean Middleditch wrote:

> > NFS itself is an RPC service, and the core RPC service itself has been
> > severely flawed in the past.  Opening *any* service that uses RPC is
> > dangerous.
> 
> Did you read RFC 2054 ("WebNFS Client Specification") yet? I am talking
> to open _ONE_ port, not all RPC ports. "portmap" ports would NOT be open
> in this case.

Ah, no, I wasn't aware of WebNFS.  My apologies.  Looking online,
though, I don't see any software that claims to implement RFC 2054, at
least not in mainstream usage.  What benefit would there be to using
WebNFS in that case instead of something very widely implemented like
WebDAV which can also be mounted on UNIX machines like other network
file systems?  And which can be accessed with no administrative effort
using any modern file manager on Windows, OS X, GNOME/KDE, etc.?

> 
> > > there for ftp daemons than the NFS daemon (this issue isn't really that
> > 
> > That is a fairly worthless statement.  ;-)  There have been a lot of
> > security flaws in certain FTP daemons, yes.  That has absolutely no
> > effect on whether the NFS daemon is secure or not.  Comparing apples and
> > buicks.
> 
> I am not comparing apples and buicks, I am trying to explain that a
> public, readonly WebNFS server isn't a larger security threat than an ftp
> server. We're doing that here to share CD images for the various

It is if the FTP server is secure and NFS server isn't.  Which was my
point.  *Some* FTP servers have had security holes, yes.  That in no way
means the one that FreeDesktop.org uses is insecure.  There are plenty
of FTP servers with perfect security records.  Just like how even though
Sendmail has been known to have frequent security flaws there are still
MTAs that are very secure.  Furthermore, even if the FTP server *is*
insecure, that is absolutely no excuse to add yet another insecure
server.  One might as well say that just because FTP is running there's
no point in using SSH instead of telnet or even using passwords; the
machine's got a potential security hole anyway, right?  ;-)

> distributions and a couple of Linux distributions do the same.
> 
> > > security sensitive since there are a couple of public NFS servers for
> > > Debian packages...) ... :)
> > 
> > And there are plenty of Windows users connecting their home machines
> > right into a cable modem with no firewall and sharing their hard-drives
> > with everyone on their local block over CIFS.  Doesn't mean it's good
> > practice.
> 
> Please define "good practice". The idea is much better than letting
> people download large packages or CD images via ftp - they could
> directly work on the shared files themselves.

And what benefit does that provide?  Either way, the whole thing needs
to be taken from the server to their local machine.  FTP file systems
exist for UNIX so users can mount them and tools like cdrecord can
stream the file over the network (assuming you have burnfree or
something in use) and so on.  WebDAV is also available in the same way.
NFS doesn't offer anything useful over these in a read-only scenario.

> 
> -----
> 
> Bye,
> Roland
-- 
Sean Middleditch <elanthis at awesomeplay.com>
AwesomePlay Productions, Inc.