"public NFS" on freedesktop.org ? / was: Re: [Xorg] Anon Ftpon freedesktop.org?
Roland Mainz
roland.mainz at nrubsig.org
Mon May 24 23:58:18 PDT 2004
Sean Middleditch wrote:
> > > NFS itself is an RPC service, and the core RPC service itself has been
> > > severely flawed in the past. Opening *any* service that uses RPC is
> > > dangerous.
> >
> > Did you read RFC 2054 ("WebNFS Client Specification") yet? I am talking
> > about opening _ONE_ port, not all RPC ports. "portmap" ports would NOT be
> > open in this case.
>
> Ah, no, I wasn't aware of WebNFS. My apologies. Looking online,
> though, I don't see any software that claims to implement RFC 2054, at
> least not in mainstream usage.
AFAIK every normal NFS client can use WebNFS.
In the case of Solaris (and some Linux distributions) you can simply use
the automounter to mount a WebNFS share:
% cd /net/ftp.x.org/pub/more_stuff_comes_here
would go to the dir "/pub/more_stuff_comes_here/" on host ftp.x.org. People
do not need to know how to use "mount" or to have any root privileges...
they only do a simple CWD and can access the files.
> What benefit would there be to using
> WebNFS in that case instead of something very widely implemented like
> WebDAV which can also be mounted on UNIX machines like other network
> file systems? And which can be accessed with no administrative effort
> using any modern file manager on Windows, OS X, GNOME/KDE, etc.?
See above. WebDAV isn't accessible via the automounter,
NFS-via-automounter is accessible on nearly all Unix distributions and
at least on some of the Linux distributions.
> > > > there for ftp daemons than the NFS daemon (this issue isn't really that
> > >
> > > That is a fairly worthless statement. ;-) There have been a lot of
> > > security flaws in certain FTP daemons, yes. That has absolutely no
> > > effect on whether the NFS daemon is secure or not. Comparing apples and
> > > buicks.
> >
> > I am not comparing apples and buicks, I am trying to explain that a
> > public, read-only WebNFS server isn't a larger security threat than an ftp
> > server. We're doing that here to share CD images for the various
>
> It is if the FTP server is secure and NFS server isn't. Which was my
> point. *Some* FTP servers have had security holes, yes. That in no way
> means the one that FreeDesktop.org uses is insecure. There are plenty
> of FTP servers with perfect security records. Just like how even though
> Sendmail has been known to have frequent security flaws there are still
> MTAs that are very secure.
Erm... "sendmail" is every often hit because it is very popular. Some
Linux distributions tried to avoid the issue and switched to "postfix" -
and suddenly that MTA had lots of reports about exploits. So far the
term "perfect security records" isn't much usefull.
> Furthermore, even if the FTP server *is*
> insecure, that is absolutely no excuse to add yet another insecure
> server. One might as well say that just because FTP is running there's
> no point in using SSH instead of telnet or even using passwords; the
> machine's got a potential security hole anyway, right? ;-)
:)
> > distributions and a couple of Linux distributions do the same.
> >
> > > > security sensitive since there are a couple of public NFS servers for
> > > > Debian packages...) ... :)
> > >
> > > And there are plenty of Windows users connecting their home machines
> > > right into a cable modem with no firewall and sharing their hard-drives
> > > with everyone on their local block over CIFS. Doesn't mean it's good
> > > practice.
> >
> > Please define "good practice". The idea is much better than letting
> > people download large packages or CD images via ftp - they could
> > directly work on the shared files itself.
>
> And what benefit does that provide?
See above. People can use WebNFS shares without being root or making any
other modifications to their default setup. They simply do a CWD and use
the files on ftp.x.org.
> Either way, the whole thing needs
> to be taken from the server to their local machine. FTP file systems
> exist for UNIX so users can mount them and tools like cdrecord can
> stream the file over the network (assuming you have burnfree or
> something in use) and so on.
Do you know how these ftp filesystems work in the background? In the
worst (usually the common... ;-( ) case they transfer the complete file
to the client first, regardless of whether you only need the first <n>
bytes - try
% find /path_to_ftp_filesystem | while read i ; do file "$i" ; done
and you'll see how silly the idea of an ftp filesystem is
(unless the ftp server supports extensions for random seek+block
reads... but that isn't covered by ftp daemons which implement only the
features defined by the RFC for ftp).
> WebDAV is also available in the same way.
Please name ONE Unix OS (except Linux) which can mount WebDAV shares.
AFAIK neither Solaris nor AIX nor HP-UX can do that.
And who claims that WebDAV is more secure than WebNFS in the scenario
described above?
> NFS doesn't offer anything useful over these in a read-only scenario.
See my first usage example above...
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz at nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 7950090
(;O/ \/ \O;)
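The exposure argument in the mail (WebNFS needs only port 2049 reachable, a classic NFS export additionally registers portmapper, mountd, nlockmgr and statd on port 111 and dynamic ports) can be checked from the client side. The script below is an added example, not part of Roland's mail and not anything freedesktop.org ran; it parses the output format of `rpcinfo -p` and lists every RPC registration other than nfs on 2049. Both inputs are constructed samples in that format, and the program numbers, service names and dynamic port numbers in them are assumptions chosen to look like a typical Unix NFS server.

```shell
#!/bin/sh
# Added example (not from the mail above): audit which RPC services an
# NFS host registers with the portmapper, to tell a classic NFS export
# (portmapper, mountd, nlockmgr, status on dynamic ports) from a
# WebNFS-style setup where only nfs on tcp/udp 2049 is reachable.
#
# Both inputs are constructed samples in the format of `rpcinfo -p`,
# not real captures; program numbers and dynamic ports are assumed.
SAMPLE_CLASSIC='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100021    1   udp  32770  nlockmgr
    100024    1   tcp  32771  status'

SAMPLE_NFS_ONLY='   program vers proto   port  service
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs'

# Read rpcinfo -p output on stdin; print "proto/port service" for every
# registration other than nfs itself on its fixed port 2049. Those are
# the ports a firewall would have to open in addition to 2049 for a
# classic export. The header line (NR == 1) is skipped.
extra_rpc_services() {
    awk 'NR > 1 && NF >= 5 && !($5 == "nfs" && $4 == 2049) {
             print $3 "/" $4 " " $5
         }' | sort -u
}

# Number of distinct extra proto/port pairs in the stdin rpcinfo output.
count_extra_ports() {
    extra_rpc_services | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Exit status 0 if the stdin rpcinfo output shows nothing but nfs on 2049.
nfs_only_on_2049() {
    [ "$(count_extra_ports)" -eq 0 ]
}

# Stand-alone run: report both constructed samples.
printf '%s\n' "$SAMPLE_CLASSIC" | extra_rpc_services
printf 'classic export: %s extra port(s)\n' \
    "$(printf '%s\n' "$SAMPLE_CLASSIC" | count_extra_ports)"
printf 'nfs-only export: %s extra port(s)\n' \
    "$(printf '%s\n' "$SAMPLE_NFS_ONLY" | count_extra_ports)"
```

Against a real host, feed it `rpcinfo -p host | extra_rpc_services`. Note the limitation: `rpcinfo -p` itself talks to the portmapper on port 111, so on a host that exposes only 2049 it fails rather than printing an empty list; the practical check there is simply that nothing but tcp/udp 2049 answers, which is exactly the "one port, no portmap" situation the mail describes.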