Re: FC5, Firefox, NFS /home

Garry T. Williams wrote:
> On Tuesday 20 June 2006 04:31, Keith G. Robertson-Turner wrote:
>> Dan wrote:

>>> I have an FC5 server which has exported /home via NFS. Client
>>> machines automount /home.

>> Using /home as a network share is inherently insecure,

> What does that mean?

Threats To Server Security
https://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-risk-serv.html

######
"Inherently Insecure Services

Even the most vigilant organization that does their job well and keeps
up with their daily responsibilities can fall victim to
vulnerabilities if the services they choose for their network are
inherently insecure. There are certain services that were developed
under the assumption that they will be used over trusted networks;
however, this assumption falls short as soon as the service becomes
available over the Internet.
<...>
Another example of insecure services are network file systems and
information services such as NFS or NIS which are developed explicitly
for LAN usage but are, unfortunately, extended to include WANs (for
remote users). NFS does not, by default, have any authentication or
security mechanisms configured that will prevent a cracker from simply
mounting the NFS share and accessing anything contained therein. NIS,
as well, has vital information that must be known by every computer on
a network, including passwords and file permissions, within a plain
text ASCII or DBM (ASCII-derived) database. A cracker can take this
database and find the passwords of each and every user on a network,
including the administrator."
######

Or IOW:
Private data ($HOME) should be isolated from potentially publicly
accessible network shares, even if there are other security mechanisms
in place to safeguard it (firewall), since those mechanisms could
potentially be compromised by vulnerabilities. If that data is
isolated from inherently insecure services, the risks are reduced
considerably.

--
K.
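
An added example, not part of the original post: a small auditor for `/etc/exports` entries that flags the defaults the quoted manual warns about (export to any host, no root squashing, no Kerberos authentication). The sample exports text, the function name `audit_exports` and the finding strings are constructed for illustration; the export options themselves are standard exports(5) options.

```python
import re

# Constructed sample /etc/exports content (not from the original post).
SAMPLE_EXPORTS = """\
# weak: any host may mount, root is not squashed
/home        *(rw,no_root_squash)
# better: one subnet, root squashed, Kerberos with privacy
/home        192.168.1.0/24(rw,root_squash,sec=krb5p)
/srv/pub     (ro)
"""

ANY_HOST = "exported to any host"
ROOT_KEPT = "remote root keeps uid 0 (no_root_squash)"
UNPRIV_PORT = "accepts requests from unprivileged ports (insecure)"
AUTH_SYS = "server trusts client-supplied uids (AUTH_SYS allowed)"

CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")

def audit_exports(text):
    """Return (path, client, [findings]) for every export entry in text."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        # exports(5): a path with no client list is exported to everyone
        for client in clients or [""]:
            m = CLIENT_RE.match(client)
            host = m.group("host") if m else client
            opts = set((m.group("opts") or "").split(",")) if m else set()
            findings = []
            if host in ("", "*"):
                findings.append(ANY_HOST)
            if "no_root_squash" in opts:
                findings.append(ROOT_KEPT)
            if "insecure" in opts:
                findings.append(UNPRIV_PORT)
            # sec= may list several flavors separated by ':'; the default is sys
            flavors = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")]
            if not flavors or any(not f.startswith("krb5") for f in flavors):
                findings.append(AUTH_SYS)
            results.append((path, host or "<world>", findings))
    return results

if __name__ == "__main__":
    for path, host, findings in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: {'; '.join(findings) or 'ok'}")
```

Line continuations (`\`) and quoted paths in exports(5) are not handled by this sketch.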
