You can always change SecType to only allow krb5 authentication. Then
no one can connect without a Kerberos ticket.
Daniel
On 9/6/22 11:56, Matthew Richardson wrote:
> Yes, what is the requirement here?
The issue is really a security one. Initial connections are only 'protected' by
Client config limited to host/IP ranges. If someone can 'reach' the NFS server
then they can connect as root (nobody) and potentially access anything which is
world-readable. This is obviously a 'classic' issue with IP-based auth on NFS, and
I was hoping that the existence of Kerberos authentication helped here. Perhaps not.
> Yes, definitely. Note that directory permissions are not sufficient to protect files
> since a client could "guess" a file handle and access any inode on an exported
> file system (even an inode in a portion of the file system that is outside an
> exported sub-tree of the file system).
Indeed - the top-level directory has to be world-executable, which then opens up attacks
through guessing paths/filenames.
I suppose we could set some top-level ACLs to explicitly restrict the 'nobody'
user to have no access, but I was hoping that there might be a nicer way for the server to
just reject all FS requests for certain users.
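
The SecType change suggested at the top of this thread, written out as an NFS-Ganesha export block. This is an added example, not configuration posted by anyone in the thread; the export ID, paths, client range and keytab location are constructed placeholders.

```conf
# ganesha.conf fragment (constructed example values throughout)

NFS_KRB5 {
    PrincipalName = nfs;              # service principal is nfs/<server-fqdn>@REALM
    KeytabPath = /etc/krb5.keytab;    # assumed keytab location
    Active_krb5 = true;               # enable RPCSEC_GSS on the server
}

EXPORT {
    Export_Id = 1;
    Path = /srv/export;
    Pseudo = /export;
    Access_Type = RW;
    Squash = Root_Squash;

    # Before: AUTH_SYS is accepted, so access is gated only by the
    # host/IP range in the CLIENT block below.
    # SecType = sys;

    # After: only the Kerberos flavors are accepted; a request that
    # arrives with AUTH_SYS or AUTH_NONE credentials is refused.
    #   krb5  = authentication only
    #   krb5i = authentication + integrity
    #   krb5p = authentication + integrity + privacy (encryption)
    SecType = krb5, krb5i, krb5p;

    FSAL {
        Name = VFS;
    }

    CLIENT {
        Clients = 192.0.2.0/24;       # documentation range, placeholder
        Access_Type = RW;
    }
}
```

Clients then have to mount with a matching flavor (for example `sec=krb5p` on a Linux client) and hold a valid ticket; the CLIENT host/IP restriction still applies on top of the Kerberos requirement.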