If you give anybody write access to NFS, you should assume that EVERYBODY
has write access to your NFS file system as any user that they want to be.
(excepting root in some cases). NFS security is extremely weak in this
regard and relies on the client to present itself truthfully, identify
itself correctly, and determine access.
>An organization, external to ours, has written a custom application =
>which requires transferring files through our firewall. This =
>application is critical to the success of the external organization; =
>however, we stand to benefit from it also. We have expressed our =
>requirement to perform all file transfers using the FTP protocol. Our =
>firewall by the way supports FTP via a FTP proxy.
>This external organization intends to use NFS as its file transfer =
>utility claiming that their security policy only allows NFS for file =
>transfers and does not permit FTP. Supposedly, with NFS they do not =
>have to grant login access to outside users wishing to transfer files =
>into their network. They feel that FTP requires a login and therefore =
>compromises their security. Our policy only allows FTP - our firewall =
>does not have a NFS proxy even though we could allow it go through.
>Does any of the above make sense to any reader out there? I'm not very =
>up to date on the security threats of NFS. I do know however that CERT =
>has posted NFS advisories and that both CERT and Cheswick/Bellovin =
>recommend blocking out NFS from entering a private network.
>What should be my security concerns with NFS? Should I be comfortable =
>with an external organization transmitting files into my network using =
>NFS? Why do both CERT and Cheswick/Bellovin recommend blocking out NFS?
>I appreciate you response.
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
NFS vs. FTP
From: "Data Systems Bureau" <lasdsdn @