Windows to Linux Migration - File Server Security?

Circuit Breaker asks: "I'm in the slow process of migrating my office from Windows to Linux. The servers have been Linux machines for quite a while now: Samba serves as PDC/BDC (not using Active Directory yet), and the Samba config is mirrored with rsync; all works well. Now, it's time for the workstations, and all is NOT well. User lists are synchronized with NIS, which sort-of works, and will probably work better once we implement LDAP; but it seems that mounting of server directories can only effectively be done with NFS, which is a problem with security because some people really need local root. I've tried using NFS, CIFS and SSHFS, through pam_mount, automount, and independently, but it's not close to the usability of the Windows setup. It's either mounted per user, which requires a lot of work, or by root, in which case local root users bypass any remote permissions. How do you set up mounting directories that is easy to use like Windows -- everything automounted, but security settings are still respected for each user, even when local roots are involved?"
This discussion has been archived. No new comments can be posted.

  • If it works now (Score:4, Insightful)

    by mboverload ( 657893 ) on Saturday March 25, 2006 @09:53PM (#14995917) Journal
    If it works, why are you migrating? If it ain't broke, don't fix it.
    • Re:If it works now (Score:1, Informative)

      by Anonymous Coward
      Because when it breaks, as it inevitably will with some newly discovered vulnerability, it will be down for quite a while? Or, worse yet, pwned for quite a while with no knowledge of it?

      • A properly secured Windows box is more secure than you think.

        You just need the correct setup and firewall.
        • by soloport ( 312487 ) on Sunday March 26, 2006 @11:52AM (#14998045) Homepage
          A properly secured Windows box is more secure than you think.

          [ 289 patches, 112 tweaks to services, sixty-eight re-boots, a half-dozen add-on packages -- Norton, AdAware, etc. -- and fourteen hours later... ]

          See?

          :)
          • by Anonymous Coward

            [ 289 patches, 112 tweaks to services, sixty-eight re-boots, a half-dozen add-on packages -- Norton, AdAware, etc. -- and fourteen hours later... ]

            AdAware? Is that how you imagine Windows servers must be run? Why would someone need AdAware, which blocks spyware and cleans up private web browsing information, on a server? Do you flip through all your favorite sites on your production Linux servers?

            Norton? Why would someone need Norton (presumably Internet Security for the firewall and AV for virus sca

    • Re:If it works now (Score:4, Informative)

      by erroneus ( 253617 ) on Saturday March 25, 2006 @11:49PM (#14996265) Homepage
      Ever got hit with a BSA audit? That alone will convince you of exactly how tyrannical those bastards can be. Beyond that, it may be as simple as they are tired of paying for software licenses for software that leaves them virtually no protection against intrusion and is quite famous for its insecurity and unreliability. (I'm not saying anything is better, just that it's famous for its exploitability and that many working exploits are still unknown to the white-hat security crowd.)

      Pick your favorite reason. But ultimately, whatever the reason, I'm sure they have a good one and have decided the pains involved with migrating over are worth moving away from what they are using now.
      • I'd sure hope anyone subject to BSA audits would use Solaris or some other Vendor supported version of Linux (RedHat, Novell, etc.)! Keeping on topic, Microsoft software should not be accounted in as an asset but as a liability, especially in this industry.

        SOX is just too far-reaching to try to save a buck by going the Redmond route...hire real professionals.
    • Re:If it works now (Score:3, Interesting)

      by Bert64 ( 520050 )
      Because it's dangerous to use Microsoft. The more of their products you start becoming dependent on, the greater the risk of being screwed over.

      It is always dangerous to become dependent on a single source for anything. No other vendor produces a Windows-compatible OS or other drop-in replacements for their products, you're always faced with a costly migration. Unlike with x86 hardware (dell, hp, ibm, acer whatever, you can easily drop in replacements) and linux (debian, redhat, suse, easy enough to change) w
      • Well, technically ReactOS is working on creating something more or less like the parent described (a Windows-compatible drop-in replacement) – the only real problem is that it's not exactly there yet.

        Although then again, all the random crashes do look like they happen around the right place... ;-)
  • NFS with Kerberos (Score:3, Informative)

    by poopdeville ( 841677 ) on Saturday March 25, 2006 @09:57PM (#14995929)
    Some versions of NFS support kerberos authentication. Try that.
  • NFS options (Score:5, Informative)

    by dbarclay10 ( 70443 ) on Saturday March 25, 2006 @09:58PM (#14995931)

    Recent NFS kernel implementations (for instance, whatever I have installed on my Debian/Sid boxen) have a few options which might be useful.

    First, in /etc/exports, you can do per-IP-address UID/GID squashing. 'man 5 exports' considered helpful. For instance (Slashdot will mangle this),

    /home/devel/fbar 10.60.55.20(rw,all_squash,anonuid=1001,anongid=1001) 10.60.55.30(rw,all_squash,anonuid=1002,anongid=1002)

    That will make the NFS connection from 10.60.55.20 have all access go via UID/GID 1001, and all accesses from 10.60.55.30 go via UID/GID 1002. This is most applicable when using single-user endpoints/workstations.

    Newer kernels (late 2.6.x-series) appear to have support for Kerberos and similar; of course, if you haven't even done LDAP yet (what's your excuse? If you're replacing Windows machines in an NT4 configuration, you should at least be migrating to something LDAP-based), then Kerberos is probably out of your league. Fix that.

    • Re:NFS options (Score:3, Informative)

      by hazem ( 472289 )
      Doesn't nfs have "root_squash" on by default?

      Where I once worked, our drives were all mounted via nfs. I could be on a local linux box and become root, but that didn't give me root access to the mounted drive. In fact, as root, I couldn't even see my own user files on the remote machine. If I wanted to do root-like things on the remote end, I had to log in there to do it. I've always assumed this was a default way that NFS worked.

      This was more than 8 years ago, so I don't think it's anything new.
      • Doesn't nfs have "root_squash" on by default?

        You are correct. Only linux calls it "root_squash" but all the major unices have had exactly the behaviour you described for a decade or more.

        This entire "ask slashdot" article is moot because of that.
        • Re:NFS options (Score:3, Informative)

          by hazem ( 472289 )
          This entire "ask slashdot" article is moot because of that.

          I'm glad to hear that. I was afraid it was just my faulty memory - remembering what wasn't.

          Maybe this guy has his nfs servers' exports file set with "no_root_squash" - which can be handy while trying to get things working - but never turned it off when it was done?

          I think for added security on the file server, all accounts but a select few had their home and shell set to /dev/null in the passwd file. That machine, a sequent running dynix, couldn't
          • I just realized one issue, though. In that old setup, on a local machine, once you were root, you could su to another user and then have access to their files on the file-server.

            Yep - as long as you give access to accounts with the privilege to su, you've got that problem. But, it is not NFS specific - as long as the file-server trusts a user on the machine to be themselves, you've got that concern.
      • Re:NFS options (Score:3, Insightful)

        by Mintrubber ( 963643 )
        As root, the user can change to any other uid with "su" on the client. This way, he has access to all other users' files. "root_squash" is only relevant if the files in the exported directory belong to the root user. As the question was about home directories, "root_squash" does not help here.
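The sub-thread above turns on which identity the NFS server actually sees. The following is an added example, not part of any commenter's post: it models the mapping that exports(5) describes for `root_squash`, `no_root_squash`, `all_squash`, `anonuid` and `sec=`, then audits a constructed exports file for entries that accept whatever UID the client claims. The sample file, the 65534 anonymous UID and all function names are assumptions made for illustration.

```python
"""Audit /etc/exports entries for the trust problem discussed in this thread."""

# Constructed sample; the addresses and squash options echo the comment above,
# the remaining paths and hosts are made up for the example.
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/home            10.60.55.0/24(rw,sync)
/home/devel/fbar 10.60.55.20(rw,all_squash,anonuid=1001,anongid=1001)
/srv/build       10.60.55.30(rw,no_root_squash)
/srv/secure      *.example.org(rw,sec=krb5p)
"""

NOBODY = 65534  # assumed default anonymous uid when anonuid= is not given


def parse_exports(text):
    """Yield (path, client, options) for every client entry.

    Simplified on purpose: quoted paths, backslash continuations and
    '-option' default blocks are not handled.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for entry in clients:
            client, _, rest = entry.partition("(")
            opts = {}
            for item in rest.rstrip(")").split(","):
                if item:
                    key, _, value = item.partition("=")
                    opts[key] = value
            yield path, client, opts


def kerberos_only(opts):
    """True when every accepted security flavor is krb5, krb5i or krb5p."""
    flavors = opts.get("sec", "sys").split(":")  # sec=sys is the default
    return all(f.startswith("krb5") for f in flavors)


def trusts_client_uids(opts):
    """True when a non-root UID asserted by the client is used unchanged."""
    return not kerberos_only(opts) and "all_squash" not in opts


def server_uid(opts, claimed_uid):
    """UID the server applies for a request claiming `claimed_uid`.

    Returns None for Kerberos-only exports, where the identity comes from
    the user's Kerberos principal rather than from the claimed UID.
    """
    if kerberos_only(opts):
        return None
    anon = int(opts.get("anonuid", NOBODY))
    if "all_squash" in opts:
        return anon                      # every user becomes the anon uid
    if claimed_uid == 0 and "no_root_squash" not in opts:
        return anon                      # default root_squash: only uid 0 is remapped
    return claimed_uid                   # anything else is taken at face value


def audit(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        if server_uid(opts, 0) == 0:
            findings.append((path, client,
                             "no_root_squash: client root is root on this export"))
        if trusts_client_uids(opts):
            findings.append((path, client,
                             "AUTH_SYS without all_squash: root_squash does not "
                             "stop a client root that switches to another uid"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit(SAMPLE_EXPORTS):
        print(f"{path} {client}: {finding}")
```

Only the per-workstation `all_squash` entry and the `sec=krb5p` entry come back clean; the plain `/home` export is flagged even though root is squashed by default.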
  • by Anonymous Coward
    You can probably save yourself a lot of grief and maintenance, by leaving the share wide open but implementing a good security policy.

    By educating and training the users, there should be a minimum amount of confusion. But if you want to be 100% sure that files are being maintained, make at least daily backups so that if someone edits the document inadvertently then you can restore it.

    Make sure you get a manager and director to approve the security policy and get a signature from each staff member so that t
    • The one problem with that is that the honor system doesn't always work so well – and there's still a good chance of nasty accidents happening while logged in as root (accidental "rm -rf /", anyone?), intentionally or otherwise. I'd say the software should control the security policy, and that's that...

      By the way, doubt this will really be useful for anyone but I don't really use NFS much for my own systems – too slow, and requires a network connection the entire time you're working. Usually I
      • Have you considered setting up a secured CVS server? I have heard of people using them for documents and stuff; the advantage is you keep every version you ever saved.
      • Hah. Scping back and forth? Doesn't work so well for several hundred machines.
      • There's a decent command line tool called SVK that front-ends to Subversion HTTP repositories. There's a great GUI front-end to SVN called TortoiseSVN that integrates nicely with Explorer. If TortoiseSVN could eventually talk SVK then that would solve all my remote document/fileserving needs.

        Local offline cached version controlled repositories, with a centralized SVN or HTTP master for the entire workgroup to use. It's a minor change in workflow, but the benefits in reliability and accountability are tre
    • Re:A good security (Score:5, Insightful)

      by picklepuss ( 749206 ) on Saturday March 25, 2006 @10:22PM (#14996015) Homepage
      By educating and training the users, there should be a minimum amount of confusion.

      IMHO, this is just asking for trouble. And having daily backups only ensures that you'll spend most of your day restoring backups when things start to get really messed up. Getting a signature doesn't do you squat, unless there is a real policy of enforcement. But once management realizes they're going to have to discipline everyone because your security policy is lame, who do you think is going to get it in the end?

      • As other comments have said it does seem you are doing this for the sake of doing it. As much as people on this site might bash Windows it does one thing very well (in most cases) and that for non-power users it just works. You install it, install the drivers, download a lot of patches but then it will just run and people can open Word and be happy. Want remote admin? Install VNC
  • by kiwimate ( 458274 ) on Saturday March 25, 2006 @10:24PM (#14996020) Journal
    As in the whole migration. Seriously. You don't list a reason, so it could be anything from saving money (in which case you've already failed with the amount of time and effort you're expending and the commensurate costs, including lost productivity, not even beginning to think about ongoing support costs, because you know the OS licensing costs saved have already been way exceeded by the migration costs) to idealism.

    But everything you've described is "we're trying to find a way to emulate this Windows functionality on Linux, and it's really hard". You're taking huge amounts of time, you can't get anything to work properly, and in the process I imagine you're causing your users a lot of aggravation.

    I don't even want to know how big the office is, what sort of packages you're trying to migrate, etcetera, but presumably either you're in charge of a very small office, your manager is a Linux idealist or the majority of your office colleagues are Linux idealists, or you made it sound really appealing to your manager. If the first two reasons, I'd be guessing sheer stubbornness is making you carry this on through. If the last, I'd be guessing your manager will be asking some questions sometime soon.

    So why are you doing this? Heck, just read the last few sentences...

    I've tried using ...{blah blah blah}... but it's not close to the usability of the Windows setup.

    It's either mounted per user, which requires a lot of work, or by root, in which case local root users bypass any remote permissions.

    How do you set up mounting directories that is easy to use like Windows?


    Mate...again, why, precisely, are you doing this? Now I really do want to know out of sheer curiosity...
    • by Sycraft-fu ( 314770 ) on Saturday March 25, 2006 @11:17PM (#14996169)
      For various reasons, including the lack of per copy cost, the actions of MS in the past, UNIX compatibility, and so on many organizations look at Linux. Unfortunately, in some cases it's not a "Well let's see if Linux would be good for us" it's "Windows sucks, we need Linux, make it happen now." There's no thought as to why, other than that it's Linux.

      Happened to me at my last job. We needed an Oracle server for a project, had to be Oracle. No problem, we have a site license for it so there's no incremental cost. We get a server, and then it falls to me to set it up. However I'm told it has to be on Linux. I'm given various reasons, all, none valid. Things like "Well Linux is more secure" though the server will be in private IP space, directly connected to another server. So I start fighting with various Linux distros and Oracle to no end. I finally get fed up with this shit and tell the people demanding Linux if they want it, they can install it. The UNIX guru comes to try it, fights with it for like a week and finally calls Oracle since we have support. Their reply? "You need to get a supported OS, until then we can't help you."

      See we were trying regular SuSe and Redhat. Part of the whole Linux thing is it's free right? Oracle will have nothing to do with that at all. Supported Linuxes were RHEL, SuSe EL, and UnitedLinux. So we hit a roadblock. I asked for permission to try Windows XP since that was a supported OS, the system had come with a license and why not. Oracle ended up installing on that fine on the first try and working properly. Then the project was canceled, but that's another story.

      Nobody who was demanding Linux there ever gave any thought to if it was the right way to do things, it was just pushing Linux or, I suspect, pushing something not MS.

      So I'd bet that's what's going on here. Perhaps the submitter is in a bad situation where management has made an uninformed decision that they must be using Linux, and now he has to try and make it happen, even though it's a problem. Could also be he's a guy who dislikes MS and has used Linux at home, and decided it would be good for work without doing proper research.
      • Unix guru and was not able to install Oracle in one week??? Gee, looks like someone has lied here.

        I'm not saying Oracle is easy to install, but you can do it for sure in a couple of hours (less if you are using a supported Linux and follow the installation instructions).

        And using Windows XP as the operating system for a database server? Are you kidding?
        • by Sycraft-fu ( 314770 ) on Sunday March 26, 2006 @12:42AM (#14996440)
          You are free to believe what you like, it has no effect on the truth of what happened. Oracle refused to install on normal Linux. I don't know what the problem was, and apparently neither did our Solaris guy. That's why he called Oracle, to ask them to help make it install, only they wouldn't because it's an unsupported OS. Now I should clarify that a good part of the week wasn't fighting with Oracle, but with making RAID work, however he tried and failed to install Oracle several times before giving up and calling for support.

          And it sounds like you are another one bitten with the Linux bug, or rather the "anything but MS" bug. Why not Oracle on XP? I would draw your attention to the fact that it's an officially supported OS, as in Oracle themselves have declared "This OS is suitable to use with our database, and we will support installations on it." 10g2 is officially supported on Windows 2000 (Pro and Server), XP (32 and 64-bit) and 2003 Server (32 and 64-bit). While I haven't played with 10, when we did all this with 9, it installed on XP on the first try with no problems.

          So what's your reasoning that XP can't be used? Is there something really backing it up or is it just general "You can't use Windows" mentality?

          I'm not saying I'd recommend using Oracle on XP in most cases, however this is the same, knee-jerk "Linux bug" mentality I'm talking about. A Windows solution works, there's no problems with it, however you get this attitude like it should be Linux just because.

          Change needs to have a reason, at least in the corporate world. That reason can be something as simple as "we are tired of paying for MS licenses" but you need a legit reason. "I hate MS" isn't a legit reason. Further, the benefits of the switch must outweigh the costs. If you can switch to Linux with no additional support costs, then the cost argument is a good one. If switching to Linux is going to require 500 man hours to implement and an additional 200 per year to support over Windows, it may well be that the money spent on support is more than the savings from licensing.
          • by the eric conspiracy ( 20178 ) on Sunday March 26, 2006 @01:15AM (#14996503)
            Oracle refused to install on normal Linux. I don't know what the problem was, and apparently neither did our Solaris guy.

            I am sorry, but I am calling bullshit on this. Yes, Oracle can be difficult to install on a Linux installation that is not "supported" because it makes a lot of assumptions about the services that will be available to it. BUT any competent admin can find out what the requirements are without a lot of difficulty. And in many cases there are guides that can be used to install Oracle on non-supported systems.

            One such guide is the following:

            http://www.tldp.org/HOWTO/html_single/Oracle-9i-Fedora-3-Install-HOWTO/ [tldp.org]

            So what's your reasoning that XP can't be used?

            As far as Oracle running on Windows XP, the main reason that I wouldn't do that is that Windows XP doesn't provide the services that a server OS would. For example, such an installation would be limited to no more than 10 concurrent users, among other things.

          • That is an acknowledged issue. Oracle is a bit persnickety when it comes to database versions.

            That's what CentOS is for - to emulate RHEL. The guides are great for that.

            That said, Oracle made the install for XP incredibly easy, and there's no shame in using that either.
          • The fact that Oracle on windows runs as SYSTEM, whereas on unix it runs under its own account is a perfectly valid security reason to run it on unix.

            Another reason would be cost, oracle is expensive enough already without having to pay for windows as well.
          • In the same spirit one could ask: Why does it have to be Oracle?

            If it is giving you all this trouble on Linux, why not choose another SQL server? Or is it ok to be bitten by the Oracle bug?

          • You are free to believe what you like, it has no effect on the truth of what happened. Oracle refused to install on normal Linux. I don't know what the problem was, and apparently neither did our Solaris guy.

            The installation script explicitly checks for supported Linux distribution. Failing that, it refuses to install. The fix takes about 5 minutes to implement, and is easy enough to find on Google if you do not know what you are doing (basically, copy /etc/redhat-release from a supported RedHat version t

            • by Anonymous Coward
              Or didn't read the &#^#@$ Install documentation.

              This was some wanker who had installed Linux a couple of times on his PC in Mom's basement and now he's a "Linux Expert".

          • a good part of the week wasn't fighting with Oracle, but with making RAID work

            Why is this guy given the task to set it up on linux - wouldn't it make sense to have someone familiar with the platform do it?

            So what's your reasoning that XP can't be used?

            To be brutally blunt and assuming it is a serious question - because XP is a hobby OS and MS Server2003 which is designed better for the task doesn't really cost much more.

            I agree about the change bit - if the constraint is to make it behave like MS Windows

      • by whoever57 ( 658626 ) on Sunday March 26, 2006 @01:27AM (#14996544) Journal
        See we were trying regular SuSe and Redhat. Part of the whole Linux thing is it's free right? Oracle will have nothing to do with that at all. Supported Linuxes were RHEL, SuSe EL, and UnitedLinux. So we hit a roadblock. I asked for permission to try Windows XP since that was a supported OS, the system had come with a license and why not. Oracle ended up installing on that fine on the first try and working properly. Then the project was canceled, but that's another story.
        So, what you are saying is that you were trying to install a closed source application for weeks without asking exactly what the supported platforms were? I'm sorry, but that is just asking for failure. It's like wondering why it won't install on Windows 3.1 because "it's Windows, right?"
      • You can use CentOS, which is fully compatible with RHEL. Or Solaris, I believe Solaris is well supported by Oracle.

        As for running Oracle on windows, it's far more secure to run it on Unix...

        Oracle on windows runs as SYSTEM, whereas on unix it runs under its own "oracle" account. Any vulnerability found in Oracle becomes far more serious on windows than on unix.
        • Fully Compatible != fully supported by software vendors...

          Going to Oracle and saying "well, CentOS is fully compatible with RHEL" isn't going to work.

          This is the problem with Linux vs Unix arguments in the enterprise; Linux may be free to download & use on commodity hardware, but is that really what you'll do? Most people will buy mid to high-end servers with redundant power etc & use RHEL/Suse EL which winds up about the same price as commercial Unix on equivalent hardware.

    • Why does it matter why he is doing this? I was hoping to read this topic and find a simple solution to implementing NFS on a Local Area Network under Linux.

      An organization like Free Shell [freeshell.org] uses NFS for all user accounts and much of their core organization.

      If I could use NFS, I'd fill an older computer with hard drives so I could have a massive file server. I know Google has the answer, but you have to admit, if someone on slashdot had the answer, it'd be nicer to get it here, than dig through pages and

    • by kbielefe ( 606566 ) * <karl,bielefeldt+slashdot&gmail,com> on Sunday March 26, 2006 @12:41AM (#14996436)
      You're thinking too short term. Presumably, this guy wasn't hired specifically for the Linux migration. If he wasn't spending some time on this, he would be working on the next service pack upgrade or whatever. It sounds like he is doing it right by taking it slow, and I'd be really surprised if he was rolling anything out to users that wasn't fully tested.

      You're right -- in the short term this is more trouble than it's worth. There are a lot of things he needs to learn, and the initial setup can be difficult and time consuming when you have never done it before. The payoff only comes in the long run.

      Imagine how much your company would have saved in licensing costs if they had migrated to open source software in 1995. Imagine how easy it would be to support Linux if the IT staff and employees had 10 years of solid Linux experience.

      This guy's company is going to be in a great position in 2015, and people who couldn't tolerate some short term inconvenience will be even further entrenched in a single-source solution. In fact, I think the Linux migration will more than adequately prove itself financially much sooner -- by the time his friends are in the middle of a Vista migration. (I'll resist the temptation to insert a cheap shot about 2015 here).

      As for the original question, I would suggest if he wants something that shares files like Windows, to use Samba. It's not just for interoperability; KDE and Gnome both integrate with Samba very nicely.

      • This guy's company is going to be in a great position in 2015,

        No, they'll be entrenched on Linux, while the Hot Thing will be Hurd ;).

      • If they'd have migrated to open source software in 1995, they'd probably have spent more money than the non-free licensing costs on supporting the whole thing.
        OSS is making great strides, becoming more usable with each passing year, but I strongly doubt going OSS for everything now will be cheaper than running on existing licenses for another few years, and switching then.
        10 years is an awful long time in this industry.

        GNOME is almost 9 years old, and it's only just become usable for end-users.
        • I have news for you. Companies that used Windows for the last 10 years spent a lot more than the non-free licensing costs on supporting the whole thing.

          When Windows Vista comes out, there will be all sorts of pressure to migrate to it. This guy picked the perfect time to switch so that he has time to do it right, before that pressure hits. It's the kind of foresight I expect from a company that would be able to see past the short term hassle of switching operating system suppliers in the first place.

  • one word (Score:3, Informative)

    by Yonder Way ( 603108 ) on Saturday March 25, 2006 @10:27PM (#14996026)
    NFSv4 [iaps.com]
  • by overshoot ( 39700 ) on Saturday March 25, 2006 @10:46PM (#14996088)
    is the whole "local root user" thing.

    Yes, there are advantages to having clued users able to do things on their systems [1] -- which is quite a different thing from having root access to the network stores.

    In other words, I don't see the problem unless you've created it.

    [1] Example: my system at $WORK. Note that most of the other engineers neither have, nor need, root access and I neither need nor have root access to anything but my own box.

    • Also, why would anyone need root access? Use sudo like MacOS X and Ubuntu.
      • Um... that means having root access.
        • RTFM

          If you would peruse the sudo documentation, you'd realize it is possible to customize it to allow particular users to execute particular commands as root.

          Even without sudo, it's possible to allow only very specific actions as root by using chmod suid magic.

          Of course, every time you use either of these methods, your security is lessened with respect to the next vulnerability found in sudo or whatever application you've authorized the user to run as root. But I did not get the impression that the

        • If you use "user ALL=(ALL) ALL", then yes there is not much difference than just giving them root access. However, sudo allows you to fine tune which programs they can execute. For example, you could give access only to yum and mount: "user localhost=yum,mount". You could even set it so that they can only pass certain options to the programs.

          Personally, I think Ubuntu and Mac OS X get it right in disabling root by default. BTW, I'm a Fedora user.
    • What I don't understand is this:

      Samba serves as PDC/BDC (not using Active Directory yet)

      Apparently, he's planning on running Active Directory on Linux?

      That's something I'd like to see!
      • What I don't understand is this:

        Samba serves as PDC/BDC (not using Active Directory yet)

        Apparently, he's planning on running Active Directory on Linux?

        That's something I'd like to see!

        What I believe he meant is that, since he's using Samba on his Linux servers to replicate the file sharing/domain functions of Windows (NT), he doesn't have the ability to do Active Directory-like stuff yet (since the current Samba v3 implementation doesn't support it).

        If you'd like to see it, you might not ha

    • In university research labs it's common for a user to have root on his or her own machine. I have root access to my machine - it is mine after all. I can mess around with it in any way I want, and if I cock it up, it's my fault and I have to pick up the pieces. It gives me a chance to learn a bit more about how my system works, and to try things out. But I absolutely should not have root access to the rest on the network. I'm too likely to break something important. Local root is useful, network root would
    • Unfortunately many apps on Windows need admin permission to run, especially in the CAD and 3D Animation world (Modellers, Renderers, Compositors etc). They're slowly being updated and pulled into line but it'll be many years away.
      • Unfortunately many apps on Windows need admin permission to run, especially in the CAD and 3D Animation world (Modellers, Renderers, Compositors etc). They're slowly being updated and pulled into line but it'll be many years away.

        Which doesn't explain the need to have users running Linux as root.

  • Fish? (Score:2, Informative)

    by dcapel ( 913969 )
    As I am certainly not a sysadmin, take with a grain of salt, but if you gave everyone konqueror (KDE browser), you could use fish to do it.

    Fish is a file-system-over-ssh setup, that only requires ssh access, with perl being optional. It respects all the permissions a ssh account would.

    Konqueror also has Kioslave for a crapload of other protocols, including nfs, so it would be worth looking into even if you don't like fish.

    http://www.garni.ch/fish/ [garni.ch]
    kde.org
  • AFS (Score:3, Interesting)

    by Borealid ( 838626 ) on Sunday March 26, 2006 @12:05AM (#14996327)
    Why not give OpenAFS from http://www.openafs.org/ [openafs.org] a try? It has its own permissions model, and (if you choose to have it so) is completely Kerberos-5 secured. Local root means literally nothing to AFS. It may be a bit beyond your needs, but in terms of scalability and security it beats NFS any day...
  • smbmount (Score:4, Informative)

    by paugq ( 443696 ) <pgquiles@NosPAm.elpauer.org> on Sunday March 26, 2006 @12:11AM (#14996349) Homepage
    Ever heard of smbmount?

    Yes, it's part of the Samba package.

    Yes, it does exactly what it suggests: mounts a Samba share (the same thing you were doing when you were using Windows)

    So, point one: you do not need to use NFS

    Now let's go for point two. And I will not extend here. Just a tip: man fstab, then go to the fourth field (options) and look for help on the "user" option.

    All your problems fixed.
    • Unfortunately samba doesn't gracefully handle disconnects, and doesn't work well with the unix approach of having filesystems explicitly mounted and unmounted.

      Aside from that, the user= option isn't terribly secure if the user has local root on the system.

      NFS with kerberos is a much better idea.
      • You can explicitly mount/unmount Samba shares. *Nothing* is secure if the user has local root on the system!
      • I've used smbmount a few times for various reasons over the years and found it a tad flaky dealing with the server going away. NFS servers rebooting on the other hand are a different story, the clients deal well and the protocol is (normally*) truly stateless. However my most recent uses have found it to have been greatly improved, it dealt well with constant windows reboots, and my /jdrive mount, stayed working every morning I came in and tried it until my password expired (easily fixed). So with good
  • Seriously (Score:3, Insightful)

    by fimbulvetr ( 598306 ) on Sunday March 26, 2006 @12:40AM (#14996434)

    What's wrong with using NIS/+/ldap with automounting nfs homedirs? Root, from arbitrary machines, should have no reason to access mounted homedirs, and the users can still do local root.

    How is that hard?

    Don't want to automount? Add a line to /etc/fstab.

    The whole super custom complex setups, the kind you're digging yourself into a hole for, are the #1 cause for:

    1. Hard to troubleshoot problems/issues.
    2. Poorly performing infrastructure.
    3. Security vulnerabilities.
    4. Networks that are hard to make redundant.

    KISS

    • The problem is that that solution doesn't address the.. somewhat unreasonable needs he has. Specifically:

      1. He wants to run NFS.
      2. Users have local root access.
      3. He doesn't want them to be able to access network shares they shouldn't have access to.

      Those issues are hard to rectify when they're all placed together.
    • Wait, you're advocating NIS as a way to avoid accidentally creating security vulnerabilities?

      Yeah, I guess introducing them on purpose is one way to avoid accidents...
      • I understand where you're coming from with NIS(+) being pretty shitty, I should have just stressed some sort of centralized UID/GID system.
  • It's standard to squash root unless absolutely necessary and absolutely trusted, and can't root be remapped to another user for network file system access anyway for those people that spend far too much time as root?

    Really, comparing windows file sharing to NFS and mentioning the word "security" - is the article a troll by someone trying to score points for MS or is the question being asked before reading even the man page?

    Both NFS and CIFS/SMB do have serious issues that prevent them from being used on a

    • I think if you read some of the other posts, you'll get this point... but NFS using AUTH_SYS RPC authentication (as opposed to rpcsec_gss) provides literally NO file security. Yes, you can squash root or map it to another UID. But without giving up a lot of functionality (supplemental groups for example, using the solution suggested above about all_squash,anonuid=xxxx,anongid=yyyy) any user with root access on a client can do:

      $ su -
      # su - someuser

      And have all access as 'someuse
      • any user with root access on a client can do ... su - someuser

        Obviously, but if you can't trust them to be any user on the machine then they shouldn't have root - and at the most basic level the /etc/exports file limits access by machine to only those machines that should be permitted to connect to the filesystem. It does require clearly defined administrative limits of where different users should be allowed to go and either full awareness of where those users will work or users well practiced in using ss
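
An added example, not from any poster in this thread: a small Python audit of an NFS server's `/etc/exports` that flags the two conditions discussed above, namely exports that accept AUTH_SYS (`sec=sys`, the default when no `sec=` is given) without `all_squash`, and exports with `no_root_squash`. The sample file, host names, paths and the `parse_exports`/`audit` helpers are constructed for illustration; it handles the common line forms from exports(5), not quoted paths.

```python
import re

# Constructed sample /etc/exports (hosts and paths are made up for this example).
SAMPLE_EXPORTS = """\
# home directories for the workstations
/home      192.0.2.0/24(rw,root_squash)
/projects  ws1.example.org(rw,sec=krb5p) ws2.example.org(rw,sec=sys:krb5)
/scratch   *(rw,no_root_squash)
/shared    192.0.2.0/24(rw,all_squash,anonuid=1500,anongid=1500)
"""

CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports text."""
    text = text.replace("\\\n", " ")           # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        defaults = []
        for spec in specs or [""]:             # no client listed means any host
            if spec.startswith("-"):           # "-opt,opt" sets defaults for later clients
                defaults = spec[1:].split(",")
                continue
            m = CLIENT_RE.match(spec)
            if m:
                own = [o for o in (m.group(2) or "").split(",") if o]
                yield path, m.group(1) or "*", defaults + own

def audit(text):
    """Return (path, client, finding) tuples for exports that trust the client."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavors = ["sys"]                      # default flavor when no sec= is given
        for opt in opts:
            if opt.startswith("sec="):
                flavors = opt[4:].split(":")
        # With AUTH_SYS the server believes the UID/GIDs the client sends, so
        # client-side root can act as any user unless every request is squashed.
        if "sys" in flavors and "all_squash" not in opts:
            findings.append((path, client, "auth_sys"))
        if "no_root_squash" in opts:           # client root is also root on the export
            findings.append((path, client, "no_root_squash"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(*finding)
```

An export that lists `sys` alongside a Kerberos flavor is still reported, because a client can pick the weaker flavor.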

  • After using plan9, when I came back to *nix I thought that file access of the network would be a breeze. How wrong I was. Mind you, I was used to writing 9fs remote_9p_machine and it all being done. Even mounting a *nix box into plan9 follows the same pattern : srvssh nix_box

    Unix is written for One Big Server with network services. Exposing the file systems across the LAN is a very unfunny joke and that's why people end up sticking with Samba!

  • First of all, go LDAP with TLS for your authentication. NIS is an insecure hunk of junk. Really, really insecure. Second of all lose the rsync between servers, if you're not using rsync via SSH that's insecure as well. Next drop the NFS. Once again, insecure. If you have no choice, use root_squash, but you're only fooling yourself into thinking there is security. None of the files transferred across the network are encrypted. If someone has root on the box, they can do whatever they want as far as ch
  • Maybe this is naive (Score:3, Informative)

    by hey! ( 33014 ) on Sunday March 26, 2006 @09:46AM (#14997653) Homepage Journal
    but perhaps you'd do better talking to a Novell sales rep than Slashdot? I mean this is their core business after all, and if Linux is a requirement, they are a Linux vendor.
  • by canuck57 ( 662392 ) on Sunday March 26, 2006 @07:44PM (#14999789)

    How do you set up mounting directories that is easy to use like Windows -- everything automounted, but security settings are still respected for each user, even when local roots are involved?"

    For directories the use of auto mount functions is best.

    But as the title of this suggests - root is root is root ...

    It is generally overstated 100% of the time that many users need local root for anything. They should be using "sudo" if they need to cancel print jobs, or add users. Indiscriminate delegation of root is insecure and a bad practice. Please examine the "local" need for root, I think you will find it is not needed. The sudo config file can also be rsync'ed.

    In fact, in my environment UNIX Admins don't have the root password except for 2. The other admins use sudo to a shell. Users use sudo for printer management. The "identity management" uses sudo. Even when users want to mount directories they use sudo. Want to shutdown the machine or make backups, use sudo.

    Only trusted and a few admins get interactive command line access as root.

    I do concede, Windows is easier as in fact almost everything with the system runs as the admin including the users. Downright insecure. And can't be made secure and still run. UNIX/Linux is not this way but takes some rational thought.

    Over NFS, consider keeping the nosuid/non-root access. Consider using groups to control access. So if a normal user ID has membership in group1, and the directory is read-write to group1 they have access. You might say, users who create files in this directory don't set the groups right... then you need to support the setgid bit on directories and umask settings.

  • Generally, we give most engineers local root on their machine if we trust them; it lets them do certain adminish tasks to their local machine. However, we encourage them to use it very very rarely; those unsuited to this privileges generally lose it.

    Most user data is NFS supplied and not root-enabled. This causes almost no problems.

    Can you describe in detail what your users need (or expect, generally a larger list).

    Root power is surprisingly rarely needed if your setup is good. Without details, your i

  • mounting of server directories can only effectively be done with NFS, which is a problem with security because some people really need local root.

    Welp, mod me redundant if I missed it but I just read all the posts and didn't see the obvious answer...
    When sync'ing the user info tweak your script to set the user number to zero on the workstations (or whatever the "local" machine is).
    That way username can be "joebob", and user joebob (with a non-zero id) has restricted ri
    • "but locally (with a zero id) user joebob is equivalent to root."

      Including the ability to change user IDs?

      Note that the danger here is not root access to the NFS mount. That can easily be prevented. The danger is that someone will spoof another user and get access to their data. If NFS is relying on the local machine to authenticate the user, then the user can't be given root and limited in their actions on the NFS mount.

      As someone else pointed out, NFS is not the right tech for this problem. They need
  • Study NIS, NFS and automount. These form the holy trinity on which Sun built its huge success in the 80s.
    • NIS on Unix is like domain controller concept on Windows. Nowadays there are LDAP based information services but the concept remains identical. One central administration of all users and all information available over the network.
    • NFS on Unix is like SMB file sharing on Windows.
    • automount on Unix is like automated Windows drive mapping. Only much better.
    • For user controlled mounts, read fstab(5), moun
  • You may be interested to know that as of kernel 2.6.16, nfs now supports 1mb read/writes, previously it was only 64kb. This brings it inline with Solaris (if you have any solaris boxes on the network) and will help reduce the protocol & context switch overheads.

    Haydn.
