Slashdot Mirror
Understanding NFS
LiquidPC writes: "ONLamp.com's Big Scary Daemons section has yet another great new BSD article, this one on Understanding NFS and using it in FreeBSD."
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
Here's a printer and human friendly version, for those of you, who don't like half-screen animated ads inside the text you try to read.
~shiny
WILL HACK FOR $$$
Second, if you export NFS to the world, you're insane and deserve what you get. If you want remote filesystem access, use a secure protocol like the Self-Certifing Filesystem (SFS). SFS also avoids completely the problem of having a shared UID space.
Finally, his advice to mount your filesystems intr is good. But insufficient - also mount them soft, so that filesystem calls will eventually timeout if the server goes poof.
I don't think this article qualifies as "understanding nfs". NFS is a hairy beast, and all this does is get you started from the userland point of view. What makes nfs so hairy is the numerous ways it can fail or at least not do what you expect.
-Peter
== Just my opinion(s)
There is already stuff about NFS! The NFS HOWTO can be found at http://nfs.sourceforge.net/nfs-howto/
For the Windows clients, I just use Samba . It gets the job done quite well, though to use encrypted passwords you do have to maintain a separate password file for it. It does have a facility to sync the *nix passwd file to its own, though.
For the other problem, you should look into the root_squash option.
WMBC freeform/independent online radio.
As someone else has already mentioned, you could use the Self-certifying File System .
:), I'd stay away from it.
You could also establish an encrypted tunnel between the two machines using whatever implementation of IPSEC they have (Linux has FreeSWAN, OpenBSD has something built into the kernel, not sure about others). Then you could share stuff however you wanted.
We're currently using NFS to share our MP3 collections on our private network (behind the firewall/gateway), and it's not a big problem there. But for any network I don't trust (and I'm not very trustworthy
WMBC freeform/independent online radio.
Just a tip... by default, FreeBSD uses conservative NFS mounting options. Note that these work well when trying to interoperate with other Unixes; everybody speaks the lowest common denominator. You can use mount options to augment NFS performance but reduce interoperability somewhat. These options aren't necessary when you're working with one or two clients, but as your NFS installation grows, you'll find them helpful. They may or may not work with other operating systems; it depends on what those OSs support.
NFS has a long history of insecurities.(Link takes a little while to load...)
Also in the article he claims: "You can reboot a server and the client won't crash." Maybe not crash but at least with Solaris (in my experience) you hang the entire system during the reboot. Sometimes it comes back and sometimes it doesn't.
For a secure alternative that runs on *BSD/Solaris/Linux w/(2.4 Kernels) try out:
Self-Certifying Filesystem.
The authors do warn that it is in alpha stage but also claim they have never lost a file. VERY cool project.
And of course as the OpenBSD Journal has noted, SysAdmin Mag is running an article on Tunneling NFS over SSH.
Comments about /etc/exports... /etc/exports would be incompatible with that from any other Unix."
/etc/exports? Of course you can have seperate directories from the same partition on different lines!! In the man page they have an example of it! Plus there is this comment lifted directly from the FreeBSD 4.5 man page for /etc/exports.
"There are no identifiers between the components of the line. Yes, it would be easier to read if we could put each shared directory on its own line, but we can't; they're all on the same partition. The FreeBSD team could rewrite this so that it had more structure, but then our
What?!?! Did this guy even read the man page for
"Mount points for a filesystem may appear on multiple lines each with different sets of hosts and export options."
Michael's articles are usually of excellent quality, but I can't believe how many other mistakes he's made! The article is written to familiarize a "junior" sys admin to NFS, but only teaches them bad habits. Hopefully he'll do a little more research for his future articles.
I agree securing NFS is a hard problem in a hostile environment. Basically, NFS is wide open if you managed to root one machine. A group of my friends at university used to boot machines using linux bootdisk. Then, mimics other guys UID, IP etc to fool the NFS server. If you gain root after login, a clue-up sysadmin should be able to track you down... Boot floppy is the killer here. Well, you can say the computer guys should disable floppy booting option in BIOS. But, they cannot really do much as some student need to boot with floppy occasionally (we are in CSE).
Simple tricks no longer works when we switched to something more secure, AFS , in our case.... It is way more advanced than NFS. For example, as a normal user, I can authorise only a few trusted person to have access to one of my designated subdir.
I haven't had any SFS problems for over 6 months, since 0.5i. But the notice is correct - your mileage may vary, and use with caution. I've seen SFS tickle bugs in the Linux NFS implementation, but the latest Linux NFS support is much improved over 2.2. On Open/FreeBSD, it's quite solid, IMHO.
For further info, browse the SFS-users mailing list. It's a good way to get a feel for the issues involved in running SFS.
(Obligatory disclosure: I'm not one of the developers, but my office is across the hall).
For those who are interested in a more secure NFS, i found an interesting article about encypted NFS (via openssh) It's a good read, and really interesting! Unfortunately it's written for Linux, but it's easy to adapt it to *BSD. Check it out here!
Life sucks.