On Tue, Aug 27, 2002 at 10:25:08AM -0700, Allen, Pat wrote:
> Hi all,
> I hope that this isn't too obvious a question but here goes....
> I'm wondering how people are handling NFS security in environments where you have a lot of Mac OS X or Linux computer systems. For ease of administration, I would love to be able to specify that any computer within our network has read access to various qtrees. But this opens up a can of worms in that anybody with root access on their local Mac or Linux box can spoof user accounts with legitimate UIDs and GIDs. This essentially gives away the keys to the kingdom.

Don't export with root privs at all then.

> The other obvious alternative is using netgroups but that would be a lot of administration as machines come and go. It's certainly better than opening up access to everybody but not a course that I'd like to take.

Force them to use authentication and export via CIFS or something instead.

> Are there any other alternatives that I'm missing? Thanks!

As I said, turn off the root to root mapping, only export items read only that they need, anything else should be via authenticated login, which CIFS supports and both Linux and OS X can do.
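
An added example, not part of the original thread: a small Python check that flags the export settings discussed above (root mapping granted to clients, and write access not limited to named hosts). It assumes export lines in the Data ONTAP 7-mode `/etc/exports` style, which the thread does not show; the paths, hosts and netgroup name are constructed.

```python
# Audit filer export lines for the settings discussed in this thread.
# Assumed format (not shown in the thread):  /vol/path -opt=val,opt=val

SAMPLE_EXPORTS = """\
# constructed sample, not from the thread
/vol/vol1/docs    -sec=sys,ro
/vol/vol1/proj    -sec=sys,rw,root=10.1.0.0/16
/vol/vol1/scratch -sec=sys,rw=@labhosts,anon=0
/vol/vol1/home    -sec=sys,rw=adminhost:buildhost
"""


def parse_line(line):
    """Return (path, {option: value-or-None}), or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split(None, 1)
    opts = {}
    for item in (parts[1] if len(parts) > 1 else "").lstrip("-").split(","):
        if item:
            key, _, val = item.partition("=")
            opts[key.strip()] = val.strip() or None
    return parts[0], opts


def audit(text):
    """Map each export path to a list of findings (empty list = nothing flagged)."""
    report = {}
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        path, opts = parsed
        findings = []
        if "root" in opts:
            findings.append("root-mapped: client root keeps UID 0 for " + str(opts["root"]))
        if opts.get("anon") == "0":
            findings.append("anon=0: squashed root is mapped back to UID 0")
        if "rw" in opts and opts["rw"] is None:
            findings.append("rw-to-all: write access is not limited to named hosts")
        report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit(SAMPLE_EXPORTS).items():
        print(path, "OK" if not findings else "; ".join(findings))
```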