Very clever! Thanks for the tip, I might just use it. As you said, it's not bulletproof, but it raises the level of difficulty and would hopefully dissuade the average miscreant.
Of course, highly preferable would be to use IPsec.
Re:
To: Brian Parent bparent@calvin.ucsd.edu
Cc: toasters@mathworks.com
Subject: Re: IPsec NFS to Unix clients
Date: Fri, 20 Aug 2004 10:07:39 -0400
From: Steve Losen scl@sasha.acc.Virginia.EDU
Has anyone else come up with some alternate means by which to secure NFS exported data, where the server is a NetApp filer? (For years I've been losing the battle to get the physical network secure, using locking wall jacks in our public access labs.) I've been using NetApp file servers since 1995, and have been generally happy, but this security problem is making me seriously reconsider.
We came up with a pretty ugly hack to prevent folks from installing impostor NFS clients on a physically insecure network, such as in a student Unix lab. We were aware of the risk, but were finally motivated to do something when some little bastard (ahem, student) replaced a lab machine with his Linux laptop, so he was able to NFS mount the home directories, and because he had root on his laptop, he could su to any user and have read/write access to their home directory.
So here is what we did.
...[remainder elided]