LinuxQuestions.org
Old 06-23-2009, 02:07 AM   #1
govert
LQ Newbie
 
Registered: May 2005
Posts: 28

Rep: Reputation: 0
Samba vs. NFS - security


I have managed to set up both samba and nfs on my ubuntu machine, so I have a slight feel for how both samba and nfs work with regard to security.

However, I would appreciate it if someone with more knowledge could summarize the main security issues with nfs and samba.

Which one is better, if you follow best practice?

As an example, samba-server requires some kind of authorization, while nfs doesn't. Does that matter?
 
Old 06-23-2009, 06:19 AM   #2
jsteel
Member
 
Registered: Mar 2007
Location: England
Distribution: Arch
Posts: 392

Rep: Reputation: 34
I hear NFS has a reputation of being insecure, but I don't think that is true. I think that it can be insecure if not set up correctly (mainly with permissions).

If I were you I would use NFS unless you are planning on having any Windows computers connecting in the future. Have a search for an article/tutorial related to NFS security.
 
Old 06-23-2009, 06:44 AM   #3
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
NFS has several deficiencies that make it less than adequate in a file server role. It is insecure in that all file transfers are transmitted in cleartext - not any more insecure than samba, IMO.

There are other problems with NFS, though, and it should be avoided as a best practice unless there's a requirement for it, and even then it must only be used in a trusted, highly controlled environment.

I like to use FUSE where possible or samba as a backup.
 
Old 06-23-2009, 01:18 PM   #4
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,189

Rep: Reputation: 105
I was looking around for a clear explanation of the issues I had heard recently about NFS and found http://forums.whirlpool.net.au/forum...0629#r10990629 . That matches a discussion that occurred at our weekly sysadmin meeting about a month ago. One of the other departments uses NFS extensively, and there was a discussion concerning what to do about connections from laptops if you allow people to bring in their laptop from home. They have root on their laptop. That, in essence, ends up giving them root access on the share on the server if they know how and then try. The conclusion was that that department really ought to migrate away from NFS.

We use samba on Solaris for both file shares and print server access, and even Mac users connect with smb. A number of people in our department have argued that smb is more reliable than afp on MacOSX. We don't use NFS.
 
Old 06-24-2009, 03:00 AM   #5
govert
LQ Newbie
 
Registered: May 2005
Posts: 28

Original Poster
Rep: Reputation: 0
Thanks

This is for my home LAN where I control both ends, so I'll stick with NFS for the moment but move to samba eventually, if I get it to work as well as nfs.

Right now - on my test-samba-share - it looks like I have problems with paths containing nonstandard letters such as .

But that's for a different post.

...unless someone has any pointers ... ;-)
 
Old 07-13-2009, 04:24 PM   #6
ricstirato
Member
 
Registered: Jan 2004
Location: Gießen, Germany
Distribution: Xubuntu 12.04, Mythbuntu, Ubuntu Server 12.04
Posts: 174

Rep: Reputation: 24
Quote:
Originally Posted by govert
Right now - on my test-samba-share - it looks like I have problems with paths containing nonstandard letters such as .

But that's for a different post.

...unless someone has any pointers ... ;-)

Try to set the following parameters in smb.conf:

unix charset
dos charset


Regarding NFS vs. SMB: NFS (v3) trusts machines, SMB trusts users (assuming reasonable configuration).

Think of the following scenario:
- You have an NFS server allowing export to all hosts in the local subnet (like 10.0.0.0/255.0.0.0).
- You also have a DHCP server.
- Some bad guy connects to your LAN (worst case from outside the building using WLAN) and of course gets an IP address via DHCP.
- He can now mount your exports, as he has a trusted IP address.
- File and directory permissions are checked using the user/group IDs, not the names. So if you have a user "goodguy" with permission to access all exported files and this user has ID 500 (very common ... most distros start from 500 or 1000 for the IDs of regular users), he can simply use his local user "badguy" with ID 500 to access all these files.
- Not to mention the no_root_squash option of NFS ...

Use NFS if you have this in mind and feel protected enough by other means.
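
The machine-trust issues raised in posts #4 and #6 (client-supplied UIDs, subnet-wide exports, no_root_squash) can be checked for on the server. The following is an added example, not part of any poster's reply: a small Python audit of /etc/exports syntax. The sample exports content, its paths and hostnames, and the finding names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample /etc/exports content (illustrative, not from the thread).
SAMPLE_EXPORTS = """\
# path        client(options)
/srv/share    10.0.0.0/255.0.0.0(rw,sync)
/srv/backup   192.168.1.20(rw,sync,no_root_squash)
/srv/home     *.example.lan(rw,sync,sec=krb5p)
/srv/media    192.168.1.0/24(ro,sync,sec=krb5i)
"""

# One export target: optional client spec followed by optional "(options)".
CLIENT_RE = re.compile(r"^(?P<client>[^()\s]+)?(?:\((?P<opts>[^)]*)\))?$")

def client_is_broad(client):
    """True when the spec matches many hosts: wildcard, netgroup or network."""
    if any(ch in client for ch in "*?[") or client.startswith("@"):
        return True
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses > 1
    except ValueError:
        return False  # a single hostname

def audit_exports(text):
    """Return (line, path, client, finding) tuples for risky export entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or ["*"]:
            m = CLIENT_RE.match(spec)
            if m is None:
                continue
            client = m.group("client") or "*"
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            # exports(5): without sec=, the flavor is sys (AUTH_SYS).
            sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
            if "no_root_squash" in opts:
                findings.append((lineno, path, client, "no_root_squash"))
            if "sys" in sec.split(":"):
                # AUTH_SYS: the server believes the UID/GID the client sends.
                findings.append((lineno, path, client, "auth_sys"))
                if client_is_broad(client):
                    findings.append((lineno, path, client, "broad_client"))
    return findings
```

Entries that require a Kerberos flavor (sec=krb5, krb5i or krb5p) produce no finding because the server then authenticates the user rather than trusting the client machine's UID.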
 
Old 07-15-2009, 09:18 PM   #7
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
You may want to look at http://en.wikipedia.org/wiki/Sshfs
 
  


All times are GMT -5.