On Thu, Jul 25, 2002 at 01:07:19PM -0500, Dast wrote:
> So my question is, is it safer to host the NFS from the DMZ and
> mount remotely on machines in the internal network, or host the NFS
> from a machine on the internal network and remotely mount in the
> DMZ? Or does it matter?

I suppose it depends on what sort of activity you need to do over the NFS mount. Whoever gets root on an NFS client effectively gets access to both root-owned and user-owned files on the NFS share, whether directly or via su. Whoever gets root on the NFS server can obviously mess with the clients pretty heavily.

With a non-compromised server in the internal network, you do have the options to share the NFS area read-only, and/or squash root access to be identical to some unprivileged user. So if the need for NFS access is something along the lines of needing access to files in people's public_html directories for web serving, I'd put the NFS server on the internal network, share out /home as read-only and let each user manage their permissions in the public_html directory. Perhaps a better solution would be to put all user web files into a single tree outside their home, and only share that area.

Having no idea what you intend to do with the NFS mount, I'll refrain from further examples.

-- 
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]
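
The read-only, root-squashed export suggested in the message above can be checked mechanically. The following is an added example, not part of the original post: a small auditor for /etc/exports syntax that flags entries that are writable, unsquashed, or open to any host. The sample paths and host names are constructed, and line continuations and quoted paths are not handled.

```python
import re

# Constructed sample in /etc/exports syntax; paths and host names are hypothetical.
SAMPLE_EXPORTS = """\
# internal NFS server exporting to a web server in the DMZ
/home         web.dmz.example(rw,no_root_squash)
/srv/webtree  web.dmz.example(ro,root_squash)
/srv/pub      web.dmz.example(ro) *(rw)
/srv/data     web.dmz.example
"""

# One client entry: optional host, optional parenthesised option list.
ENTRY_RE = re.compile(r"^([^()\s]+)?(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Yield (path, host, options) per client entry; options is None if unparsed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = ENTRY_RE.match(entry)
            if m is None:
                yield path, entry, None
                continue
            host = m.group(1) or "*"           # "(opts)" alone means any host
            yield path, host, {o for o in (m.group(2) or "").split(",") if o}

def audit(text):
    """Return (path, host, problem) tuples for exports that are too open."""
    findings = []
    for path, host, opts in parse_exports(text):
        if opts is None:
            findings.append((path, host, "unparsed entry"))
            continue
        # Linux exports(5) defaults are ro and root_squash, so only
        # explicit overrides need flagging.
        if "rw" in opts:
            findings.append((path, host, "writable"))
        if "no_root_squash" in opts:
            findings.append((path, host, "root not squashed"))
        if host == "*":
            findings.append((path, host, "exported to any host"))
    return findings

if __name__ == "__main__":
    for path, host, problem in audit(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: {problem}")
```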