On Wed, Dec 06, 2017 at 09:04:39PM +, Simon Hobson wrote:
> Yevgeny Kosarzhevsky wrote:
>
> > Ok but this is not about NFS but about any FS that can be accessed over
> > network.
>
> It may help to point out something that I didn't spot when I first came
> across NFS.
>
> With SMB, AFS, F
On 06/12/2017 at 23:20, Steve Litt wrote:
On Tue, 5 Dec 2017 01:14:12 -0800
Rick Moen wrote:
How NFS mount will make your system less secure?
I'm not going to argue. Study NFS.
In that case, what about running Samba Server on a Linux box, running
Samba clients on another, and having all s
On Wed, 6 Dec 2017 16:20:59 -0800
Rick Moen wrote:
> Quoting Steve Litt (sl...@troubleshooters.com):
>
> > On Tue, 5 Dec 2017 01:14:12 -0800
> > Rick Moen wrote:
> >
> > > > How NFS mount will make your system less secure?
> > >
> > > I'm not going to argue. Study NFS.
> >
> > In that cas
Quoting Steve Litt (sl...@troubleshooters.com):
> On Tue, 5 Dec 2017 01:14:12 -0800
> Rick Moen wrote:
>
> > > How NFS mount will make your system less secure?
> >
> > I'm not going to argue. Study NFS.
>
> In that case, what about running Samba Server on a Linux box, running
> Samba client
On Tue, 5 Dec 2017 01:14:12 -0800
Rick Moen wrote:
> > How NFS mount will make your system less secure?
>
> I'm not going to argue. Study NFS.
In that case, what about running Samba Server on a Linux box, running
Samba clients on another, and having all shares on the Samba Server
only allow
Yevgeny Kosarzhevsky wrote:
> Ok but this is not about NFS but about any FS that can be accessed over
> network.
It may help to point out something that I didn't spot when I first came across
NFS.
With SMB, AFS, FSoverSSH, etc, etc, etc the client authenticates to the server
as a specific us
I have configured everything needed to boot using PXE using NFS as
root-filesystem at home some months ago:
http://dpa.li/pxeboot.mp4
I export the root filesystem of an lxc container read only using NFS.
It's really convenient, I can install and rem
On 06/12/2017 at 12:55, Alessandro Selli wrote:
On Wed, 6 Dec 2017 at 19:03:51 +0800
Yevgeny Kosarzhevsky wrote:
On 6 December 2017 at 06:54, Alessandro Selli
wrote:
Any good reason to refuse NFS in favor of those?
In short: no. Just be aware that NFS is as secure as the trusted networks
On Wed, 6 Dec 2017 at 12:09:43 +0100
Didier Kryn wrote:
> On 06/12/2017 at 11:53, Alessandro Selli wrote:
>> On Wed, 6 Dec 2017 at 11:38:25 +0100
>> Didier Kryn wrote:
>>
>>> On 05/12/2017 at 23:54, Alessandro Selli wrote:
On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote:
>>>
On Wed, 6 Dec 2017 at 19:03:51 +0800
Yevgeny Kosarzhevsky wrote:
> On 6 December 2017 at 06:54, Alessandro Selli
> wrote:
>
>>
>> > Any good reason to refuse NFS in favor of those?
>>
>> In short: no. Just be aware that NFS is as secure as the trusted networks
>> it
>> sits on. Any inside compro
On 06/12/2017 at 11:53, Alessandro Selli wrote:
On Wed, 6 Dec 2017 at 11:38:25 +0100
Didier Kryn wrote:
On 05/12/2017 at 23:54, Alessandro Selli wrote:
On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote:
[...]
Any good reason to refuse NFS in favor of those?
In short: no. Just be aw
On 6 December 2017 at 06:54, Alessandro Selli
wrote:
>
> > Any good reason to refuse NFS in favor of those?
>
> In short: no. Just be aware that NFS is as secure as the trusted networks
> it
> sits on. Any inside compromised machine can jeopardize the whole
> distributed
> filesystem.
>
Ok but t
On Wed, 6 Dec 2017 at 11:38:25 +0100
Didier Kryn wrote:
> On 05/12/2017 at 23:54, Alessandro Selli wrote:
> > On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote:
> >
> > [...]
> >
> >> Any good reason to refuse NFS in favor of those?
> > In short: no. Just be aware that NFS is as secure as
On 05/12/2017 at 23:54, Alessandro Selli wrote:
On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote:
[...]
Any good reason to refuse NFS in favor of those?
In short: no. Just be aware that NFS is as secure as the trusted networks it
sits on. Any inside compromised machine can jeopardize the
On 05/12/2017 at 11:46, Yevgeny Kosarzhevsky wrote:
[...]
> Any good reason to refuse NFS in favor of those?
In short: no. Just be aware that NFS is as secure as the trusted networks it
sits on. Any inside compromised machine can jeopardize the whole distributed
filesystem.
Alessandro
On 5 December 2017 at 18:16, Arnt Gulbrandsen
wrote:
> Yevgeny Kosarzhevsky writes:
>
>> I don't see that it will give lower security than any other FS in this
>> case.
>>
>
> Rick is trying to say: NFS has a poor reputation for accidental security
> misconfigurations. Something about the way NFS
Yevgeny Kosarzhevsky writes:
I don't see that it will give lower security than any other FS in this case.
Rick is trying to say: NFS has a poor reputation for accidental security
misconfigurations. Something about the way NFS is configured leads even
careful, clueful people to make configurat
Quoting Yevgeny Kosarzhevsky (phao...@gmail.com):
> For me NFS is helpful in cluster environments where each machine is a
> replica of another one and they share the same data.
It's terrific for that.
I used to construct HPC clusters of that general description when I
worked at VA Linux System
On 5 December 2017 at 17:14, Rick Moen wrote:
>
> By 'nougat security model', I meant a network security model that is
> fragile because of having no defence in depth, highly vulnerable in the
> interior and defended only at the borders. This is a very widespread
> problem, e.g., at many corpora
Quoting Yevgeny Kosarzhevsky (phao...@gmail.com):
> I don't know what's a 'nougat' security model, however I don't
> understand what you mean.
This was a semi-serious, semi-joke reference: Honestly, 'nougat' (orig.
from the Latin 'nux' meaning nut, arriving in English via Occitan and
then French
On 5 December 2017 at 14:21, Rick Moen wrote:
> Quoting Didier Kryn (k...@in2p3.fr):
>
> > the NFS connection across the world-wide Internet; it is always on a
> > LAN and, given this, I don't see how it can be insecure.
> ^^
> Ah, the 'nougat
Quoting Didier Kryn (k...@in2p3.fr):
> I heard that YP aka NIS was a horrible security threat. NFS is
> certainly not very secure either. But nobody considers establishing
> the NFS connection across the world-wide Internet; it is always on a
> LAN and, given this, I don't see how it can be insecu
Quoting k...@aspodata.se (k...@aspodata.se):
> Sun's Yellow Pages is called NIS since a long time ago.
And NIS is lately spelled 'LDAP'. ;->
NFSv4 is better and less gratuitously firewall-hostile than versions in
days of yore.
I still would carefully avoid exposing any NFS (what we traditional
On 04/12/2017 at 20:30, Steve Litt wrote:
Back in my youth, the wise men told me that NFS was a horrible security
threat unless you also used YP, which was too sophisticated for me to
ever figure out. So these days I use sshfs, which is nice, but slower
than a turtle dragging a railroad engine.
On 5 December 2017 at 03:30, Steve Litt wrote:
>
> Are a lot of you using NFS? Do you feel safe doing so?
>
Yes it happens in trusted networks. I don't see any additional security
threat in this case.
I also use it in some multiple virtual machines setup to minimize hard
drive usage.
It's also c
Steve Litt writes:
It appears you're using NFS.
Back in my youth, the wise men told me that NFS was a horrible security
threat unless you also used YP, which was too sophisticated for me to
ever figure out.
That's a long time ago and the world has changed.
Back then, the big problem was that
Steve Litt wrote:
> Back in my youth, the wise men told me that NFS was a horrible security
> threat unless you also used YP, which was too sophisticated for me to
> ever figure out. So these days I use sshfs, which is nice, but slower
> than a turtle dragging a railroad engine.
>
> Is NFS still
Steve Litt:
> On Mon, 4 Dec 2017 23:12:59 +0800
> Yevgeny Kosarzhevsky wrote:
...
> > ~# ldd /sbin/mount.nfs|grep usr
>
> It appears you're using NFS.
>
> Back in my youth, the wise men told me that NFS was a horrible security
> threat unless you also used YP, which was too sophisticated for me
On Mon, 4 Dec 2017 23:12:59 +0800
Yevgeny Kosarzhevsky wrote:
> Hello,
>
> I am unable to mount empty /usr on jessie. Is there any workaround or
> should I keep some files there?
> Or is there any build for libgssapi-krb5-2 to keep its files in /lib?
>
> ~# ldd /sbin/mount.nfs|grep usr
It appe