No File Security 289
But Unix still doesn’t let me write my files back out. I poke around a bit and find that the problem is that when your Kerberos privileges expire, nfsauth crashes. OK, so I start up another nfsauth, once again feeding it the names of all the NFS servers I am using. Now I can write my files back out.
Well, it turns out that I almost always work for longer than eight hours, so this becomes a bit of a routine. My fellow victims in LCS Unix land assure me that this really is the way it works and that they all just put up with it. Well, I ask, how about at least fixing nfsauth so that instead of crashing, it just hangs around and waits for your new Kerberos privileges to arrive? Sorry, can’t do that. It seems that nobody can locate the sources to nfsauth.
The Exports List
NFS couldn’t have been marketed if it looked like the system offered no security, so its creators gave it the appearance of security, without going through the formality of implementing a secure protocol.
Recall that if you don’t give the NFS server a magic cookie, you can’t scribble on the file. So, the NFS theory goes, by controlling access to the cookies, you control access to the files.
To get the magic cookie for the root directory of a file system, you need to mount the file system. And that’s where the idea of “security” comes in. A special file on the server called /etc/exports lists the exported file systems and the computers to which the file systems are allowed to be exported.
Unfortunately, nothing prevents a rogue program from guessing magic cookies. In practice, these guesses aren’t very hard to make. Not being in an NFS server’s exports file raises the time to break into a server from a few seconds to a few hours. Not much more, though. And, since the servers are stateless, once a cookie is guessed (or legitimately obtained) it’s good forever.
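A toy model of the trust boundary just described, added here as an illustration and not taken from the book: the exports list gates only the MOUNT that hands out the root cookie, and a stateless server judges every later request by the cookie alone, so a cookie that leaks or is guessed keeps working from any host. The model contrasts that design with a server that re-checks the exports list on every request. Host names, paths and the cookie format are constructed for the example.

```python
from dataclasses import dataclass, field
import secrets

# Constructed stand-in for /etc/exports: path -> hosts allowed to mount it.
EXPORTS = {"/home": {"trusted.example"}}


@dataclass
class NfsServer:
    per_request_check: bool                       # False = the design the text describes
    cookies: dict = field(default_factory=dict)   # cookie -> exported path

    def mount(self, client, path):
        """MOUNT: hand out the root cookie only to hosts listed in EXPORTS."""
        if client not in EXPORTS.get(path, set()):
            return None                  # not in the exports list: refused
        cookie = secrets.token_hex(16)   # opaque file handle ("magic cookie")
        self.cookies[cookie] = path
        return cookie

    def write(self, client, cookie):
        """WRITE: the server is stateless, so the cookie alone names the file system."""
        path = self.cookies.get(cookie)
        if path is None:
            return "ESTALE"              # unknown cookie
        if self.per_request_check and client not in EXPORTS[path]:
            return "EACCES"              # hardened: exports list re-checked per request
        return "OK"


def rogue_write_result(per_request_check):
    """A host outside the exports list is refused at MOUNT, then presents a
    cookie obtained elsewhere. Returns the server's verdict on its WRITE."""
    srv = NfsServer(per_request_check)
    cookie = srv.mount("trusted.example", "/home")
    assert srv.mount("rogue.example", "/home") is None
    return srv.write("rogue.example", cookie)


if __name__ == "__main__":
    print("mount-time check only:", rogue_write_result(False))   # OK
    print("per-request check:    ", rogue_write_result(True))    # EACCES
```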
In a typical firewall-protected network environment, NFS’s big security risk isn’t the risk of attack by outsiders—it’s the risk that insiders with authorized access to your file server can use that access to get at your files as well as their own.
Since it is stateless, the NFS server has no concept of “logging in.” Oh sure, you’ve logged into your workstation, but the NFS server doesn’t