REPEAT: hasn't anyone used smbclient linux->linux?

Peter J. Holzer hjp at wsr.ac.at
Mon Nov 8 11:29:00 GMT 1999


On 1999-10-21 23:05:07 +1000, Paul L. Lussier wrote:
> NFS isn't the most secure of protocols, but neither is SMB.  In fact, I'd say 
> that NFS is more secure than SMB,

I have to disagree with that. NFS[1] trusts the client machine almost
completely. This may be fine if you have complete control of all clients
and the network, but generally you haven't. If somebody has control of
a client machine (and everybody who has one at his desk, has control
of it), you have full access to all non-root files on all file systems
exported to that client. If the network infrastructure doesn't prevent
spoofing (and normally it doesn't), you can also impersonate other
client machines. NFS security only prevents people from accidentally
accessing other people's files, but if they want to, they can.

SMB security otoh is completely handled by the server. To access the
files of a user, you need to know his password. This may be easy to
obtain from a typical Windows PC, but that's a weakness of software
which stores passwords to be user (and cracker) friendly, not of the
protocol (well, the protocol isn't as strong as it could be either, but
compared to NFS it is quite good).

> and it is a whole lot more stable.

Speaking about protocols, I doubt this. NFS is mostly used between Unix
boxes and SMB between Windows PCs, so I guess the general difference in
stability between Unix and Windows makes a difference. SMB also
handles a lot of other stuff besides file service (e.g., Name service),
which should better be left to specialized protocols.

> If you're really that concerned about protecting your data from
> unauthorized access, you should probably consider using one of the ACL
> packages and combine that with an encrypted filesystem.

Won't help you if you still export that data via NFS.

	hp

[1] I am talking about "pure" NFS here. It may be possible to combine
NFS with Kerberos or some other cryptographic protocol to make it more
secure.

-- 
   _  | Peter J. Holzer             | Nobody should ever have to be
|_|_) | Sysadmin WSR / Obmann LUGA  | ashamed if they have a secret love
| |   | hjp at wsr.ac.at               | for writing computer programs that
__/   | http://wsrx.wsr.ac.at/~hjp/ | actually work.  -- Donald E. Knuth
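
An added example, not part of the original message: a short audit of an exports(5) file that flags every export still accepting client-asserted identity (no Kerberos `sec=` flavor, the "pure" NFS of the footnote) or disabling root squashing. The sample file, its paths and hosts, and the function names are constructed for illustration.

```python
KERBEROS = {"krb5", "krb5i", "krb5p"}

# Constructed sample in exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# constructed example
/home        192.0.2.0/24(rw,sync)
/srv/proj    *.example.org(rw,sec=krb5p) build.example.org(rw,no_root_squash)
/srv/mixed   -sec=sys:krb5 client.example.org(ro)
/srv/secure  -sec=krb5i,rw \\
             198.51.100.7
"""

def sec_flavors(options):
    """Return the flavors named by a sec= option, or None if absent."""
    for opt in options:
        if opt.startswith("sec="):
            return set(opt[4:].split(":"))
    return None

def audit_exports(text):
    """Return (path, client, issue) for exports that trust the client machine."""
    findings = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        path, clients, defaults = fields[0], fields[1:], []
        if clients and clients[0].startswith("-"):   # "-opt,opt" = per-line defaults
            defaults = clients.pop(0)[1:].split(",")
        for field in clients:
            client, _, opts = field.partition("(")
            own = opts.rstrip(")").split(",") if opts else []
            # With no sec= anywhere, the server falls back to sec=sys.
            flavors = sec_flavors(own) or sec_flavors(defaults) or {"sys"}
            if flavors - KERBEROS:                   # sys or none is accepted
                findings.append((path, client or "<any>", "weak_sec"))
            if "no_root_squash" in own + defaults:   # root on the client is root here
                findings.append((path, client or "<any>", "no_root_squash"))
    return findings

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:22} {issue}")
```

Paths quoted because they contain spaces are not handled; the sketch assumes whitespace-free fields.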