[Techtalk] The Ark
Raven, corporate courtesan
raven at oneeyedcrow.net
Tue Feb 26 12:51:10 EST 2002
Heya --
Quoth Conor Daly (Mon, Feb 25, 2002 at 08:26:55PM +0000):
> I'd be inclined to say NFS is a pretty reasonable route. there's one
> caveat though; nfs will take forever to timeout if a machine is not
> available.
Yah. If you have connectivity problems or boxes occasionally
powered off on your network, NFS can be a real pain. We're literally
talking like a 20 minute timeout, like Conor said. Also, you have big
security issues with it if your local LAN isn't trusted and/or your NFS
client users have root on their boxes.
When you NFS-mount a drive, the NFS server basically just takes
your user from the client, and authenticates you as that user on the
server. If I have an NFS client on my machine, and I NFS-mount a drive,
I get raven's files. But if I have root on my local box and I know that
James uses the same NFS server, all I have to do is create the james
account on my local box, mount the NFS drive, and presto! I have
james's files.
There is a feature called root_squash that somewhat ameliorates
this problem, in that it won't allow "root" to authenticate as a client.
(Then you get all root's files!) Instead, it will make any "root"
connections get "nobody"'s files. That should be on for most NFS
deployments, but this still doesn't fix the above scenario.
Cheers,
Raven
"4, 5, and 6 got me to an old couple who answered the phone, 'Praise the
Lord.'...8 got me to a number that wouldn't let the call go through. It had a
telemarketer block on it, so it asked for my name and the company I was with.
I said "Stephen... Bush... Ravens of the Storm." They didn't pick up... 9 had
the same block. I said, with confidence this time, "Stephen Bush, Central
Intelligence Agency." An old man answered this one and when I asked for Raven
said nary a word and just the slightest harumph and hung up. It was then I
remember I was calling in and around DC and was doing it with the President's
last name."
-- Stef, trying to find my new home number
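The trust problem Raven describes (AUTH_SYS exports hand the server whatever UID the client asserts, and root_squash only covers UID 0) shows up directly in /etc/exports. The following is an added example, not code from the original post or the Techtalk list: a small audit script that parses Linux exports(5) syntax and flags the exports a defender would want to look at first. It assumes the standard option names (root_squash, no_root_squash, all_squash, sec=), the exports(5) rule that a space before the parenthesis applies the options to every host, and a constructed sample exports file embedded inline.

```python
"""Flag /etc/exports entries exposed to the NFS UID-trust problem.

Added example (not the original post's code).  Assumes Linux exports(5)
syntax: "<path> <client>(<opts>) ...", '#' comments, options
root_squash / no_root_squash / all_squash / sec=<flavour[:flavour]>.
"""
import re

# Constructed sample: the first two exports follow the weak pattern
# described above (any host, client-asserted UIDs, root not squashed);
# the last one is the hardened form.
SAMPLE_EXPORTS = """
# constructed example exports file
/home           *(rw,no_root_squash)
/srv/projects   192.168.1.0/24(rw)
/srv/pub        192.168.1.0/24(ro,all_squash,sec=krb5p)
"""

SPEC_RE = re.compile(r"([^(]+)(?:\((.*)\))?")


def parse_exports(text):
    """Yield (path, client, set-of-options) for every client spec."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        path, specs = tokens[0], tokens[1:]
        for spec in specs:
            if spec.startswith("("):
                # "host (opts)" with a space: exports(5) applies the
                # parenthesised options to *every* host, a classic pitfall.
                client, opts = "*", spec[1:].rstrip(")")
            else:
                m = SPEC_RE.fullmatch(spec)
                client, opts = m.group(1), m.group(2) or ""
            yield path, client, {o.strip() for o in opts.split(",") if o.strip()}


def audit_exports(text):
    """Return a list of (path, client, severity, issue) findings."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "HIGH",
                             "exported to any host; restrict to named hosts "
                             "or a small subnet"))
        if "no_root_squash" in opts:
            findings.append((path, client, "HIGH",
                             "no_root_squash: root on the client is root on "
                             "the server (root_squash, the default, is off)"))
        # sec= takes a colon-separated list; absent means sec=sys (AUTH_SYS)
        flavours = set()
        for o in opts:
            if o.startswith("sec="):
                flavours.update(o[4:].split(":"))
        if (not flavours or "sys" in flavours) and "all_squash" not in opts:
            findings.append((path, client, "MEDIUM",
                             "AUTH_SYS: server trusts the UID the client "
                             "sends, so root on any client can read any "
                             "user's files; use sec=krb5p (or krb5/krb5i) "
                             "or all_squash if the LAN is not trusted"))
    return findings


if __name__ == "__main__":
    for path, client, sev, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{sev:6} {path} -> {client}: {issue}")
```

Run it against a real exports file with `audit_exports(open("/etc/exports").read())`. The MEDIUM finding is the one Raven's scenario hinges on: root_squash alone never stops a client-side root from presenting someone else's UID, so on an untrusted LAN the fix is Kerberos security flavours or all_squash, not just keeping root_squash on.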