Protecting Against Impersonation Using NFS



next up previous contents
Next: Secure NFS Up: Improving the Security Previous: Exporting Files

Protecting Against Impersonation Using NFS

As with the ``r'' commands, it is often easy to impersonate a user or an NFS client system in an environment where NFS is used. A superuser on a client workstation is able to impersonate any user. With the ``r'' commands, a user is impersonated by assuming the user's username. With NFS, a user is impersonated by assuming the user's userid.

One way of minimizing the risk of user impersonation with NFS is to only export a user's files to that user's personal computer or workstation. Very often in current network environments, each client system is the exclusive domain of a single user. This type of environment promotes better security with NFS since each NFS client is accessed by only one user and only that user's files need be exported to that user's system. Any other files needed by a user can be exported ``read-only'' to that user's system. Once an NFS client is able to mount more than one user's files, then the possibility exists for the superuser to impersonate any user on that NFS client and there is no easy way to protect against such impersonation.

If an NFS client is a workstation, then a user is authenticated and associated with a userid by logging into the workstation. If an NFS client is a personal computer, then the NFS client implementation on the personal computer provides some way for the personal computer user to be associated with a userid so that access control can take place on the NFS server. The personal computer user's authentication and association with a userid is sometimes implemented with a daemon called pcnfsd. This daemon runs on a server not necessarily an NFS server. The personal computer user is able to designate not only NFS servers from which files are mounted but also the server running pcnfsd which authenticates the user to the NFS servers. Herein lies the possibility of a personal computer user assuming the identity of another user. Again, the importance of only exporting a user's files to that user's system is illustrated.

It is possible to impersonate an NFS client in the same manner as impersonating an ``r'' command trusted host (see sec. 10.2.7). As in the case of the ``r'' commands, a significant danger here occurs when a legitimate NFS client is disabled, disconnected from the network, or turned off. It is common practice to power off a personal computer at the end of the day. Thus, a personal computer which is also an NFS client can present a problem with regard to impersonation. Server administrators should be aware that almost all client implementations of NFS on personal computers also support the ``r'' commands. Thus, a personal computer NFS client is almost always a potential ``r'' command trusted host.

Protection against NFS client impersonation is similar to protection against trusted host impersonation with the ``r'' commands as described in section 10.2.7. A daemon, which could be a shell script, runs on the NFS server and monitors (perhaps by simply using ping) the ``health'' of each NFS client. When a client does not respond, that client's files on the server are unexported, thus denying access. When the client comes back on line, its files are exported once again after the user is authenticated.

If the NFS client is a personal computer and user authentication is by means of the pcnfsd daemon, then pcnfsd can be modified (the source is available) to export the user's files when the user is authenticated and receives the userid. If the NFS client is a workstation, then a client command for ``pcnfsd'' could be readily implemented on the workstation or the user could log into the NFS server to run a command which exports his files.



next up previous contents
Next: Secure NFS Up: Improving the Security Previous: Exporting Files



John Barkley
Fri Oct 7 16:17:21 EDT 1994