is an exercise left to the reader.) But this hack doesn’t work over NFS. The stateless protocol doesn’t know that the file is “opened”: as soon as the file is deleted, it’s gone.

NFS Hack Solution #3: When an NFS client deletes a file that is open, it really renames the file with a crazy name like “.nfs0003234320” which, because it begins with a leading period, does not appear in normal file listings. When the file is closed on the client, the client sends through the Delete-File command to delete the NFS dot-file.

Why the hack doesn’t work: If the client crashes, the dot-file never gets deleted. As a result, NFS servers have to run nightly “clean-up” shell scripts that search for all of the files with names like “.nfs0003234320” that are more than a few days old and automatically delete them. This is why most Unix systems suddenly freeze up at 2:00 a.m. each morning—they’re spinning their disks running find. And you better not go on vacation with the mail(1) program still running if you want your mail file to be around when you return. (No kidding!)

So even though NFS builds its reputation on being a “stateless” file system, it’s all a big lie. The server is filled with state—a whole disk worth. Every single process on the client has state. It’s only the NFS protocol that is stateless. And every single gross hack that’s become part of the NFS “standard” is an attempt to cover up that lie, gloss it over, and try to make it seem that it isn’t so bad.

No File Security

Putting your computer on the network means potentially giving every pimply faced ten-year-old computer cracker in the world the ability to read your love letters, insert spurious commas into your source code, or even forge a letter of resignation from you to put in your boss’s mailbox. You better be sure that your network file system has some built-in security to prevent these sorts of attacks. Unfortunately, NFS wasn’t designed for security. Fact is, the protocol doesn’t have any. If you give an NFS file server a valid handle for a file, the server lets you play with it to your heart’s content. Go ahead, scribble away: the server doesn’t even have the ability to log the network address of the workstation that does the damage.
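The nightly clean-up of abandoned “.nfs” dot-files described under NFS Hack Solution #3 could look like the following on a server. This is an added example, not code from the book; the function name, the hex-only name pattern and the 7-day default are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: sweep an export for abandoned NFS
# dot-files of the ".nfs0003234320" kind. Reports by default and deletes
# only when asked to.

# nfs_dotfile_sweep ROOT [DAYS] [--delete]
#   ROOT     directory to search (hypothetical export root)
#   DAYS     age threshold in days, default 7 (assumed value)
#   --delete remove the matches instead of only listing them
nfs_dotfile_sweep() {
    root=$1
    days=${2:-7}
    mode=${3:-report}

    # Build the find expression once so both modes match identically:
    #   -xdev               stay on the filesystem ROOT lives on
    #   -type f             regular files only; a symlink or directory that
    #                       merely carries a matching name is skipped
    #   -name / ! -name     ".nfs" followed by hex digits and nothing else
    #                       (assumed naming scheme), so ".nfsrc" is left alone
    #   -mtime +DAYS        last written more than DAYS days ago
    set -- "$root" -xdev -type f \
        -name '.nfs?*' ! -name '.nfs*[!0-9A-Fa-f]*' \
        -mtime +"$days"

    # Age is not proof of abandonment: a client that still holds the file
    # open (the mail(1) case above) loses its data when the sweep deletes.
    if [ "$mode" = "--delete" ]; then
        # rm runs per file from find itself, so odd characters in a path
        # are never re-parsed by the shell; -print lists what was removed.
        find "$@" -exec rm -f -- {} \; -print
    else
        find "$@" -print
    fi
}
```

Run without `--delete` first and review the list before letting the sweep remove anything.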
MIT’s Project Athena attempted to add security to NFS using a network security system called Kerberos. True to its name, the hybrid system is a real dog, as Alan Bawden found out:

Date: Thu, 31 Jan 91 12:49:31 EST
From: Alan Bawden <alan@ai.mit.edu>
To: UNIX-HATERS
Subject: Wizards and Kerberos

Isn’t it great how when you go to a Unix weenie for advice, he never tells you everything you need to know? Instead you have to return to him several times so that he can demand-page in the necessary information driven by the faults you are forced to take.

Case in point: When I started using the Unix boxes at LCS I found that I didn’t have access to modify remote files through NFS. Knowledgeable people informed me that I had to visit a Grand Exalted Wizard who would add my name and password to the “Kerberos” database. So I did so. The Grand Exalted Wizard told me I was all set: from now on whenever I logged in I would automatically be granted the appropriate network privileges.

So the first time I tried it out, it didn’t work. Back to the Unix-knowledgeable to find out. Oh yeah, we forgot to mention that in order to take advantage of your Kerberos privileges to use NFS, you have to be running the nfsauth program.

OK, so I edit my .login to run nfsauth. I am briefly annoyed that nfsauth requires me to list the names of all the NFS servers I am planning on using. Another weird thing is that nfsauth doesn’t just run once, but hangs around in the background until you log out. Apparently it has to renew some permission or other every few minutes or so. The consequences of all this aren’t immediately obvious, but everything seems to be working fine now, so I get back to work.

Eight hours pass.

Now it is time to pack up and go home, so I try to write my files back out over the network. Permission denied. Goddamn. But I don’t have to find a Unix weenie because as part of getting set up in the Kerberos database they did warn me that my Kerberos privileges would expire in eight hours. They even mentioned that I could run the kinit program to renew them. So I run kinit and type in my name and password again.