Does anybody have shfs in use?


Best Regards,


Re: shfs

I've played with it. It's awfully cute, and makes me itch to build chroot
cages for SSH users to prevent them from mounting "sshhost::/" remotely and
playing around.

Re: shfs

[ shfs ]

Why do you want to prevent this?


Re: shfs

Actually mounting remote filesystems via SSH makes those SSH servers' local
files accessible to any local user on the SSH client in a way that an active
SSH session has not previously supported, in a way that SSH chroot cages for
casual SSH users would help protect against.

Not all sys-admins are smart enough to use shadow passwords and non-DES
passwords, leaving it possible for anyone with SSH access to run very
successful brute force cracking against the server's /etc/passwd file. And
because not all users are careful enough to keep their home directories set
to "user-only" access, or to use non-DES passwords and restrict read
permissions in .htpasswd files that are locally accessible in their web
repositories. And because there are easily a dozen other such attack
approaches which people are not sufficiently careful about, ranging from
syslogs to files kept in /tmp, including read access to MySQL databases
where user account information may be stored, to read access to LDAP account
management databases.

I've also seen way, way too many systems where users' files are generally
accessible, either deliberately for NFS access as a matter of policy, or
because some inexperienced system administrator has created their own set of
user account creation tools which used "mkdir /home/username" without using
a "umask" before that step or "chmod 700" after that step to prevent general
access to new accounts.

I could go on, but I think that addresses most of my concerns.
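
An audit for two of the misconfigurations named in the post above, added here as an example and not part of the original thread: it lists accounts whose hash sits in the world-readable passwd file (flagging values shaped like DES crypt) and home directories that grant group or other access. The function names and the sample accounts are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# List accounts whose hash is stored in the world-readable passwd file
# instead of a shadow placeholder ("x", "*", "!"). A 13-character value
# with no "$" prefix has the shape of traditional DES crypt.
unshadowed_accounts() {
    awk -F: '
        $2 != "" && $2 !~ /^(x|[*!]+)$/ {
            if ($2 ~ /^[$]/)          kind = "modular-crypt"
            else if (length($2) == 13) kind = "des-crypt"
            else                       kind = "other"
            print $1 ":" kind
        }' "${1:-/etc/passwd}"
}

# List home directories under a base path that grant any permission bit to
# group or other, i.e. anything looser than what "chmod 700" would leave.
open_home_dirs() {
    for d in "${1:-/home}"/*/; do
        [ -d "$d" ] || continue
        # ls -ld mode string: char 1 type, 2-4 user, 5-7 group, 8-10 other
        mode=$(ls -ld "$d" | cut -c5-10)
        [ "$mode" = "------" ] || printf '%s\n' "${d%/}"
    done
}

# With no arguments, run against constructed sample data so the example
# works offline; otherwise pass a passwd file and a home base directory.
if [ $# -eq 0 ]; then
    t=$(mktemp -d)
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'alice:AAexamplehash:1000:1000::/home/alice:/bin/sh' \
        'bob:$6$constructed$hash:1001:1001::/home/bob:/bin/sh' > "$t/passwd"
    mkdir -m 700 "$t/alice"
    mkdir -m 755 "$t/bob"
    set -- "$t/passwd" "$t"
fi
unshadowed_accounts "$1"
open_home_dirs "$2"
```

The directory check reads only the classic mode bits, so access granted through POSIX ACLs is not reported.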
