Networked filesystem with user level security for linux

Solution 1:

I am not sure I fully understand:

"I don't want to rely on machine trust like in NFSv4 because client users will have root privileges."

If you mean the client users will have root privileges on the client and you don't want them to have root on the host then you just don't use the "no_root_squash" option. You can also do things like disabling setuid to help reduce the risk to the client from the server as well.

You also have the option to use Kerberos with NFSv4, see this link.

So in other words, NFSv4 might give you the security you need while being a little bit more ... (scalable?) ... than using sshfs everywhere. It still might not be what you want, but I wouldn't give up on it too soon.

Solution 2:

With Kerberos, only the KDC server grants authentication tokens. A client machine by itself can only authenticate as a host (and that is if you give it the keytab to a matching nfs/client-hostname@REALM principal), and that only gives it the right to talk to the NFS server. It's the users who have the ability to authenticate, and the NFS server only authorizes them to access their own files. With sec=krb5p the server prevents snooping and alteration as well.

Being root won't give your users inappropriate privileges. The only way they'd get access to more files is by hacking each other's machines, hacking the NFS server or the KDC. NFSv4 with Kerberos fits your security requirements well.

Here is more on the security model:

  • Designing an authentication system: a dialogue in four scenes

If you're looking at a deployment, here are some debian/ubuntu centric tutorials. I picked simple setups without LDAP. These distributions have debconf-based configuration that gets you some of the way there.

  • Setting up Kerberos (note the FQDN requirements).
  • Setting up NFSv4

My additions: you don't need to specify a des-cbc-crc enctype, but you need to allow_weak_crypto in krb5.conf so that the communication protocol can use des-cbc-crc for stream encryption. This will become unnecessary in 2.6.35 kernels.

If you're looking at something appliance-like, there is FreeIPA.
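As an added example (my own script, not code from either answer or from any of the linked tutorials), here is a small POSIX sh audit that checks the settings both answers turn on: root_squash versus no_root_squash and sec=sys versus sec=krb5/krb5i/krb5p in the server's exports file, sec= and nosuid in the client's mount options, and allow_weak_crypto in krb5.conf. It assumes the standard exports syntax ("path client(options) ...", with root_squash and sec=sys as the exportfs defaults when nothing is given) and the files are passed in as paths; the sample exports and krb5.conf it writes under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the answers above. Audits NFSv4 exports, client
# mount options and krb5.conf for the settings the answers discuss.
# Assumed: exportfs defaults (root_squash, sec=sys) when an option is absent.
set -f   # no pathname globbing: export client specs like *.example.com stay literal

# Findings for one export entry. $1=path $2=client $3=comma-separated options.
check_export_opts() {
    oldifs=$IFS; sec=""; squash="root_squash"
    IFS=','
    for o in $3; do
        case "$o" in
            no_root_squash) squash="no_root_squash" ;;
            sec=*)          sec="${o#sec=}" ;;
        esac
    done
    IFS=$oldifs
    if [ "$squash" = no_root_squash ]; then
        echo "$1 $2: no_root_squash maps client root to server root"
    fi
    if [ -z "$sec" ]; then
        echo "$1 $2: no sec= option; default sec=sys trusts client-asserted uids"
        return 0
    fi
    IFS=':'
    for flavor in $sec; do      # sec= may list several flavors, e.g. krb5p:krb5i
        case "$flavor" in
            sys)  echo "$1 $2: sec=sys still permitted; clients may pick it over Kerberos" ;;
            krb5) echo "$1 $2: sec=krb5 authenticates only; krb5i/krb5p also protect the data" ;;
        esac
    done
    IFS=$oldifs
    return 0
}

# Walk an exports file ("path client(opts) client(opts) ...", '#' = comment).
audit_exports() {
    while read -r path clients; do
        case "$path" in ''|\#*) continue ;; esac
        for spec in $clients; do
            case "$spec" in
                *\(*\)) client="${spec%%\(*}"; opts="${spec#*\(}"; opts="${opts%\)}" ;;
                *)      client="$spec"; opts="" ;;
            esac
            check_export_opts "$path" "$client" "$opts"
        done
    done < "$1"
}

# Number of findings in an exports file, for scripting.
export_findings() { audit_exports "$1" | wc -l | tr -d ' '; }

# Client side: the option string from fstab or mount. Privacy needs krb5p;
# nosuid stops setuid binaries served by the NFS server elevating on the client.
check_mount_opts() {
    oldifs=$IFS; sec=""; nosuid=no
    IFS=','
    for o in $1; do
        case "$o" in sec=*) sec="${o#sec=}" ;; nosuid) nosuid=yes ;; esac
    done
    IFS=$oldifs
    case "$sec" in
        krb5p) ;;
        krb5i) echo "mount: sec=krb5i gives integrity only; use sec=krb5p for privacy" ;;
        *)     echo "mount: sec=${sec:-sys} protects neither integrity nor privacy; use sec=krb5p" ;;
    esac
    if [ "$nosuid" != yes ]; then
        echo "mount: add nosuid so setuid files on the export cannot elevate on the client"
    fi
    return 0
}

# True (exit 0) when krb5.conf enables weak enctypes. The answer above needs
# this for des-cbc-crc on pre-2.6.35 kernels; drop it once the kernel no longer needs DES.
krb5_weak_crypto_enabled() {
    grep -Eiq '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*(true|yes|1)' "$1"
}

# Constructed sample files for the demonstration.
tmp=$(mktemp -d)
cat > "$tmp/exports" <<'EOF'
# constructed sample: one weak export and one hardened one
/srv/home   *.example.com(rw,no_root_squash)
/srv/home   10.0.0.0/24(rw,sec=krb5p:krb5i,root_squash)
EOF
printf '[libdefaults]\n  default_realm = EXAMPLE.COM\n  allow_weak_crypto = true\n' > "$tmp/krb5.conf"

audit_exports "$tmp/exports"
check_mount_opts 'rw,sec=sys'
if krb5_weak_crypto_enabled "$tmp/krb5.conf"; then
    echo "krb5.conf: allow_weak_crypto is on; needed only for DES with old kernels"
fi
```

Run it as-is to see the findings for the constructed files, or point audit_exports at /etc/exports and check_mount_opts at the options column of an fstab line on a real client. The exports parser does not expand netgroups or multiple hosts in one token, so treat its output as a first pass rather than a full exportfs emulation.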