
AWS File Gateway seems to allow setting of UID/GID NFS permissions on shares and files in the gateway. This is great, but since there is no local user base stored on the gateway itself, it seems that, once authenticated (which seems to go against the client's user store, not some File Gateway user store), the UID and GID values are populated by the client, not the server. This invalidates any kind of security as far as I can tell. Anyone that knows a UID or GID for a share could set the local computer's UID/GID accordingly and gain access to that share with whatever password they want.

What am I misunderstanding here?


What am I misunderstanding here?

Just that this has always been a limitation of NFS: the client machine is trusted.

NFS has a built-in assumption that a user with privileged access to the client machine is a trusted user, so no user will have an account with a conflicting or unauthorized UID/GID.

In environments where that is not the case, your observation is correct... if the client machine is not trusted, the basic NFS security model provides no meaningful security.

answered 2017-07-29T22:26:52.933
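To make the answer's point concrete: with the default NFS authentication flavour (AUTH_SYS, also called AUTH_UNIX), the UID and GID the server acts on are plain integers that the client writes into the RPC credential of every request; the server has nothing to verify them against. The decoder below is an added example (not from the question, the answer, or AWS) that parses such a credential, as an auditor might when reviewing a packet capture of a share, and flags identities the export was not meant to serve. The byte string and the name `review_credential` are constructed for this example.

```python
import struct

# Constructed sample: an AUTH_SYS credential body as carried in an ONC RPC
# call header (RFC 5531, Appendix A), hand-encoded in XDR (big-endian u32s).
SAMPLE_CRED = bytes.fromhex(
    "00000000"          # stamp
    "00000007"          # machinename length = 7
    "636c69656e743100"  # "client1" plus one byte of XDR padding
    "000003e8"          # uid = 1000  (asserted by the client, never verified)
    "000003e8"          # gid = 1000
    "00000002"          # two supplementary gids follow
    "000003e8"          # gid 1000
    "0000001b"          # gid 27
)


def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated credential")
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _xdr_string(buf, off):
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated machinename")
    text = buf[off:off + n].decode("ascii", errors="replace")
    return text, off + n + (-n % 4)   # skip the padding to a 4-byte boundary


def parse_authsys(cred):
    """Decode an AUTH_SYS credential body into its fields."""
    stamp, off = _u32(cred, 0)
    machine, off = _xdr_string(cred, off)
    uid, off = _u32(cred, off)
    gid, off = _u32(cred, off)
    ngids, off = _u32(cred, off)
    if ngids > 16:
        raise ValueError("AUTH_SYS allows at most 16 supplementary gids")
    gids = []
    for _ in range(ngids):
        g, off = _u32(cred, off)
        gids.append(g)
    if off != len(cred):
        raise ValueError("trailing bytes after credential")
    return {"stamp": stamp, "machinename": machine,
            "uid": uid, "gid": gid, "gids": gids}


def review_credential(cred, expected_uids):
    """Audit helper: what identity did the client assert, and is it one
    this export is supposed to serve? Returns (parsed fields, findings)."""
    parsed = parse_authsys(cred)
    findings = []
    if parsed["uid"] == 0:
        findings.append("client asserted uid 0 (root)")
    if parsed["uid"] not in expected_uids:
        findings.append(f"uid {parsed['uid']} is not an expected user of this export")
    return parsed, findings
```

Because the server trusts these fields as-is, the only real controls are the ones the answer implies: restricting which client hosts may mount the export, or moving away from AUTH_SYS to an authentication flavour that actually verifies the user.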