As an IT and Information Security administrator in the past and the present I’ve needed time and time again to find elaborate solutions to protect the company I’m in (several companies in the past) against threats from outside and from within (also against user’s mistakes or stupidity).
One of the main issues IT guys face are user permissions and specifically data access permissions.
For example, you don’t want a user to be able to see company bills, employee’s salaries and management documents.
One particular issue that has risen again and again in several companies I’ve worked for is the main storage handled with NFS.As some of you know the NFSv3 does not have extended permissions schemes for the connection (and NFSv4 is slow and not catching up)
The problem began when several IT guys and developers requested direct access to the data. The meaning is that they want a direct connection to the data.
Here are the problems:
- Most of the time people use Windows – and the servers are Linux – Permissions are not exactly compatible with these OS’s.
- Not all windows support NFS.
- User with Linux desktop has root – small mistake without root squash will be disastrous.
- NFS has no permission scheme thus when you allow IP to connect to the volume any computer that has this IP can access your storage.
Possible solutions (yet not good):
- Allow NFS access – Bad, very Bad!
- Use NFS with CIFS (or samba) – This is a good solution, it can provide the CIFS permissions (especially with active directory/ldap) in windows desktops and NFS for the servers.
The main issue with this solution is the mapping of user permissions so that what was written in the CIFS will be accessible to the NFS and vice-versa (I can talk days about the issues it had given me in the past).
Also it is important to mention – some big name NAS vendors don’t support this function (and if they do it’s clunky at best).
- Use NFSv4 – this might work but can give you a performance problem and windows doesn’t support this from the box.
- SFTP/FTP – this solution is the best for the IT guys but the worst one for the users.
With FTP you can grant users the access to the data while maintain the correct permission scheme and mapping the user permissions to the correct ones in the storage.
But the user experience with FTP is not that good and it’s not easy to work on files like that.
A few months ago I’ve had the same dilemma about granting access to a developer. He wanted to access his own directory from windows. (We had a Linux development server so the users can write code and test the environment).
His home directory was of course NFS share and he wanted an access to it from his windows machine so he could process files without the need to copy them back and forth from the server with FTP.
As an IT and Information Security in the company I coudn’t give him an access via NFS and our NAS didn’t support CIFS.
The solution I’ve found was simple and effective: SshFS.
Now if the users have been using Linux this was even easier – but fear not, SshFS for windows exist and it’s working fine.
Here is the project: http://linhost.info/2012/09/sshfs-in-windows/
Why this solution is good:
- IT guy (me) didn’t have to do anything.
- SshFS access allow the user to access his own user in the linux thus maintaining the permission scheme.
- Users can open files and process them directly from his workstation without the need to copy the file first.
- Security wasn’t breached because no change to the storage or servers was implemented.
This solution was elegant and fast – I’m now using this software to control my own project when I can’t access fast GUI connection to my servers.
And what about you? What do you think about that solution?