
I'm having a little debate with a fellow co-worker who states that running file-level permissions as UNIX on an NFS server (vendor NetApp) provides better security than if the NFS share (CIFS) was set for NTFS ... most NFS volumes presented in our environment are accessed by Windows servers.

What do you think? I mean, if someone has penetrated the network, then who's to say that NTFS will add another layer to it.



asked 05/25/2010 05:28

cogit ♦♦


3 Answers:
If you're using Windows Networking it makes more sense to use CIFS on the NetApp since it integrates into Active Directory as a server and will allow users to access files with NTFS permissions.

NetApp does two different things: NFS is NFS and CIFS is CIFS. The issue with having a strict NFS share is that unless you configure a NIS server you don't have centralized account/permission deployment. Without NIS on NFS and the extra management you would have to manually set permissions/users. Active Directory works, and with Kerberos authentication you have better control of your shares and permissions.

paulsolov

Another distinct difference between CIFS and NFS is that NFS controls share access by machine while CIFS can define share access by machine and user. Once a file system is mounted, the files and directories can be restricted on a user/group level by either system.

When you are accessing the same file system from both Unix/Linux and Windows clients it is important to be aware of how permission changes on one side affect access from the other. It takes a little practice and experimentation to consistently get the result you want.

stevaleelee

there is no basic difference in security by itself.

the problems with activating the windows compatibility options
are that a regular ls will not show all the access rights
and regular chowns and chmods may not change them either

in order to see / set the actual privileges you must use getfacl /setfacl

this makes auditing next to impossible since the output of these commands is by design difficult to parse

----

if someone has penetrated the network and got access to one of the windows boxes, the problem really is elsewhere
whatever the setting, an attacker with reasonable skills will connect as the user he wishes, bypassing all the security

if you just want to prevent malicious, moderately skilled users from toying with what they should not,
in that sole case there may be a little difference

----

my sad advice would be that given the fact that mixing both types of permissions is a mess after some time in 99% of the cases,
but will definitely provoke inconsistencies really soon if you do not activate unix acls,
you probably should go the easy way and activate them

if you want a real safe way, either stop mixing both types of security, or hard-configure unix rights on the server,
and do not give any user or machine the possibility to change access rights

skullnobrains
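
For the auditing concern raised in the answer above (rights that `ls` does not show and that must be read with getfacl), here is an added example, not part of any answer on this page, that parses recursive getfacl output and lists the named user/group grants with the ACL mask applied. It assumes the Linux POSIX ACL text format printed by `getfacl -R`; the sample input is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of `getfacl -R` output (POSIX ACL text format); not from the page.
SAMPLE = """\
# file: srv/share/plain.txt
# owner: alice
# group: finance
user::rw-
group::r--
other::---

# file: srv/share/report.xls
# owner: alice
# group: finance
user::rw-
user:bob:rwx\t\t#effective:r--
group::r--
group:contractors:rw-
mask::r--
other::---
"""

ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})")

def parse_getfacl(text):
    """Split getfacl output into one record per file."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"file": None, "entries": []}
        for line in block.splitlines():
            if line.startswith("# file: "):
                rec["file"] = line[len("# file: "):]
            elif (m := ENTRY.match(line)):
                # (is_default, tag, qualifier, permissions)
                rec["entries"].append((bool(m[1]), m[2], m[3], m[4]))
        if rec["file"]:
            records.append(rec)
    return records

def hidden_grants(text):
    """Named user/group entries (not visible in `ls -l` mode bits), mask applied."""
    out = []
    for rec in parse_getfacl(text):
        access = [e for e in rec["entries"] if not e[0]]  # skip default: entries
        mask = next((p for _, tag, _, p in access if tag == "mask"), "rwx")
        for _, tag, who, perms in access:
            if who and tag in ("user", "group"):
                eff = "".join(c if c == m else "-" for c, m in zip(perms, mask))
                out.append((rec["file"], tag, who, eff))
    return out
```

Calling `hidden_grants(SAMPLE)` returns one row per named entry, so a file with only owner/group/other bits produces no rows.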

Last updated: 04/14/2011 10:45