topic Re: NFS Client root access problem in Operating System - HP-UX

NFS Client root access problem

Alex_santa — Fri, 05 Dec 2008 17:06:27 GMT

Hi;

I am installing a serviceguard cluster to be used with SAP in HPUX 11iv3.

One requeriment for SAP is to create an NFS Server Package and use the automount client
on each cluster node to share some directories.

My problem is that the NFS Package share the File systems, each client node can automount these file systems, the nodes that don't own the package have root access permissions.

But the node that owns the package doesn't have root access permissions and writes files
with the user nobody. In the configuration i
specified root access permissions for all nodes in the cluster.

When i moved the package to another node, always is the same situation with the node that owns the package.

Best Regards;

Alexander

Re: NFS Client root access problem

skt_skt — Fri, 05 Dec 2008 17:45:51 GMT

try eporting root=xxx

#exportfs -i -o root=client1:client2 /fs/name

Re: NFS Client root access problem

john123 — Fri, 05 Dec 2008 17:58:46 GMT

Hi..,

As mentioned above exporting with root=client option should work ..

Re: NFS Client root access problem

Alex_santa — Fri, 05 Dec 2008 19:00:15 GMT

Hi;

In the serviceguard package I did the export with the following option:

"-o root=node1,root=node2" file_system

It works fine with the node that doesn't own the NFS package, but with the node that owns the package it didn't get the root privileges.

Regards,

Alexander

Re: NFS Client root access problem

Andres Stickar — Sat, 06 Dec 2008 02:55:44 GMT

In the export options, you have to add the package hostname or the relocatable IP address.

OPTIONS -root=node1,node2,nfs_reloc ....

where nfs_reloc is the name of the NFS package.

If you have a db package and a ci package, you must add both.
Is sane to add all the IP addresse, or names the machings may have.

Hope ths help you

Re: NFS Client root access problem

Dave Olker — Sat, 06 Dec 2008 03:42:09 GMT

> "-o root=node1,root=node2" file_system

That syntax is incorrect for a root= list. The syntax is:

-o root=node1:node2:node3

Also with 11i v3 the systems in the root= or rw= lists need to be fully-qualified names.

Regards,

Dave

Re: NFS Client root access problem

Dave Olker — Sun, 07 Dec 2008 19:48:59 GMT

Hi Alexander,

By adding the "anon=0" option you're effectively allowing the root user on *EVERY* NFS client that mounts this filesystem to have root privileges on the shared filesystem. Is this really what you want? Or are you trying to limit the specific NFS client systems that are allowed to behave as root in that filesystem?

If you want/need to restrict root access to a small group of systems then the "root=" option is the way to do it. If you're having problems getting the syntax right let me know and I'll help. But opening up the filesystem to all root users can be potentially dangerous - especially if there is not an accompanying rw= list.

Regards,

Dave

Re: NFS Client root access problem

Dennis Handly — Sun, 07 Dec 2008 22:56:25 GMT

>Dave: By adding the "anon=0" option you're effectively allowing the root user

Isn't it worse than that? I.e. every unknown user is root.

Re: NFS Client root access problem

Dave Olker — Mon, 08 Dec 2008 07:24:42 GMT

Hi Dennis,

> Isn't it worse than that? I.e. every unknown user is root.

Ok, but what's an "unknown" user? My understanding is an unknown user is effectively someone with a UID that is outside the known range. I wouldn't expect that a user that is not configured on the server will get root access.

In other words, if you have a user with a UID of 2000 on an NFS client but this user is not configured on the server (i.e. no entry in /etc/passwd, NIS, NIS+, LDAP, or whatever name service used for passwords) any file created by this user will show up with UID=2000. Just because the server doesn't have a mapping for user 2000=joe doesn't mean user 2000 should get root access.

It's been my experience (but I could be wrong) that only root users - or possibly some PC-NFS users, are mapped to the anon value.

If your experience is different please let me know.

Thanks,

Dave

Re: NFS Client root access problem

Dennis Handly — Tue, 09 Dec 2008 01:06:52 GMT

>Dave: but what's an "unknown" user?

Yes, that's the question.

>if you have a user with a UID of 2000 on an NFS client but this user is not configured on the server, any file created by this user will show up with UID=2000.

Yes, that's what happens.

Re: NFS Client root access problem

Dave Olker — Tue, 09 Dec 2008 03:03:48 GMT

So in that example, the user with UID=2000 is not an unknown user. He is uid=2000 and his files get created with 2000. He doesn't take on the anon=0 value.

To my knowledge, the only users who take on the anonymous value are root users and PC-NFS users that are unauthenticated.

Re: NFS Client root access problem

Alex_santa — Fri, 12 Dec 2008 16:50:41 GMT

Dave, Dennis;

Considering what you mentioned:

-It is possible that i will have some security risk if I use the anon=0 option?

I am going to recheck the sintax of my configuration because my first consideration was to use the root=node option to give access to the NFS clients.

Best Regards;

Alexander.

Re: NFS Client root access problem

Dave Olker — Fri, 12 Dec 2008 16:56:18 GMT

Hi Alex,

If security is one of your concerns then sharing filesystems with "anon=0" is one of the worst things you can do. That syntax allows the root user on every NFS client to access files on the NFS filesystem as if they were the root user on the NFS server. That's a very dangerous thing to allow from a security standpoint.

Creating an rw= list and a root= list is much safer as that determines which NFS clients are allowed read/write access to the filesystem and which clients are allowed root access.

Regards,

Dave