topic Re: Secure NFS in Operating System - HP-UX

Secure NFS

Victor_5 — Wed, 10 Apr 2002 12:33:02 GMT

How can I know whether I am using secure NFS on my 11i box? Which files I need to take a look?

Thanks!

Re: Secure NFS

Robert Gamble — Wed, 10 Apr 2002 12:52:37 GMT

Victor,

Do you mean 'Secure RPC' ? If so, check out the following HP Manual: http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B1031-90048/B1031-90048_top.html&con=/hpux/onlinedocs/B1031-90048/00/00/25-con.html&toc=/hpux/onlinedocs/B1031-90048/00/00/25-toc.html&searchterms=NFS%7csecure&queryid=20020410-065840

Good Luck!

Re: Secure NFS

Helen French — Wed, 10 Apr 2002 12:54:52 GMT

Hi Victor:

Check these threads:

http://forums.itrc.hp.com/cm/QuestionAnswer/0,,0xe5faa14d9abcd4118fef0090279cd0f9,00.html

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xb48f663ce855d511abcd0090277a778c,00.html

HTH,
Shiju

Re: Secure NFS

Jeff Schussele — Wed, 10 Apr 2002 12:56:38 GMT

Victor,

Secure NFS is not supported by HP-UX - see the following:

http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B1031-90048/B1031-90048_top.html&con=/hpux/onlinedocs/B1031-90048/00/00/25-con.html&toc=/hpux/onlinedocs/B1031-90048/00/00/25-toc.html&searchterms=NFS%7csecure&queryid=20020410-070235

Although secure RPC is.

HTH,
Jeff

Re: Secure NFS

David Lodge — Wed, 10 Apr 2002 20:06:04 GMT

NFS is not secure *at all* on HP-UX. Avoid it. Like the plague...

Re: Secure NFS

Michael Tully — Wed, 10 Apr 2002 21:41:31 GMT

The best way to *secure* NFS is to not run it at all, and to remove the filesets of the server.

Re: Secure NFS

David Lodge — Thu, 11 Apr 2002 09:47:44 GMT

Having had a quick look at the threads pointed to above, I just wanted to make some points.

1) NFS is not *secure*. I really, really mean this.
2) If you *need* to run it (to be honest you shouldn't have any reason to) then make sure you do the following:
* restrict the export as much as possible in /etc/exports (using ro, nosuid, nodev ad nauseum)
* make the inode of the mounted directory as high as possible.
* use /etc/inetd.sec to restrict requests to rpc.mountd

You might have questions about the second recommendation, but if you understand how NFS works it makes sense; in a nutshell:
1. Client request permission to mount directory from rpc.mountd
2. Mountd checks /etc/exports to see whether it has permissions. If so it returns a file handle.
3. NFS client talks to NFS server to request files/meta data, *using the file handle*

Hence, if an attacker can snarf the file handle they can access all exported information.

Because of weaknesses in HP's NFS file handles it is relatively easy to grab a file handle - but this depends on the size of the inode of the exported directory - hence the higher up it is, the less the risk. (ie 2 is bad 56784943 is better)

dave (NFS is evil)

Re: Secure NFS

Victor_5 — Thu, 11 Apr 2002 12:19:44 GMT

Hi David:

You didnot answer my question, but you gave me clearer picture about NFS security, thanks for your professional explanation, so I assigned 7 points to you, really appreciate!