
11.31 NFS using FQDN in "share" command

 
SoorajCleris
Honored Contributor


Hi everyone

In reference
http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1263170752116+28353475&threadId=1146006

I was just trying to find out the reason why it happened like that. If we are using the hosts file, do we then also need to use FQDN?

Because man share_nfs says that,


hostname
The name of a host. With a server configured for DNS or LDAP
naming in the nsswitch "hosts" entry, any hostname must be
represented as a fully qualified DNS or LDAP name.



Command line used (without using FQDN it was not working):
# share -F nfs -o sec=sys,rw=hpuxtest.sooraj.com,root=hpuxtest.sooraj.com -d "testing" /nfstest

# grep host /etc/nsswitch.conf
hosts: files [NOTFOUND=continue UNAVAIL=continue] dns

Am I understanding anything wrong from manpage?

So I would like to know your suggestions too.

Thanks..
Sooraj
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hi,

Waiting for your advice.

thanks,
Sooraj
Horia Chirculescu
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hello,

How about editing the nsswitch.conf file and changing the hosts line to read:

hosts: files

Maybe share reads nsswitch.conf file?

Best regards,
Horia
Best regards from Romania,
Horia.
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hi ,

I have already mentioned

# grep host /etc/nsswitch.conf
hosts: files [NOTFOUND=continue UNAVAIL=continue] dns

Regards,
Sooraj
Steven Schweda
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

> hosts: files [NOTFOUND=continue UNAVAIL=continue] dns

Ok. And, according to you, the "man" page
says 'With a server configured for DNS or
LDAP naming in the nsswitch "hosts" entry',
and I see "dns" in your 'nsswitch "hosts"
entry'. It says "DNS". It does _not_ say
"_only_ DNS". Where's the mystery?
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hi Steven,

You mean to say the manpage is clear that if dns is mentioned at all in nsswitch, we should use FQDN?

Thanks
Sooraj
mvpel
Trusted Contributor

Re: 11.31 NFS using FQDN in "share" command

Interesting, I didn't realize that they were starting to enforce FQDNs in that circumstance.

It's a security issue.

If you specify an unqualified hostname, with DNS it can match other things than what you intend, depending on factors external to the NFS server.

If you specify an unqualified hostname:

share -F nfs -o rw=pcvm0101,root=pcvm0101 -d "IS OIL sapmnt" /sapmnt/IE1

... then anyone who can reach your network who also has control over a DNS server could bypass your restrictions. In the old days, the host would allow read/write/root mounts from not only pcvm0101.yourdomain.com, but also pcvm0101.competitor.com, pcvm0101.hackers.com, and pcvm0101.intelligence.ir, for example.

The server does a reverse lookup on the client IP address, and uses the hostname it gets back from DNS in granting access. Since it shouldn't trust outside DNS servers, it shouldn't grant access to any matching hostname in any domain.

And that's the way it works now, thankfully.

If you use only "files" for host lookups, the FQDN restriction doesn't apply since NFS is not depending on resources that are outside the control of the local system to make security decisions.
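
A check for the rule discussed in this thread, as an added example that is not part of any poster's reply: it lists short (unqualified) names in the `rw=`, `ro=` and `root=` access lists of a `share` command and reports whether the nsswitch "hosts" entry consults dns or ldap. The function names and exit codes are this example's own, and it assumes the colon-separated share_nfs access-list syntax.

```shell
#!/bin/sh
# Added example, not from the thread. Flags share access-list entries that are
# short (unqualified) names, and says whether the man page rule applies.

# Succeeds if an nsswitch.conf "hosts:" line lists dns or ldap as a source.
hosts_uses_dns_or_ldap() {
    # Drop [STATUS=action] criteria and the "hosts:" key, normalise tabs.
    sources=$(printf '%s\n' "$1" |
        sed -e 's/\[[^]]*\]/ /g' -e 's/^[^:]*://' | tr '\t' ' ')
    case " $sources " in
        *" dns "*|*" ldap "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints each rw=/ro=/root= entry of one share command that contains no dot.
# Entries with a leading "." (domain suffix) or "@" (network) are skipped.
# A netgroup looks like a short hostname here, so review every hit by hand.
unqualified_entries() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]-o[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' |
        tr ',' '\n' |
        sed -n -e 's/^rw=//p' -e 's/^ro=//p' -e 's/^root=//p' |
        tr ':' '\n' |
        sed -e 's/^-//' -e '/^[.@]/d' -e '/\./d' -e '/^$/d' |
        sort -u
}

# audit_share "<hosts line>" "<share command>"
# Returns 0: nothing unqualified. 1: unqualified and dns/ldap is consulted
# (FQDN required per share_nfs). 2: unqualified, files-only lookups.
audit_share() {
    bad=$(unqualified_entries "$2")
    if [ -z "$bad" ]; then return 0; fi
    for h in $bad; do printf 'unqualified entry: %s\n' "$h"; done
    if hosts_uses_dns_or_ldap "$1"; then return 1; fi
    return 2
}

# Inputs below are the nsswitch line and share commands quoted in the thread.
NSS='hosts: files [NOTFOUND=continue UNAVAIL=continue] dns'
audit_share "$NSS" 'share -F nfs -o rw=pcvm0101,root=pcvm0101 -d "IS OIL sapmnt" /sapmnt/IE1' || echo "status $?"
audit_share "$NSS" 'share -F nfs -o sec=sys,rw=hpuxtest.sooraj.com,root=hpuxtest.sooraj.com -d "testing" /nfstest' && echo "clean"
```
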
Steven Schweda
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

> You mean to say, [...]

That's how I read it.

> It's a security issue. [...]

That would seem to explain why. (I've seen
this on Solaris systems for years, and always
wondered why, but was always too lazy to
investigate.)
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hi Steven and mvpel,

Thanks for your valuable suggestions.
I will simulate this, check and will come back.

Regards,
Sooraj
SoorajCleris
Honored Contributor

Re: 11.31 NFS using FQDN in "share" command

Hi ,

It's funny, I am using only hosts, but the output

[rx26-156]/etc
# nslookup
Using /etc/hosts on: rx26-156

>
----------------------------------------
# share -F nfs -o sec=sys,rw=rx260-16,root=rx260-16 -d "test Export" /tmp/soo>
[rx26-156]/tmp/sooraj
------------------------------------------
# nslookup
Using /etc/hosts on: rx260-16

>

# mount -F nfs rx26-156:/tmp/sooraj /sooraj
Permission denied
[rx260-16]/
===============================================================
# share -F nfs -o sec=sys,rw=rx260-16.usa.hp.com,root=rx260-16.usa.hp.com -d >
[rx26-156]/tmp/sooraj

---------------------------------------------------------
# mount -F nfs rx26-156:/tmp/sooraj /sooraj
[rx260-16]/
# touch /sooraj/check
[rx260-16]/

=============================================

So I feel like we should always use FQDN.

Regards,
Sooraj