Operating System - HP-UX

Re: inetd.sec and NFS services

SOLVED
Bolek Mynarski
Frequent Advisor

inetd.sec and NFS services

This is more of a clarification than anything else. However, I am having problem limiting nfs mounts using /var/adm/inetd.sec. According to the man page for inetd.sec, I should be (in theory) able to do this.

I would have to also disclose that we do not run any rpc services from /etc/inetd.conf.

For test purposes, I tried following in /var/adm/inetd.sec:

rpcbind deny
mountd deny

I would expect every host to be denied access to NFS services(no mount allowed or showmount for that matter). It does not seem the case. I can do all of the above.

Have I missed something or misinterpreted how inetd.sec is supposed to work for me?

Thanks.
It's never too late to learn new things...
Mridul Shrivastava
Honored Contributor

Re: inetd.sec and NFS services

I checked the man pages and found that the correct format is



Here the entries made in the file are daemon names; however, the service name should have been entered. So try using the following

rpc deny

I think it should work (don't forget inetd -c)

Another way to stop NFS is to put a # in front of the line that is not required in the inetd.conf file.
Time has a wonderful way of weeding out the trivial
Reshma Malusare
Trusted Contributor

Re: inetd.sec and NFS services

Hi Bolek,
In the /var/adm/inetd.sec file, create a line with the following syntax for each service to which you want to restrict access:


service {allow} host_or_network [host_or_network...] {deny}


If the /var/adm/inetd.sec file does not exist, you will have to create it.

service must match one of the service names in the /etc/rpc file.

Specify either allow or deny but not both. Enter only one line per service.

host_or_network can be either an official host name or network name or an IP address. Any of the four numbers in an IP address can be specified as a range (for example, 1-28) or the wildcard character (*).

The inetd.sec file is checked only when the service is started. If a service remains active and accepts more requests without being restarted, the inetd.sec file is not checked again.

You can use SAM to modify the /var/adm/inetd.sec file.
e.g. rwalld deny cauliflower

Regards,
Reshma

Patrick Wallek
Honored Contributor

Re: inetd.sec and NFS services

inetd.sec is only used for services that are started, when necessary, by the inetd daemon. mountd is not started via inetd, hence inetd.sec will have no effect.

To limit NFS mounts you need to set the appropriate access controls in the /etc/exports file.

Re: inetd.sec and NFS services

inetd.sec only provides access control for services started by inetd. portmap/rpcbind, mountd and nfsd are not started by inetd. To control access to NFS mounts, use /etc/exports or use ipf to block the ports completely.
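To make the two points above concrete (Reshma's note that host fields may use ranges and wildcards, and Patrick's and the previous reply's point that inetd.sec only governs services inetd itself starts), here is an added example that is not code from this thread or from HP. It parses constructed samples of /etc/inetd.conf, /etc/rpc and /var/adm/inetd.sec, flags the entries that can have no effect because the service is not started by inetd, and evaluates a host pattern against a client address. The file contents, the inetd.conf field layout for "rpc" lines, and the treatment of an empty host list are all assumptions stated in the comments.

```python
"""Check which /var/adm/inetd.sec entries can actually take effect.

Added example (not code from the thread or from HP). It applies two points
made in the thread: inetd.sec host fields may use ranges (1-28) and
wildcards (*), and an entry only matters for a service that inetd itself
starts. All file contents below are constructed samples.
"""

# Constructed /etc/inetd.conf. Field layout assumed from HP-UX: on "rpc"
# lines the RPC program number is the 7th field.
INETD_CONF = """\
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
rpc     dgram  udp wait   root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rpc.rstatd
"""

# Constructed /etc/rpc: service name, program number, aliases.
ETC_RPC = """\
rpcbind   100000 portmap sunrpc
mountd    100005 mount showmount
nfs       100003 nfsprog
rstatd    100001 rstat rup perfmeter
"""

# Constructed /var/adm/inetd.sec, including the two entries from the question.
INETD_SEC = """\
rpcbind deny
mountd  deny
rstatd  deny  10.2.42.7
telnet  allow 10.1.2.* 192.168.1-28.5
ftp     deny  10.2.42.7
"""


def rpc_names_by_number(etc_rpc):
    """Map RPC program number -> canonical service name from /etc/rpc."""
    table = {}
    for line in etc_rpc.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2:
            table[fields[1]] = fields[0]
    return table


def inetd_managed_services(inetd_conf, etc_rpc):
    """Services inetd starts on demand, i.e. the only ones inetd.sec governs."""
    by_number = rpc_names_by_number(etc_rpc)
    managed = set()
    for line in inetd_conf.splitlines():
        fields = line.split('#', 1)[0].split()
        if not fields:
            continue
        if fields[0] == 'rpc' and len(fields) > 6:
            managed.add(by_number.get(fields[6], fields[6]))
        else:
            managed.add(fields[0])
    return managed


def parse_inetd_sec(text):
    """service -> (action, [host_or_network ...]); one line per service."""
    entries = {}
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if not fields:
            continue
        service, action, hosts = fields[0], fields[1], fields[2:]
        if action not in ('allow', 'deny'):
            raise ValueError('bad action in inetd.sec: %r' % line)
        entries[service] = (action, hosts)
    return entries


def host_matches(pattern, client):
    """Match one host_or_network field: dotted quads may use a-b ranges
    and '*' per octet; anything else is compared as a plain name."""
    parts = pattern.split('.')
    octets = client.split('.')
    if len(parts) != 4 or not all(o.isdigit() for o in octets):
        return pattern == client
    for p, o in zip(parts, octets):
        n = int(o)
        if p == '*':
            continue
        lo, _, hi = p.partition('-')
        if not int(lo) <= n <= int(hi or lo):
            return False
    return True


def decide(entry, client):
    """True if the client may use the service under this entry.
    Assumed: an empty host list makes the rule apply to every client,
    which is what the original poster expected from 'rpcbind deny'."""
    action, hosts = entry
    matched = not hosts or any(host_matches(h, client) for h in hosts)
    return matched if action == 'allow' else not matched


def audit(inetd_sec, inetd_conf, etc_rpc):
    """service -> 'enforced' or 'no effect: not started by inetd'."""
    managed = inetd_managed_services(inetd_conf, etc_rpc)
    return {svc: 'enforced' if svc in managed else 'no effect: not started by inetd'
            for svc in parse_inetd_sec(inetd_sec)}


if __name__ == '__main__':
    for svc, verdict in audit(INETD_SEC, INETD_CONF, ETC_RPC).items():
        print('%-8s %s' % (svc, verdict))
```

Run against the samples, the audit reports rpcbind and mountd as having no effect (they are not in inetd.conf), while the telnet, ftp and rstatd entries are enforced; on a real host, substitute the contents of the three files.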
Raj D.
Honored Contributor
Solution

Re: inetd.sec and NFS services

Bolek,

Though inetd.conf starts the rpc services, and rpc.mountd can start from a startup script, it is good practice to limit NFS mounts using /etc/exports.


/etc/exports contains a list of file systems and the access_lists or
machine names allowed to remotely mount each file system. The file
system names are left-justified and followed by a list of names
separated by white space. A file system name with no accompanying
name list means the file system is available to everyone.
A # anywhere in the file indicates a comment extending to the end of
that line.

EXAMPLES
/usr/games cocoa fudge # export to only these machines
/usr -access=clients # export to my clients
/usr/local # export to the world
/usr2 -access=bison:deer:pup # export to only these machines
/var/adm -root=bison:deer # give root access only to these
/usr/new -anon=0 # give all machines root access
/usr/temp -rw=ram:alligator # export read-write only to these
/usr/bin -ro # export read-only to everyone
/usr/stuff -access=bear,anon=-2,ro # several options on one line
/usr/subnet -access=@mysubnet #use mysubnet in /etc/networks
/usr/subnet1 -access=@192.5 #clients must be in the 192.5.0.0 subnet
/usr/domain -access=.myd.myc.com #clients must be in .myd.myc.com
/usr/restrict -access=-host1.myd.myc.com:sales # disallow -host1 in the sales netgroup.
--------------------------------------


Check this:
http://docs.hp.com/en/B2355-90131/exports.4.html
----

inetd.sec :
You can have entries in /var/adm/inetd.sec like this:



You can enable the server to deny rpc service with this example:
Ex:

rpc deny 10.2.42.7



Cheers,
Raj.





" If u think u can , If u think u cannot , - You are always Right . "
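Since the thread settles on /etc/exports as the place to restrict clients, here is an added example (not HP's code and not from the thread) that evaluates the access controls in the man page excerpt quoted above: for a client identified by host name and IP address it reports, for each export, whether access is denied, read-only or read-write. The exports file is built from the quoted examples; the netgroup table, the /etc/networks mapping for @mysubnet, and the rule that a leading "-" member is checked before the allow members are constructed assumptions, marked as such in the comments.

```python
"""Evaluate the /etc/exports access controls shown in the man page excerpt.

Added example, not HP's code. It decides, for a client identified by host
name and IP address, whether each exported file system is reachable and
whether access is read-only or read-write. The netgroup and /etc/networks
tables are constructed stand-ins for the real system files.
"""

# Constructed stand-ins for /etc/netgroup and /etc/networks.
NETGROUPS = {'sales': {'host1.myd.myc.com', 'host2.myd.myc.com'},
             'clients': {'cocoa', 'fudge'}}
NETWORKS = {'mysubnet': '10.7'}   # assumed: network name -> dotted prefix

# Constructed exports file built from the examples quoted in the thread.
EXPORTS = """\
/usr/games    cocoa fudge                        # export to only these machines
/usr          -access=clients                    # export to my clients
/usr/local                                       # export to the world
/usr/temp     -rw=ram:alligator                  # read-write only to these
/usr/bin      -ro                                # read-only to everyone
/usr/stuff    -access=bear,anon=-2,ro            # several options on one line
/usr/subnet   -access=@mysubnet                  # use mysubnet in /etc/networks
/usr/subnet1  -access=@192.5                     # clients must be in 192.5.0.0
/usr/domain   -access=.myd.myc.com               # clients must be in .myd.myc.com
/usr/restrict -access=-host1.myd.myc.com:sales   # disallow host1 in the sales netgroup
"""


def parse_exports_line(line):
    """Return (path, options) for one line, or None for blank/comment lines."""
    fields = line.split('#', 1)[0].split()
    if not fields:
        return None
    opts = {'access': [], 'rw': [], 'root': [], 'ro': False, 'anon': None}
    for field in fields[1:]:
        if not field.startswith('-'):        # bare names: "/usr/games cocoa fudge"
            opts['access'].append(field)
            continue
        for opt in field[1:].split(','):     # "-access=bear,anon=-2,ro"
            key, _, val = opt.partition('=')
            if key in ('access', 'rw', 'root'):
                opts[key].extend(val.split(':'))
            elif key == 'anon':
                opts['anon'] = int(val)
            elif key == 'ro':
                opts['ro'] = True
    return fields[0], opts


def member_matches(entry, host, ip):
    """One access-list member: @prefix or @network, .domain, netgroup, or host."""
    if entry.startswith('@'):
        prefix = NETWORKS.get(entry[1:], entry[1:])
        return ip == prefix or ip.startswith(prefix + '.')
    if entry.startswith('.'):
        return host.endswith(entry)
    if entry in NETGROUPS:
        return host in NETGROUPS[entry]
    return host == entry


def client_allowed(opts, host, ip):
    """Leading '-' members deny and are checked first (assumed precedence);
    an empty access list exports to everyone, as the man page states."""
    allow = [m for m in opts['access'] if not m.startswith('-')]
    deny = [m[1:] for m in opts['access'] if m.startswith('-')]
    if any(member_matches(m, host, ip) for m in deny):
        return False
    return not allow or any(member_matches(m, host, ip) for m in allow)


def access_mode(opts, host, ip):
    """'none', 'ro' or 'rw' for this client."""
    if not client_allowed(opts, host, ip):
        return 'none'
    if opts['ro']:
        return 'ro'
    if opts['rw']:                           # -rw= list: others get read-only
        return 'rw' if any(member_matches(m, host, ip) for m in opts['rw']) else 'ro'
    return 'rw'


def evaluate(exports_text, host, ip):
    """path -> access mode for every export in the file."""
    result = {}
    for line in exports_text.splitlines():
        parsed = parse_exports_line(line)
        if parsed:
            result[parsed[0]] = access_mode(parsed[1], host, ip)
    return result


if __name__ == '__main__':
    for path, mode in evaluate(EXPORTS, 'host2.myd.myc.com', '192.5.3.4').items():
        print('%-14s %s' % (path, mode))
```

The worked case in the usage block is a client in the sales netgroup on the 192.5 network: it gets /usr/local read-write, /usr/bin read-only, /usr/temp read-only (it is not in the -rw list), /usr/restrict read-write (only host1 is excluded), and no access to /usr/games. Pointing the script at a real /etc/exports, with the real netgroup and network tables, lets you review what each client network can reach before the change goes live.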
Bolek Mynarski
Frequent Advisor

Re: inetd.sec and NFS services

Thanks to everyone who has responded. Everyone has confirmed my suspicions. Although I find it a bit contradictory because the inetd.sec man page is very specific about NFS:

"service name is the name (not alias) of a valid service in file /etc/services. The service name for RPC-based services (NFS) is the name (not alias) of a valid service in file /etc/rpc. A service name in /etc/rpc corresponds to a unique RPC program number."

Here is an example from the same man page:

"On a system running NFS, deny host 192.54.24.5 access to sprayd, an RPC-based server:
sprayd deny 192.54.24.5
"

Of course, I tried 'mountd, nfs, and rpcbind' but with no success.

This is from the inetd.sec man page on HP-UX 11.11.
It's never too late to learn new things...

Re: inetd.sec and NFS services

The manpage is suspicious. I wonder what NFS has to do with sprayd. Look at the use of () in the quoted manpage; it seems the manpage author took NFS to mean RPC-based services rather than Network File System.

The HP-UX 10.30 and 11.00 release notes (http://docs.hp.com/en/B3782-90716/ch07s23.html) show that the -e option can be used with inetd.sec. But it is no longer supported since HP-UX 10.30.
Dave Olker
HPE Pro

Re: inetd.sec and NFS services

Hi Bolek,

NFS is not managed by the inetd daemon, so the inetd.sec would have no real bearing on NFS.

If you really don't want to allow any clients to mount filesystems from the server then the best thing to do would be to disable NFS services from ever starting in the first place. If you don't want this system to allow any NFS mounts then do this:

# /sbin/init.d/nfs.server stop

This will stop any existing NFS server daemons. Then modify the /etc/rc.config.d/nfsconf file and set the NFS_SERVER variable to 0. That will stop the NFS server daemons (rpc.mountd, nfsd) from starting at boot time.

If this isn't what you're looking for then please be very specific about exactly what you're trying to do.

Regards,

Dave
I work for HPE

[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Bolek Mynarski
Frequent Advisor

Re: inetd.sec and NFS services

Hi Dave,

The purpose is very simple: I want to limit what networks can access my NFS server. That was the whole purpose of posting here. If I did not want to use NFS, this thread would not exist. inetd.sec seemed like a good choice after reading the man page on it. That's how this thread started. Yes, I know inetd.sec controls inetd behaviour but if you read inetd.sec closer on HP-UX 11.11, it also refers to rpc services (/etc/rpc) that can be limited using inetd.sec.

/etc/exports has its own share of, shall we say, oddities, so I wanted to stay away from it as much as possible. However, it seems to me that I will have no choice but to use it.
It's never too late to learn new things...