Re: 11.31 NFS using FQDN in "share" command

SoorajCleris · ‎01-10-2010

Hi everyone

In reference
http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1263170752116+28353475&threadId=1146006

I was just trying to findout the reason, why it happend like that. If we are using hosts file, then also do we need to use FQDN?

Becasue man share_nfs says that,

hostname
The name of a host. With a server configured for DNS or LDAP
naming in the nsswitch "hosts" entry, any hostname must be
represented as a fully qualified DNS or LDAP name.

command line used, ( with out using FQDN it was not working)
# share -F nfs -o sec=sys,rw=hpuxtest.sooraj.com,root=hpuxtest.sooraj.com -d "testing" /nfstest

# grep host /etc/nsswitch.conf
hosts: files [NOTFOUND=continue UNAVAIL=continue] dns

Am I understanding anything wrong from manpage?

So I would like to know your suggetions too..

Thanks..
Sooraj

"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie

SoorajCleris · ‎01-11-2010

Hi,

waiting for your advices.

thanks,
Sooraj

"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie

Horia Chirculescu · ‎01-11-2010

Hello,

How about editing the nsswitch.conf file and change the hosts line to read:

hosts: files

Maybe share reads nsswitch.conf file?

Best regards,
Horia

Best regards from Romania,
Horia.

SoorajCleris · ‎01-11-2010

Hi ,

I have already mentioned

# grep host /etc/nsswitch.conf
hosts: files [NOTFOUND=continue UNAVAIL=continue] dns

Regards,
Sooraj

"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie

Steven Schweda · ‎01-11-2010

> hosts: files [NOTFOUND=continue UNAVAIL=continue] dns

Ok. And, according to you, the "man" page
says 'With a server configured for DNS or
LDAP naming in the nsswitch "hosts" entry',
and I see "dns" in your 'nsswitch "hosts"
entry'. It says "DNS". It does _not_ say
"_only_ DNS". Where's the mystery?

SoorajCleris · ‎01-11-2010

Hi Steven,

You mean to say, the manpage clear that if at all there is dns mentioned in nsswitch we should use FQDN?

Thanks
Sooraj

"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie

mvpel · ‎01-11-2010

Interesting, I didn't realize that they were starting to enforce FQDNs in that circumstance.

It's a security issue.

If you specify an unqualified hostname, with DNS it can match other things than what you intend, depending on factors external to the NFS server.

If you specify an unqualified hostname:

share -F nfs -o rw=pcvm0101,root=pcvm0101 -d "IS OIL sapmnt" /sapmnt/IE1

... then anyone who can reach your network who also has control over a DNS server could bypass your restrictions. In the old days, the host would allow read/write/root mounts from not only pcvm0101.yourdomain.com, but also pcvm0101.competitor.com, pcvm0101.hackers.com, and pcvm0101.intelligence.ir, for example.

The server does a reverse lookup on the client IP address, and uses the hostname it gets back from DNS in granting access. Since it shouldn't trust outside DNS servers, it shouldn't grant access to any matching hostname in any domain.

And that's the way it works now, thankfully.

If you use only "files" for host lookups, the FQDN restriction doesn't apply since NFS is not depending on resources that are outside the control of the local system to make security decisions.

Steven Schweda · ‎01-11-2010

> You mean to say, [...]

That's how I read it.

> It's a security issue. [...]

That would seem to explain why. (I've seen
this on Solaris systems for years, and always
wondered why, but was always too lazy to
investigate.)

SoorajCleris · ‎01-11-2010

Hi steven and mpvel,

Thanks for your valuable suggetions.
I will simulate this, check and will comeback.

Regards,
Sooraj

"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie

SoorajCleris · ‎01-11-2010

Hi ,

Its funny, I am using only hosts, but the output

[rx26-156]/etc
# nslookup
Using /etc/hosts on: rx26-156

>
----------------------------------------
# share -F nfs -o sec=sys,rw=rx260-16,root=rx260-16 -d "test Export" /tmp/soo>
[rx26-156]/tmp/sooraj
------------------------------------------
# nslookup
Using /etc/hosts on: rx260-16

>

# mount -F nfs rx26-156:/tmp/sooraj /sooraj
Permission denied
[rx260-16]/
===============================================================
# share -F nfs -o sec=sys,rw=rx260-16.usa.hp.com,root=rx260-16.usa.hp.com -d >
[rx26-156]/tmp/sooraj

---------------------------------------------------------
# mount -F nfs rx26-156:/tmp/sooraj /sooraj
[rx260-16]/
# touch /sooraj/check
[rx260-16]/

=============================================

SO I fee like we should always use FQDN.

Regards,
Sooraj

"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie

Dave Olker · ‎01-11-2010

What happens when you actually resolve the non-fully-qualified hostname on both the NFS client and server system?

# nslookup rx260-16

I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

mvpel · ‎01-11-2010

It's the nsswitch.conf and /etc/hosts files on your NFS server, not your client, that you need to concern yourself with.

I assume RX26-156 was able to ping RX260-16 by hostname when you made the nsswitch.conf change, right? What did the /etc/hosts entry for RS260-16 on RX26-156 look like?

SoorajCleris · ‎01-11-2010

Hi,

# nslookup rx260-16
Using /etc/hosts on: rx26-156

looking up FILES
Name: rx260-16
Address: 192.168.112.142
Aliases: rx260-16
==================================
/etc/hosts - rx26-156 ( I tried to use both rx260-16 and rx260-16.usa.hp.com)

16.118.114.125 rx26-156.usa.hp.com rx26-156
127.0.0.1 localhost loopback
16.118.114.250 hpvldas1 hpvldas1.usa.hp.com
192.168.112.142 rx260-16 rx260-16

=================================
Thanks
sooraj

"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie

Dave Olker · ‎01-11-2010

Do you get the exact same output on both the NFS client and server?

Is there a need to have the same hostname listed twice on the same line?

192.168.112.142 rx260-16 rx260-16

Do you get the same behavior if you change the line to:

192.168.112.142 rx260-16

on both the NFS client and server?

Dave

I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

Horia Chirculescu · ‎01-11-2010

Hello Sooraj,

This is what I understand from the man page and tried to suggest you in my first intervention.

>Hi Steven,

>You mean to say, the manpage clear that if at >all there is dns mentioned in nsswitch we >should use FQDN?

Horia.

Best regards from Romania,
Horia.

SoorajCleris · ‎01-11-2010

but horea , I have used the same but see the output posted above.

Regards,
Sooraj

"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie

mvpel · ‎01-12-2010

Maybe the share command allows unqualified hostnames if DNS is not used, but someone forgot to tell the nfsd team and so it doesn't allow unqualified names when making hostname-based access decisions.

But in any case, using FQDNs is a better practice in general, since it removes any ambiguity about which host you're referring to. I ran into the same situation in Nortel a few years ago, where we had five internal domain names in active use.

SoorajCleris · ‎01-12-2010

ha ha .. thats great. I am planning to tell NFSD team :)

"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity" - Dennis Ritchie

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: 11.31 NFS using FQDN in "share" command

11.31 NFS using FQDN in "share" command