HPUX NFS Security (2)

Daniel Xu
Occasional Contributor

HPUX NFS Security (2)

Thanks everyone! I got several responses. But I still need your help.

1. Andy Monks suggested that I allow every host to access my NFS server. This will create a security issue. I only want all my company's hosts to access the server. But the host list is over 256 characters. How can I allow only my company's hosts access and not lose my security?

2. Andreas Voss suggested patch PHNE_21108. It is a recalled patch. The replacement is PHNE_21704, which is a recalled patch too. Does anyone know the good patch for NFSv3?

Thanks again!

P.S. Sorry, I do not know how to reply to you guys. I have to create a new message.
CHRIS_ANORUO
Honored Contributor
Solution

Re: HPUX NFS Security (2)

Hi Daniel,

I will advise you to exercise patience when it comes to patch installations. The caution point to note is to allow the patch to be up to 3 months old. There are no recent patches for NFSv3.
When We Seek To Discover The Best In Others, We Somehow Bring Out The Best In Ourselves.
Daniel Xu
Occasional Contributor

Re: HPUX NFS Security (2)

Hi, I am replying to myself on the patch issue. This is copied from the HP Patch Description.

A problem has been discovered with superseding patches PHNE_21108 and PHNE_21704. These two patches can cause NFS clients to observe NULL characters at the end of files from the NFS server. PHNE_20957 does not exhibit this same behavior and is being re-released until a replacement patch is available.
Tim Malnati
Honored Contributor

Re: HPUX NFS Security (2)

I'm not sure about this, but setting up a netgroup may be your answer to this problem (see netgroup(4)). The reason I'm not sure is that I wonder if the same character limit applies, or if a lookup is performed against the table when mounting.

But your security question makes me wonder about another issue. Do you have a firewall between your internal resources and the internet world? If you don't, I would very strongly suggest that you invest in one very soon. If the firewall is set up properly, outside entities should not even see your servers, not just the exported file systems.
Daniel Xu
Occasional Contributor

Re: HPUX NFS Security (2)

Tim Malnati,

Thanks for your suggestions!

I tried "netgroup". In /etc/exports, it seems like "access=" overrides "root=" and "rw=". root can only read from the mounted file system. I do not know how to configure it to let root read and write the mounted file system. I am still working on this issue.

Talking about firewalls: the company has a firewall to protect the whole network, but not between the hosts. We do not need a firewall set up on each host. I installed a security application on each host.
Tim Malnati
Honored Contributor

Re: HPUX NFS Security (2)

A look at exports(4) may help. With anon=65535, hosts that are not part of the netgroups defined with root=, rw=, or ro= should be excluded from attaching to the mount without having to use the access= declaration (or so the documentation suggests). Testing from both allowed and non-allowed machines will be important to verify this.

There have been all sorts of patches out there that impact NFS. If you are on 10.X there are a variety of different NFS packages as well (standard vs ACE). To put it plainly, there are a variety of bugs out there, with no particular version any better off than the next from what I can determine. It has been a while since I have set up any NFS mounts, so giving you any guidance on what package is 'best' is somewhat of a shot in the dark.
Shannon Petry
Honored Contributor

Re: HPUX NFS Security (2)

NFS security for large lists will require netgroups. I use them for about 100 hosts to secure access, but there are some rules.
1. root access must be a host list. Netgroups will not work.
2. access=group is almost the same as rw=group. If using rw and ro, then do not use access. It will confuse issues.
EXAMPLES
netgroup:
rwhosts (rwhost1,,) (rwhost2,,)
rohosts (rohost1,,) (rohost2,,)
admin (admin1,,) (admin2,,)
exports:
/dir1 root=admin1:admin2,rw=rwhosts,ro=rohosts

NOTE: Depending on how you resolve names, the way the netgroups are interpreted can vary. I.e., if you are running a name server, and "domain=somedomain" on the server, then all clients will resolve to host.domain. The client, however, must do the same or it will tell the server that it is just "host" and will fail to authenticate. This will require two netgroup entries for each host, and on the export: one entry with domain, and the other without. This gets very difficult to maintain. (Sun has a nice export option of domain=.domain which will append that listed domain to any host (no domain specified) and re-attempt authentication. NICE)
Best Regards!
Shannon
Microsoft. When do you want a virus today?
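A small resolver, added here and not from the thread or from HP-UX itself, that applies the rules Shannon states above (root= as a plain host list, rw=/ro= naming netgroups) to the sample netgroup and exports entries, and shows the host-versus-host.domain mismatch described in the note; the file contents and host names are constructed.

```python
import re

# Constructed sample files, modelled on the netgroup/exports examples in the post.
NETGROUP = """\
rwhosts (rwhost1,,) (rwhost2,,)
rohosts (rohost1,,) (rohost2,,)
admin (admin1,,) (admin2,,)
"""
EXPORTS = """\
/dir1 root=admin1:admin2,rw=rwhosts,ro=rohosts,anon=65535
/dir2 rw=rwhosts:rohost1
"""

TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")  # (host,user,domain)

def parse_netgroup(text):
    """Map netgroup name -> set of host fields from its (host,user,domain) triples."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, body = line.strip().partition(" ")
        groups[name] = {h.strip() for h, _u, _d in TRIPLE.findall(body) if h.strip()}
    return groups

def parse_exports(text):
    """Map exported directory -> {option: [members]} with members split on ':'."""
    exports = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        directory, _, opts = line.strip().partition(" ")
        parsed = {}
        for opt in opts.split(","):
            key, _, val = opt.partition("=")
            parsed[key] = val.split(":") if val else []
        exports[directory] = parsed
    return exports

def members(names, groups, key):
    """Expand an option's member list; root= is hosts only, rw=/ro= may name netgroups."""
    out = set()
    for n in names:
        out |= ({n} if key == "root" else groups.get(n, {n}))
    return out

def access_for(client, directory, groups, exports):
    """Return 'root', 'rw', 'ro' or 'none' for the name the client presents (exact match)."""
    opts = exports[directory]
    for key in ("root", "rw", "ro"):
        if client in members(opts.get(key, []), groups, key):
            return key
    return "none"  # with anon=65535 such a host should be refused, per Tim's reply
```

A client that identifies itself as rwhost1.somedomain gets 'none' because the netgroup only lists rwhost1, which is the maintenance burden the note warns about.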
Jamie Rancourt
Occasional Advisor

Re: HPUX NFS Security (2)

Hi, concerning the list of systems allowed to mount NFS fs's, try modifying /var/adm/inetd.sec. With this you can restrict mountd to the hosts you specify in the file, and if they are on similar subnets, then you could group the entries as outlined in the inetd.sec file. With this modification to inetd.sec, you can then remove restrictions in the exports file.

Good luck,

Jamie R.