
Re: NFS Client root access problem

 
Alex_santa
Occasional Advisor

NFS Client root access problem

Hi;

I am installing a serviceguard cluster to be used with SAP in HPUX 11iv3.

One requirement for SAP is to create an NFS Server Package and use the automount client
on each cluster node to share some directories.

My problem is that the NFS Package shares the file systems, each client node can automount these file systems, and the nodes that don't own the package have root access permissions.

But the node that owns the package doesn't have root access permissions and writes files
with the user nobody. In the configuration I
specified root access permissions for all nodes in the cluster.

When I moved the package to another node, the situation was always the same with the node that owns the package.

Best Regards;

Alexander
12 REPLIES
skt_skt
Honored Contributor

Re: NFS Client root access problem

Try exporting root=xxx

#exportfs -i -o root=client1:client2 /fs/name
john123
Trusted Contributor

Re: NFS Client root access problem

Hi,

As mentioned above, exporting with the root=client option should work.

Alex_santa
Occasional Advisor

Re: NFS Client root access problem

Hi;

In the serviceguard package I did the export with the following option:

"-o root=node1,root=node2" file_system

It works fine with the node that doesn't own the NFS package, but with the node that owns the package it didn't get the root privileges.


Regards,

Alexander
Andres Stickar
Frequent Advisor

Re: NFS Client root access problem

In the export options, you have to add the package hostname or the relocatable IP address.

OPTIONS -root=node1,node2,nfs_reloc ....

where nfs_reloc is the name of the NFS package.

If you have a db package and a ci package, you must add both.
It is sane to add all the IP addresses or names the machines may have.

Hope this helps you
Dave Olker
Neighborhood Moderator

Re: NFS Client root access problem

> "-o root=node1,root=node2" file_system

That syntax is incorrect for a root= list. The syntax is:

-o root=node1:node2:node3

Also with 11i v3 the systems in the root= or rw= lists need to be fully-qualified names.

Regards,

Dave


I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Dave Olker
Neighborhood Moderator

Re: NFS Client root access problem

Hi Alexander,

By adding the "anon=0" option you're effectively allowing the root user on *EVERY* NFS client that mounts this filesystem to have root privileges on the shared filesystem. Is this really what you want? Or are you trying to limit the specific NFS client systems that are allowed to behave as root in that filesystem?

If you want/need to restrict root access to a small group of systems then the "root=" option is the way to do it. If you're having problems getting the syntax right let me know and I'll help. But opening up the filesystem to all root users can be potentially dangerous - especially if there is not an accompanying rw= list.

Regards,

Dave


Dennis Handly
Acclaimed Contributor

Re: NFS Client root access problem

>Dave: By adding the "anon=0" option you're effectively allowing the root user

Isn't it worse than that? I.e. every unknown user is root.
Dave Olker
Neighborhood Moderator

Re: NFS Client root access problem

Hi Dennis,

> Isn't it worse than that? I.e. every unknown user is root.

Ok, but what's an "unknown" user? My understanding is an unknown user is effectively someone with a UID that is outside the known range. I wouldn't expect that a user that is not configured on the server will get root access.

In other words, if you have a user with a UID of 2000 on an NFS client but this user is not configured on the server (i.e. no entry in /etc/passwd, NIS, NIS+, LDAP, or whatever name service used for passwords) any file created by this user will show up with UID=2000. Just because the server doesn't have a mapping for user 2000=joe doesn't mean user 2000 should get root access.

It's been my experience (but I could be wrong) that only root users - or possibly some PC-NFS users, are mapped to the anon value.

If your experience is different please let me know.

Thanks,

Dave


Dennis Handly
Acclaimed Contributor

Re: NFS Client root access problem

>Dave: but what's an "unknown" user?

Yes, that's the question.

>if you have a user with a UID of 2000 on an NFS client but this user is not configured on the server, any file created by this user will show up with UID=2000.

Yes, that's what happens.
Dave Olker
Neighborhood Moderator

Re: NFS Client root access problem

So in that example, the user with UID=2000 is not an unknown user. He is uid=2000 and his files get created with 2000. He doesn't take on the anon=0 value.

To my knowledge, the only users who take on the anonymous value are root users and PC-NFS users that are unauthenticated.


Alex_santa
Occasional Advisor

Re: NFS Client root access problem

Dave, Dennis;

Considering what you mentioned:

- Is it possible that I will have some security risk if I use the anon=0 option?

I am going to recheck the syntax of my configuration because my first consideration was to use the root=node option to give access to the NFS clients.


Best Regards;


Alexander.

Dave Olker
Neighborhood Moderator

Re: NFS Client root access problem

Hi Alex,

If security is one of your concerns then sharing filesystems with "anon=0" is one of the worst things you can do. That syntax allows the root user on every NFS client to access files on the NFS filesystem as if they were the root user on the NFS server. That's a very dangerous thing to allow from a security standpoint.

Creating an rw= list and a root= list is much safer as that determines which NFS clients are allowed read/write access to the filesystem and which clients are allowed root access.

Regards,

Dave


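Added example, not part of any post in this thread and not HP code: a small Python check that lints an export option string for the problems raised above (a repeated `root=`, hosts separated by commas instead of colons, short host names, `anon=0`, no `rw=` list). The function name, the finding codes and the `example.com` host names are constructed for illustration, and accepting only `ro` and `rw` as bare flags is an assumption of this check.

```python
import re

HOST_LIST_OPTS = ("root", "rw")   # values are colon-separated host lists
BARE_FLAGS = {"ro", "rw"}         # assumption: the only bare flags this check accepts

def audit_export_options(opts):
    """Return sorted finding codes for one NFS export option string."""
    opts = re.sub(r"^\s*-o\s+", "", opts)        # tolerate a leading "-o"
    findings, seen = set(), {}
    for token in filter(None, (t.strip() for t in opts.split(","))):
        name, has_value, value = token.partition("=")
        if not has_value:
            # A bare word after a comma is read as an option, not as a host.
            if name not in BARE_FLAGS:
                findings.add("stray-token:" + name)
            seen.setdefault(name, [])
            continue
        if name in HOST_LIST_OPTS and name in seen:
            findings.add("repeated-" + name)     # e.g. root=a,root=b
        hosts = seen.setdefault(name, [])
        if name in HOST_LIST_OPTS:
            for host in filter(None, value.split(":")):
                hosts.append(host)
                if "." not in host:              # thread: 11i v3 wants FQDNs
                    findings.add("short-name:" + host)
        elif name == "anon" and value.strip().isdigit() and int(value) == 0:
            findings.add("anon-root")            # anonymous requests become uid 0
    if not seen.get("rw") and "ro" not in seen:
        findings.add("no-rw-list")               # write access not limited by host
    return sorted(findings)

if __name__ == "__main__":
    # Constructed samples modelled on the option strings quoted in the thread.
    samples = [
        "-o root=node1,root=node2",
        "root=node1,node2,nfs_reloc",
        "anon=0",
        "rw=node1.example.com:node2.example.com,"
        "root=node1.example.com:node2.example.com",
    ]
    for s in samples:
        print(s, "->", audit_export_options(s) or "ok")
```
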