Sponsored Content
Operating Systems Solaris NFS mount. Nobody Nobody permissions. Post 302239836 by incredible on Wednesday 24th of September 2008 01:48:36 PM
Old 09-24-2008
cat /etc/default/nfs (show ouput)
The only thing today that prevents the scenario is to use Kerberos V5 (or some other strong authentication system, but Kerberos V5 is what most vendors have) authentication in the NFS traffic itself. This means exporting the volume with option sec=krb5 (or krb5i, or krb5p), and without anon=0 and without root=.

What happens is that even if the attacker su'es to someuser, unless he knows someuser's Kerberos password, he cannot become user someuser over the NFS connection. Even attempting to access /home/someuser as super-user, even with Kerberos credentials for super-user, is defeated, because super-user, uid 0, will be mapped to user nobody (since anon=0 and root= are absent in the export options).
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

nfs permissions

Hi all can someone tell me how to set the follwoing permissions in the /etc/exports file to share a directory. I need 2 users eg a+b to be able to read and write to the directory but everyone else to just read. we have NIS in our environment and I though I could use netgroups do do this. My... (2 Replies)
Discussion started by: silvaman
2 Replies

2. HP-UX

nfs export permissions

Hello, If I have an export like: /usr/temp -rw=ram:alligator means that /usr/temp has "rw" permissions to ram and alligator machines and has "ro" to everyone else? (1 Reply)
Discussion started by: psimoes79
1 Replies

3. UNIX for Dummies Questions & Answers

mount -o llock -F nfs vs mount -F nfs

Hi, We encountered NFS issue (solaris) especially running on Oracle application. Problem such as forms hang when close button is click, concurrent job shows running status all time. Understand we need to use mount -o llock -F nfs instead of mount -F nfs to eliminate? this problem.. Can... (1 Reply)
Discussion started by: KhawHL
1 Replies

4. Solaris

Permissions on NFS mount

I am mounting a directory remotely but I am not able to write to the NFS mount. I am using the following commands to share and mount the file system: On source server in DFStab file share -F nfs -o rw -d "IWStore" /iw-store On the client I am mounting like this: mount -F nfs -o rw... (4 Replies)
Discussion started by: wstclair
4 Replies

5. AIX

NFS mounts and user permissions

We need to allow ordinary users to preform NFS mounts on a AIX server without giving them root access to the server. Is there a way to give an ordinary users root access on a tem basis or a script to allow them to preform NFS mounts? (4 Replies)
Discussion started by: daveisme
4 Replies

6. IP Networking

Can't see home folder on one NFS mount but can in another mount on another share

Hello, I have a few Ubuntu 9.10 laptops I'm trying to learn NFS sharing with. I am just experimenting on this right now, so no harsh words about the security of what I'm playing with, please ;) Below are the configs /etc/exports on host /home/woodnt/Homeschool... (2 Replies)
Discussion started by: Narnie
2 Replies

7. Solaris

NFS Mount permissions weird

Hi all. I have a nas mounted on a solaris box as /u04. Currently I am getting a permission denied error from my HP DataProtector backup and when I ls -l the actual directory I get: drwxrwxrwt 5 65535 nogroup 4096 Nov 9 13:46 u04 I also have SAN mounted as /u06 and it is... (1 Reply)
Discussion started by: jamie_collins
1 Replies

8. Shell Programming and Scripting

Issue with changing the permissions on an nfs mount

Hi All, I have an nfs share which I mounted to my linux machine as below. df -k output TSDapp-na-02:/vol/tsd_app_1/rn_jira 47185920 11663072 35522848 25% /opt/rn_jira I have no entry for this in my /etc/fstab. I did it by the following way. mount -t nfs... (2 Replies)
Discussion started by: Tuxidow
2 Replies

9. UNIX for Dummies Questions & Answers

Permissions for NFS share

Hi, I have created a NFS share in Solaris 10 server1 and mounted it on solaris 10 server 2.But I want to change owner of the files from nobody to a particular user in client. Which command should I use. I have tried the following but it doesn't allow to change permissions in the server2 as... (0 Replies)
Discussion started by: Rossdba
0 Replies

10. Shell Programming and Scripting

Mount NFS Share On NFS Client via bash script.

I need a help of good people with effective bash script to mount nfs shared, By the way I did the searches, since i haven't found that someone wrote a script like this in the past, I'm sure it will serve more people. The scenario as follow: An NFS Client with Daily CRON , running bash script... (4 Replies)
Discussion started by: Brian.t
4 Replies
nfssec(5)																 nfssec(5)

NAME
nfssec - overview of NFS security modes The mount_nfs(1M) and share_nfs(1M) commands each provide a way to specify the security mode to be used on an NFS file system through the sec=mode option. mode can be sys, dh, krb5, krb5i, krb5p, or none. These security modes can also be added to the automount maps. Note that mount_nfs(1M) and automount(1M) do not support sec=none at this time. mount_nfs(1M) allows you to specify a single security mode; share_nfs(1M) allows you to specify multiple modes (or none). With multiple modes, an NFS client can choose any of the modes in the list. The sec=mode option on the share_nfs(1M) command line establishes the security mode of NFS servers. If the NFS connection uses the NFS Ver- sion 3 protocol, the NFS clients must query the server for the appropriate mode to use. If the NFS connection uses the NFS Version 2 proto- col, then the NFS client uses the default security mode, which is currently sys. NFS clients may force the use of a specific security mode by specifying the sec=mode option on the command line. However, if the file system on the server is not shared with that security mode, the client may be denied access. If the NFS client wants to authenticate the NFS server using a particular (stronger) security mode, the client wants to specify the secu- rity mode to be used, even if the connection uses the NFS Version 3 protocol. This guarantees that an attacker masquerading as the server does not compromise the client. The NFS security modes are described below. Of these, the krb5, krb5i, krb5p modes use the Kerberos V5 protocol for authenticating and pro- tecting the shared filesystems. Before these can be used, the system must be configured to be part of a Kerberos realm. See SEAM(5). sys Use AUTH_SYS authentication. The user's UNIX user-id and group-ids are passed in the clear on the network, unauthenticated by the NFS server. This is the simplest security method and requires no additional administration. It is the default used by Solaris NFS Version 2 clients and Solaris NFS servers. dh Use a Diffie-Hellman public key system (AUTH_DES, which is referred to as AUTH_DH in the forthcoming Internet RFC). krb5 Use Kerberos V5 protocol to authenticate users before granting access to the shared filesystem. krb5i Use Kerberos V5 authentication with integrity checking (checksums) to verify that the data has not been tampered with. krb5p User Kerberos V5 authentication, integrity checksums, and privacy protection (encryption) on the shared filesystem. This provides the most secure filesystem sharing, as all traffic is encrypted. It should be noted that performance might suffer on some systems when using krb5p, depending on the computational intensity of the encryption algorithm and the amount of data being transferred. none Use null authentication (AUTH_NONE). NFS clients using AUTH_NONE have no identity and are mapped to the anonymous user nobody by NFS servers. A client using a security mode other than the one with which a Solaris NFS server shares the file system has its security mode mapped to AUTH_NONE. In this case, if the file system is shared with sec=none, users from the client are mapped to the anonymous user. The NFS security mode none is supported by share_nfs(1M), but not by mount_nfs(1M) or automount(1M). /etc/nfssec.conf NFS security service configuration file See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | |Availability |SUNWnfscr | +-----------------------------+-----------------------------+ automount(1M), mount_nfs(1M), share_nfs(1M), rpc_clnt_auth(3NSL), secure_rpc(3NSL), nfssec.conf(4), attributes(5) /etc/nfssec.conf lists the NFS security services. Do not edit this file. It is not intended to be user-configurable. 13 Apr 2005 nfssec(5)
All times are GMT -4. The time now is 05:12 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy