Using "anon=0" is about as dangerous to security as you can possibly imagine.
What "anon=0" means is, "If I don't know who you are, I'm giving you root permissions in the file system." If you need to do THAT, something is badly broken in your configuration. BADLY BROKEN.
Create this file in that NFS file system on an NFS client as a user that's not recognized by the NFS server:
crack.c:
Now run these commands:
Then run something like this from any host mounting that file system - as any user - whether it's mounted natively or via NFS:
Instant root shell, goodbye security.
nfssec
nfssec(5)

NAME
nfssec - overview of NFS security modes

DESCRIPTION
The mount_nfs(1M) and share_nfs(1M) commands each provide a way to specify the security mode to be used on an NFS file system through the sec=mode option. mode can be sys, dh, krb5, krb5i, krb5p, or none. These security modes can also be added to the automount maps. Note that mount_nfs(1M) and automount(1M) do not support sec=none at this time. mount_nfs(1M) allows you to specify a single security mode; share_nfs(1M) allows you to specify multiple modes (or none). With multiple modes, an NFS client can choose any of the modes in the list.

The sec=mode option on the share_nfs(1M) command line establishes the security mode of NFS servers. If the NFS connection uses the NFS Version 3 protocol, the NFS clients must query the server for the appropriate mode to use. If the NFS connection uses the NFS Version 2 protocol, then the NFS client uses the default security mode, which is currently sys. NFS clients may force the use of a specific security mode by specifying the sec=mode option on the command line. However, if the file system on the server is not shared with that security mode, the client may be denied access.

If the NFS client wants to authenticate the NFS server using a particular (stronger) security mode, the client should specify the security mode to be used, even if the connection uses the NFS Version 3 protocol. This guarantees that an attacker masquerading as the server does not compromise the client.

The NFS security modes are described below. Of these, the krb5, krb5i, krb5p modes use the Kerberos V5 protocol for authenticating and protecting the shared filesystems. Before these can be used, the system must be configured to be part of a Kerberos realm. See SEAM(5).

sys     Use AUTH_SYS authentication. The user's UNIX user-id and group-ids are passed in the clear on the network, unauthenticated by the NFS server. This is the simplest security method and requires no additional administration. It is the default used by Solaris NFS Version 2 clients and Solaris NFS servers.

dh      Use a Diffie-Hellman public key system (AUTH_DES, which is referred to as AUTH_DH in the forthcoming Internet RFC).

krb5    Use Kerberos V5 protocol to authenticate users before granting access to the shared filesystem.

krb5i   Use Kerberos V5 authentication with integrity checking (checksums) to verify that the data has not been tampered with.

krb5p   Use Kerberos V5 authentication, integrity checksums, and privacy protection (encryption) on the shared filesystem. This provides the most secure filesystem sharing, as all traffic is encrypted. It should be noted that performance might suffer on some systems when using krb5p, depending on the computational intensity of the encryption algorithm and the amount of data being transferred.

none    Use null authentication (AUTH_NONE). NFS clients using AUTH_NONE have no identity and are mapped to the anonymous user nobody by NFS servers. A client using a security mode other than the one with which a Solaris NFS server shares the file system has its security mode mapped to AUTH_NONE. In this case, if the file system is shared with sec=none, users from the client are mapped to the anonymous user. The NFS security mode none is supported by share_nfs(1M), but not by mount_nfs(1M) or automount(1M).

FILES
/etc/nfssec.conf    NFS security service configuration file

ATTRIBUTES
See attributes(5) for descriptions of the following attributes:

+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE              | ATTRIBUTE VALUE             |
+-----------------------------+-----------------------------+
| Availability                | SUNWnfscr                   |
+-----------------------------+-----------------------------+

SEE ALSO
automount(1M), mount_nfs(1M), share_nfs(1M), rpc_clnt_auth(3NSL), secure_rpc(3NSL), nfssec.conf(4), attributes(5)

NOTES
/etc/nfssec.conf lists the NFS security services. Do not edit this file. It is not intended to be user-configurable.

13 Apr 2005 nfssec(5)
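
A defensive check tying the anon=0 warning in the post to the security modes in nfssec(5), added here as an example and not part of the forum post or the man page. It parses Solaris-style share lines and reports shares that use anon=0 or that fall back to the sys or none modes. The names parse_share and audit are hypothetical, the sample dfstab is constructed, and the colon-separated sec=mode[:mode] list syntax is taken from share_nfs(1M).

```python
import shlex
REASONS = {
    "anon=0": "unknown users are given uid 0 (root) in the file system",
    "sec=none": "AUTH_NONE: clients have no identity",
    "sec=sys": "AUTH_SYS: uid/gids sent in the clear, unauthenticated",
}
# Constructed sample dfstab, not taken from the page.
SAMPLE_DFSTAB = """\
# place share(1M) commands here
share -F nfs -o rw /var/share
share -F nfs -o rw,anon=0 /export/scratch
share -F nfs -o sec=krb5p,rw /export/home
share -F nfs -o sec=krb5:none,ro -d "docs" /export/docs
"""

def parse_share(line):
    """Return (path, [options]) for a share command line, else None."""
    tokens = shlex.split(line, comments=True)  # drops '#' comments
    if not tokens or tokens[0] != "share":
        return None
    opts, path, it = [], None, iter(tokens[1:])
    for tok in it:
        if tok in ("-F", "-o", "-d"):      # flags that take one argument
            arg = next(it, "")
            if tok == "-o":
                opts = arg.split(",")
        else:
            path = tok
    return path, opts

def audit(dfstab_text):
    """Return [(line_no, path, code)] for shares with weak settings."""
    findings = []
    for n, line in enumerate(dfstab_text.splitlines(), 1):
        path, opts = parse_share(line) or (None, [])
        if path is None:
            continue
        modes = []
        for opt in opts:
            key, _, val = opt.partition("=")
            if key == "anon" and val == "0":
                findings.append((n, path, "anon=0"))
            elif key == "sec":
                modes += val.split(":")
        # No sec= option: a Solaris server defaults to sys (per nfssec(5)).
        for mode in modes or ["sys"]:
            if "sec=" + mode in REASONS:
                findings.append((n, path, "sec=" + mode))
    return findings
```

Calling audit(SAMPLE_DFSTAB) returns one tuple per finding; look up the code in REASONS for the explanation.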