nfs question - Unix

This is a discussion on nfs question - Unix ; I set up a nfs to share a directory to other servers. How can I restrict others from accessing this directory? Users do have root access to these servers and I don't want them to access the shared directory. thanks....

+ Reply to Thread
Results 1 to 6 of 6

Thread: nfs question

  1. nfs question

    I set up a nfs to share a directory to other servers. How can I
    restrict others from accessing this directory? Users do have root
    access to these servers and I don't want them to access the shared
    directory.
    thanks.


  2. Re: nfs question

    rogv24@yahoo.com wrote:
    >
    > I set up a nfs to share a directory to other servers. How can I
    > restrict others from accessing this directory?


    NIS netgroups, ACLs.

    > Users do have root
    > access to these servers and I don't want them to access the shared
    > directory.


    It is not possible to restrict access from anyone with root access.
    Nothing you can do will work because everything you can do will
    have a workaround by them. Turn your NFS access back off and
    no one will be able to access the data.


  3. Re: nfs question

    Not true. You can prevent a root user from accessing/modifying content
    a mounted NFS share from a remote server with the following:

    - on HPUX: use 'access' directive
    - on Linux: use 'root_squash or no_root_squash

    Remote root access operation on mounted NFS shares is disabled by
    default. You have to explicitly enable it via /etc/exports. Finally,
    NFS relies heavily on UIDs and GIDs. I can go around your security by
    creating an account on a remote system with an UID or GID that owns
    files/dirs on the mounted share. Short of exporting read-only, there
    is not much you can do.

    man exports is your friend.


  4. Re: nfs question

    --==[ bman ]==-- wrote:
    >
    > Not true. You can prevent a root user from accessing/modifying content
    > a mounted NFS share from a remote server with the following:


    This is UseNet. Please learn to quote context.

    > - on HPUX: use 'access' directive
    > - on Linux: use 'root_squash or no_root_squash
    >
    > Remote root access operation on mounted NFS shares is disabled by
    > default. You have to explicitly enable it via /etc/exports. Finally,
    > NFS relies heavily on UIDs and GIDs. I can go around your security by
    > creating an account on a remote system with an UID or GID that owns
    > files/dirs on the mounted share. Short of exporting read-only, there
    > is not much you can do.
    >
    > man exports is your friend.


    Here's my statement that was called not true:

    > > It is not possible to restrict access from anyone with root access.
    > > Nothing you can do will work because everything you can do will
    > > have a workaround by them. Turn your NFS access back off and
    > > no one will be able to access the data.


    It remains true. It access is given to user "dfreybur" on the client
    host, but that users doesn't exist on that host or never logs in,
    anyone with the root password can create "dfreybur" or give it a
    local password. Bingo, access.

    There's more access in the world than access *as* root. Anyone
    with the root password can use any granted access as that user.


  5. Re: nfs question

    "It is not possible to restrict access from anyone with root access.
    Nothing you can do will work because everything you can do will
    have a workaround by them. " - point taken if we are talking about
    using root gain indirect access to NFS share (like creating a user with
    exported UID).

    However, root itself cannot access/modify/write if directives described
    in my post are used. I assume that a "basic" trust is established
    between the server and a client for this type of opertaions otherwise,
    this whole converstation is pointless.

    You would not export vital information via NFS from your system to a
    client with a questionable reputation, would you?


  6. Re: nfs question

    --==[ bman ]==-- wrote:
    >
    > "It is not possible to restrict access from anyone with root access.
    > Nothing you can do will work because everything you can do will
    > have a workaround by them. " - point taken if we are talking about
    > using root gain indirect access to NFS share (like creating a user with
    > exported UID).
    >
    > However, root itself cannot access/modify/write if directives described
    > in my post are used. I assume that a "basic" trust is established
    > between the server and a client for this type of opertaions otherwise,
    > this whole converstation is pointless.
    >
    > You would not export vital information via NFS from your system to a
    > client with a questionable reputation, would you?


    As someone who formerly had a security clearance color me
    paranoid - Everyone has a questionable reputation. I know I
    can't lock down my systems enough to keep out the most
    determined cracker so neither can anyone else. Assuming a
    basic trust isn't as automatic to me as it is to some. I figure
    root's going to be abused eventually.

    There's also the question of how "vital" is defined. /etc is vital
    on the local system, application data is vital on the business
    level. One I'm not giving out over NFS the other I am.


+ Reply to Thread