[ale] nfs problems

Dow Hurst dhurst at kennesaw.edu
Sat Jun 9 14:36:57 EDT 2001


Ken,
Make sure first that the directory the mount is mounted on is properly
accessible.  Here is an example of how a problem can occur if the
default umask for root is 027:

su
umask 027
mkdir /nfs.remotemachine
mount remotemachine:/exported /nfs.remotemachine
exit

Now any common user can't write to the mounted directory since the
underlying mount point has permissions of 750 instead of 755.  The mount
command will mask this by displaying the remote directory's permissions:

su
ls -ld /nfs.remotemachine    # while mounted
drwxr-xr-x  root.sys /nfs.remotemachine
umount /nfs.remotemachine
ls -ld /nfs.remotemachine    # after unmounting
drwxr-x---  root.sys /nfs.remotemachine

See how the masking can work?  The underlying mount point's permissions
will override the mounted filesystem permissions.  To fix this just
unmount your NFS filesystems and inspect/correct the mount point
permissions.  A default umask of 027 is useful at times but can create
situations like this.  Also, the options in /etc/exports can keep root
from writing to an NFS mounted file system.

NFS is so inherently insecure that you should understand the options
thoroughly before exporting.  UDP is the protocol underlying traditional
NFS so spoofing UID/GIDs is trivial since no TCP type three-way handshake
is used.  Set up a VPN first and then run NFS through it.  Linux, I believe,
has a TCP based version of NFS that is more secure.  Use that if
possible.  Real World Linux Security discusses this.  Under IRIX, which
is what we have here, we have to use UDP but run through an SSH/PPP based
VPN.  Hope this helps,
Dow


Ken Nagorski wrote:
> 
> Hi there,
> 
>         I recently started using nfs to export /home among other
> things. Here is the deal I seem to have a hard time with file permissions,
> (maybe) I am not sure that is the answer.
> 
>         For instance I get some stuff I downloaded right. I say tar xvfz
> package.tar.gz. It keeps complaining that it can't create package/<whatever>
> no such file or directory. Now when it is all done I see that it did create
> that package dir but it is empty.
> 
>         I am using slackware 7.1 with 2.4.5 kernels for both. Obviously I
> have nfs compiled in and set up or it wouldn't even mount the drives...
> 
>         I am confused. What would cause this? I haven't found anything
> about it in the howto's nothing in any error logs I see. I am stumped???
> 
> Ken
> 
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

-- 
__________________________________________________________
Dow Hurst                   Office: 770-499-3428
Systems Support Specialist  Fax:    770-423-6744
1000 Chastain Rd.
Chemistry Department SC428  Email:dhurst at kennesaw.edu
Kennesaw State University         Dow.Hurst at mindspring.com
Kennesaw, GA 30144
*********************************
*Computational Chemistry is fun!*
*********************************
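
The mount-point check described in the message above, as an added example that is not part of the original post: it reads an fstab-style file, skips NFS mount points that are currently mounted (a live mount hides the underlying mode), and reports unmounted ones whose directory lacks read/execute for others. The function name, the OK/BLOCKED/MOUNTED/MISSING labels and the /proc/mounts default are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes an fstab-style
# file and a /proc/mounts-style mount table; names and labels are hypothetical.

# audit_nfs_mountpoints FSTAB [MOUNTS]
# Prints one line per NFS entry in FSTAB:
#   MOUNTED dir        live mount hides the underlying mode; unmount to inspect
#   MISSING dir        mount point does not exist
#   BLOCKED dir (xxx)  underlying directory lacks r-x for "other" (e.g. 750)
#   OK dir             underlying directory is at least r-x for "other"
audit_nfs_mountpoints() {
    fstab=$1
    mounts=${2:-/proc/mounts}
    # Field 2 is the mount point, field 3 the type (nfs, nfs4, ...).
    awk '$1 !~ /^#/ && $3 ~ /^nfs/ { print $2 }' "$fstab" |
    while read -r dir; do
        if awk -v d="$dir" '$2 == d { f = 1 } END { exit !f }' "$mounts"; then
            echo "MOUNTED $dir"
        elif [ ! -d "$dir" ]; then
            echo "MISSING $dir"
        else
            # Characters 8-10 of the ls mode string are the "other" bits.
            other=$(ls -ld "$dir" | cut -c8-10)
            case $other in
                r?[xt]) echo "OK $dir" ;;
                *)      echo "BLOCKED $dir ($other)" ;;
            esac
        fi
    done
}

# Usage: sh audit.sh /etc/fstab
if [ "$#" -ge 1 ]; then
    audit_nfs_mountpoints "$@"
fi
```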