[comp.sys.hp] HP9000s425t How can I modify NFS kernel

rocky@polyof.poly.edu (A1 rocky shiotsuki (staff) ) (12/05/90)

    Hi net-people,

    I just started administering HP 9000 series 425-T
workstations. I set one up as an NFS server and the others as
clients.  When I create a directory on a client's NFS-mounted
disk as user root (ID=0), the created directory's ID becomes
65534, not root.  A friend of mine told me that this is
a feature of NFS: the unix kernel will set the client's root (ID=0)
ID to ID=-2.  Is there a way to modify the HP unix kernel,
so that root on a client can create and modify directories as root?

    Thanks for help!!
-----------------------------------------------------------------
Rocky Shiotsuki		Internet:  rocky@puscs.poly.edu
Polytechnic University			 128.238.5.8
333 Jay Street,Bklyn,NY 11201

ananth@hpindda.cup.hp.com (AP Anantharaman) (12/06/90)

/ hpindda:comp.sys.hp / rocky@polyof.poly.edu (A1 rocky shiotsuki (staff) ) / 10:57 am  Dec  4, 1990 /

    Hi net-people,

    I just started to administrating HP 9000 series 425-T
workstations. I set one up as NFS server and others as
clients.  When I create directory on client's NFS mounted
disk at user ID root (ID=0), a created directory ID become
65534, not as root.  Friend of mind told me that this is
a feature of NFS, unix kernel will set clients root (ID=0)
ID to (ID=-2).  Is there way to modify HP unix kernel?
So, root on client can create and modify directory as root.

    Thanks for help!!
-----------------------------------------------------------------
Rocky Shiotsuki		Internet:  rocky@puscs.poly.edu
Polytechnic University			 128.238.5.8
333 Jay Street,Bklyn,NY 11201
----------

Go into adb and set the variable nobody to 0.  It is a 4-byte word, so use
capital W to set the value.

frank@hpwrce.HP.COM (Frank Stutzman) (12/06/90)

>65534, not as root.  Friend of mind told me that this is
>a feature of NFS, unix kernel will set clients root (ID=0)
>ID to (ID=-2).  Is there way to modify HP unix kernel?
>So, root on client can create and modify directory as root.

Your friend is correct.  This behavior is a feature of NFS.

Below I have included a cookbook method on how to change this root mapping
to accomplish what you want.  I just hope you understand the ramifications
of what you are doing.  You are opening up security perhaps to a dangerous
level (you will have to look at your particular environment to define exactly
what "dangerous" means).  You are probably aware that you are opening up
your system to allow changes to be made on your system by other root users,
but are you aware that you will also be allowing users of PCs running PC-NFS
to do the same thing?

Ok, enough of the big-boy warnings...



 NFS is used by many customers to back up a filesystem over a LAN to
 another HP9000 system's tape drive. For these backups to be successful,
 it is usually necessary for a modification to be made to the NFS file
 server's kernel. This modification circumvents the NFS security feature
 of allowing "super-user" privileges to the local filesystem(s) to ONLY
 the local root account. A standard kernel on a file server will map all
 remote root accesses over an NFS mount (i.e. an NFS client's root session
 accessing one of the NFS server's filesystems) from the user-id 0
 (super-user) to the user-id (UID) of -2 (nobody). A remote client's NFS
 backup program, executed as root, will not be able to read all the files
 on the server, due to the UID being mapped to -2 (nobody). In fact, no
 account on the remote client is likely to have the permissions to read
 every file on the server's filesystem (especially the "/" filesystem).
 To allow a remote client to read all the files on a server and back them
 up, the mapping of UID 0 to UID -2 must be "turned off" on the
 NFS file server.

 CAVEAT: An NFS file server running a modified kernel allowing remote
 root access is a possible security risk. PCs on the network running
 PC-NFS use UID 0 (since there is no accounting concept on PCs),
 and if mapping to UID -2 (nobody) is disabled, then PCs can
 effectively access the NFS file server's filesystems as super-user.

 NOTE: The only kernels that need to be modified are the NFS file
 servers, since they are the nodes that control the mapping of UID 0 over
 NFS mounts.


 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

     DISABLING THE MAPPING TO NOBODY (UID -2)

     The following, executed on an NFS file server, will disable the
     mapping of UID 0 to UID -2. This will allow NFS backups from a
     client to read the server's filesystems.

      [ must be logged on as root ]

         # adb -w /hp-ux                                 *
           executable file = /hp-ux
           ready
           nobody?D                                      *
           _nobody:        -2
           nobody?W0                                     *
           _nobody:        -2  = 0
           <CTRL-D>                                      *

           reboot the server

         NOTE: lines preceded by an asterisk (*) are lines typed in
               by the user.

     - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

     RE-ENABLING MAPPING TO NOBODY (UID -2)

     The following, executed on an NFS file server, will enable the
     mapping of UID 0 to UID -2. This will NOT allow NFS backups from a
     client to read the server's filesystems.

      [ must be logged on as root ]

         # adb -w /hp-ux                                 *
           executable file = /hp-ux
           ready
           nobody?D                                      *
           _nobody:        0
           nobody?W-2                                    *
           _nobody:        0xFFFFFFFE  =  0xFFFFFFFE
           <CTRL-D>                                      *

           reboot the server

         NOTE: lines preceded by an asterisk (*) are lines typed in
               by the user.

    - - - - - - - - - - - - -  - - - - - - - - - - - - - - - - - - - - -

 Backing up disks over the LAN using NFS is not currently supported by
 HP, though there are many customers that are successful at doing
 this operation. The functionality of the kernel modification mentioned
 in this article is supported by HP.


|=============================================================================|
|Frank Stutzman                            | "What is wanted is not the will  |
|Hewlett-Packard Western Response Center   |  to believe, but the will to     |
|Mtn. View, Ca                             |  find out, which is the exact    |
|frank@hpwrc.hp.com                        |  opposite." -Bertrand Russell    |
|=============================================================================|
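To make the mapping in the cookbook above concrete, here is an added example (not code from the post or from HP) that models the server-side UID mapping in Python: the kernel word `nobody` as adb displays it, the owner ID as a 16-bit field (which is why -2 shows up as 65534 on the client), and what patching `nobody` to 0 changes, including for a PC-NFS client that presents UID 0. The request names and the UID 1042 are constructed sample values.

```python
"""Model of the NFS server-side UID mapping described in the thread.

Added example, not code from the original post or from HP.  'nobody' is
modelled as the signed 32-bit kernel word adb shows, and the recorded
owner as a 16-bit uid_t field; both are assumptions of this model.
"""

NOBODY_DEFAULT = -2   # value shown by 'nobody?D' on a stock kernel
NOBODY_PATCHED = 0    # value written by 'nobody?W0'


def to_word32(value: int) -> int:
    """Two's-complement view of a signed 32-bit kernel word (adb's 0xFFFFFFFE)."""
    return value & 0xFFFFFFFF


def to_uid16(value: int) -> int:
    """Owner id as a 16-bit uid_t field, which is how -2 appears as 65534."""
    return value & 0xFFFF


def map_remote_uid(client_uid: int, nobody: int = NOBODY_DEFAULT) -> int:
    """Server-side mapping of the caller UID from an incoming NFS request.

    The stock kernel maps a remote UID 0 to 'nobody' (-2); other UIDs are
    trusted as sent.  With 'nobody' patched to 0 the mapping is a no-op,
    so any client presenting UID 0 keeps super-user privileges.
    """
    return nobody if client_uid == 0 else client_uid


def effective_owner(client_uid: int, nobody: int = NOBODY_DEFAULT) -> int:
    """UID the server records as file owner, as the 16-bit unsigned value."""
    return to_uid16(map_remote_uid(client_uid, nobody))


# Constructed sample requests: a workstation root session, an ordinary
# user, and a PC-NFS client (which always presents UID 0, per the caveat).
SAMPLE_REQUESTS = {"client-root": 0, "user": 1042, "pc-nfs": 0}


def audit(nobody: int = NOBODY_DEFAULT) -> dict:
    """Which constructed requests would get super-user access on the server."""
    return {name: map_remote_uid(uid, nobody) == 0
            for name, uid in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(effective_owner(0), hex(to_word32(NOBODY_DEFAULT)))
    print(audit(NOBODY_DEFAULT))
    print(audit(NOBODY_PATCHED))
```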

jr@bwilab3.UUCP (Eugene W Coleman) (12/06/90)

In article <1990Dec4.185735.9667@polyof.poly.edu>, rocky@polyof.poly.edu (A1 rocky shiotsuki (staff) ) writes:
>     I just started to administrating HP 9000 series 425-T
> workstations. I set one up as NFS server and others as
> clients.  When I create directory on client's NFS mounted
> disk at user ID root (ID=0), a created directory ID become
> 65534, not as root.  Friend of mind told me that this is
> a feature of NFS, unix kernel will set clients root (ID=0)
> ID to (ID=-2).  Is there way to modify HP unix kernel?
> So, root on client can create and modify directory as root.

The following solution is the only one that I'm aware of. If anyone knows
any other way(s) please post them or E-mail them to me. Thanks

Everyone hold on, we are about to use 'adb' on the kernel !!!!!!!
Here we go:
	Login as root
	type 'adb -w /hp-ux'
	the system may kick and buck with one or two messages then
	type 'nobody?D'
	this will display the decimal value of nobody. (probably -2)
	type 'nobody?W0'
	this will write a '0' into the 'nobody' parameter.
	type a <ctrl>d
	this will exit 'adb'
Now you are ready to reboot your system.
Hope this helps.

Remember that the words "Always" and "Never" only apply sometimes.
*******************************************************************************
* Eugene W. Coleman, Jr  |   Bradley Ward Inc.   |  Mental Marksman at Large  *
*   (404) 396-4292       |   Atlanta, Ga  30328  |  		              *
*	That place we call %*@!&$!   ...uunet!gatech!galbp!bwilab3!jr         *
*									      *
*          HP always asks 'What if', We can't stop asking 'WHY' ?	      *
*									      *
*******************************************************************************

fred@prisma.cv.ruu.nl (Fred Appelman) (12/06/90)

In <4310147@hpindda.cup.hp.com> ananth@hpindda.cup.hp.com (AP Anantharaman) writes:

>ID to (ID=-2).  Is there way to modify HP unix kernel?
>So, root on client can create and modify directory as root.

I myself use the following shellscript:

#! /bin/sh
#
# PATCH THE KERNEL ON DISK OR IN MEMORY
#
# Sets the kernel variable 'nobody' to 0 so that remote UID 0 is no
# longer mapped to UID -2 over NFS.  In adb, '?' writes to the kernel
# file /hp-ux (takes effect after the next reboot) and '/' writes to
# /dev/kmem (takes effect in the running kernel immediately).
#

if [ $# != 1 ]
then
	echo 'Usage: PATCH_KERNEL [MEMORY|DISK|BOTH]'
	exit 1
fi

# '<<-' strips leading tabs from the here-document body and terminator,
# so the adb commands can stay indented inside the case branches.
case $1 in
	MEMORY)
		adb -w /hp-ux /dev/kmem <<-EOFMEM
		nobody/W0
		EOFMEM
		;;
	DISK)
		adb -w /hp-ux <<-EOFDISK
		nobody?W0
		EOFDISK
		;;
	BOTH)
		adb -w /hp-ux /dev/kmem <<-EOFBOTH
		nobody?W0
		nobody/W0
		EOFBOTH
		;;
	*)
		echo 'Usage: PATCH_KERNEL [MEMORY|DISK|BOTH]'
		exit 1
		;;
esac

-- 
Fred J.R. Appelman, 3D Computer Vision, Utrecht University
AZU, Heidelberglaan 100, 3584 CX Utrecht, The Netherlands.
Telephone: +31-30-506710 Fax: +31-30-513399
e-mail: fred@cv.ruu.nl or appelman@cs.unc.edu