rocky@polyof.poly.edu (A1 rocky shiotsuki (staff) ) (12/05/90)
Hi net-people,

I just started administrating HP 9000 series 425-T workstations. I set one up as an NFS server and the others as clients. When I create a directory on a client's NFS-mounted disk as user root (ID=0), the created directory's owner ID becomes 65534, not root. A friend of mine told me that this is a feature of NFS: the unix kernel will set a client's root (ID=0) ID to (ID=-2). Is there a way to modify the HP unix kernel so that root on a client can create and modify directories as root?

Thanks for help!!
-----------------------------------------------------------------
Rocky Shiotsuki                   Internet: rocky@puscs.poly.edu
Polytechnic University            128.238.5.8
333 Jay Street, Bklyn, NY 11201
ananth@hpindda.cup.hp.com (AP Anantharaman) (12/06/90)
/ hpindda:comp.sys.hp / rocky@polyof.poly.edu (A1 rocky shiotsuki (staff) ) / 10:57 am  Dec 4, 1990 /

Hi net-people, I just started to administrating HP 9000 series 425-T workstations. I set one up as NFS server and others as clients. When I create directory on client's NFS mounted disk at user ID root (ID=0), a created directory ID become 65534, not as root. Friend of mind told me that this is a feature of NFS, unix kernel will set clients root (ID=0) ID to (ID=-2). Is there way to modify HP unix kernel? So, root on client can create and modify directory as root. Thanks for help!!
-----------------------------------------------------------------
Rocky Shiotsuki                   Internet: rocky@puscs.poly.edu
Polytechnic University            128.238.5.8
333 Jay Street, Bklyn, NY 11201
----------

Go into adb and set the variable nobody to 0. It is a 4 byte word so use capital W to set the value.
frank@hpwrce.HP.COM (Frank Stutzman) (12/06/90)
>65534, not as root. Friend of mind told me that this is
>a feature of NFS, unix kernel will set clients root (ID=0)
>ID to (ID=-2). Is there way to modify HP unix kernel?
>So, root on client can create and modify directory as root.

Your friend is correct. This behavior is a feature of NFS. Below I have included a cookbook method on how to change this root mapping to accomplish what you want. I just hope you understand the ramifications of what you are doing. You are opening up security, perhaps to a dangerous level (you will have to look at your particular environment to define exactly what "dangerous" means). You are probably aware that you are opening up your system to allow changes to be made on your system by other root users, but are you aware that you will also be allowing users of PCs running PC-NFS to do the same thing?

Ok, enough of the big-boy warnings...

NFS is used by many customers to back up a filesystem over a LAN to another HP9000 system's tape drive. For these backups to be successful, it is usually necessary for a modification to be made to the NFS file server's kernel. This modification circumvents the NFS security feature of allowing "super-user" privileges to the local filesystem(s) to ONLY the local root account.

A standard kernel on a file server will map all remote root accesses over an NFS mount (i.e. an NFS client's root session accessing one of the NFS server's filesystems) from the user-id 0 (super-user) to the user-id (UID) of -2 (nobody). A remote client's NFS backup program, executed as root, will not be able to read all the files on the server, due to the UID being mapped to -2 (nobody). In fact, no account on the remote client is likely to have the permissions to read every file on the server's filesystem (especially the "/" filesystem). To allow a remote client to read all the files on a server and back them up, the mapping of UID 0 to UID -2 must be "turned off" on the NFS file server.

CAVEAT: An NFS file server running a modified kernel allowing remote root access is a possible security risk. PCs on the network running PC-NFS use UID 0 (since there is no accounting concept on PCs) and if mapping to UID -2 (nobody) is disabled, then PCs can effectively access the NFS file server's filesystems as super-user.

NOTE: The only kernels that need to be modified are the NFS file servers, since they are the nodes that control the mapping of UID 0 over NFS mounts.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

DISABLING THE MAPPING TO NOBODY (UID -2)

The following, executed on an NFS file server, will disable the mapping of UID 0 to UID -2. This will allow NFS backups from a client to read the server's filesystems.

    [ must be logged on as root ]

    # adb -w /hp-ux                                  *
    executable file = /hp-ux
    ready
    nobody?D                                         *
    _nobody:        -2
    nobody?W0                                        *
    _nobody:        -2      =       0
    <CTRL-D>                                         *
    reboot the server

NOTE: lines followed by an asterisk (*) are lines typed in by the user.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

RE-ENABLING MAPPING TO NOBODY (UID -2)

The following, executed on an NFS file server, will enable the mapping of UID 0 to UID -2. This will NOT allow NFS backups from a client to read the server's filesystems.

    [ must be logged on as root ]

    # adb -w /hp-ux                                  *
    executable file = /hp-ux
    ready
    nobody?D                                         *
    _nobody:        0
    nobody?W-2                                       *
    _nobody:        0xFFFFFFFE      =       0xFFFFFFFE
    <CTRL-D>                                         *
    reboot the server

NOTE: lines followed by an asterisk (*) are lines typed in by the user.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Backing up disks over the LAN using NFS is not currently supported by HP. Though, there are many customers that are successful at doing this operation. The functionality of the kernel modification mentioned in this article is supported by HP.

|=============================================================================|
|Frank Stutzman                          | "What is wanted is not the will    |
|Hewlett-Packard Western Response Center | to believe, but the will to        |
|Mtn. View, Ca                           | find out, which is the exact       |
|frank@hpwrc.hp.com                      | opposite."  -Bertrand Russell      |
|=============================================================================|
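To make the mapping Frank describes concrete, here is a small C illustration added to this thread (it is not HP-UX kernel code and not from any poster). It models the server-side uid mapping with `nobody` standing in for the kernel variable patched with adb above, and assumes the 65534 in the original question is -2 stored as an unsigned 16-bit uid.

```c
#include <stdint.h>
#include <stdio.h>

/* Credential as it arrives in an NFS request: the server takes the uid on
 * trust, which is the whole reason root gets mapped to "nobody". */
struct remote_cred {
    uint32_t uid;         /* uid claimed by the client (unauthenticated) */
    const char *client;   /* label for the constructed sample below */
};

/* Server-side mapping: remote root (0) becomes `nobody`, every other uid
 * passes through unchanged.  `nobody` is -2 by default, 0 after nobody?W0. */
uint32_t nfs_map_uid(uint32_t remote_uid, int32_t nobody)
{
    if (remote_uid == 0)
        return (uint32_t)nobody;   /* -2 is stored as 0xFFFFFFFE */
    return remote_uid;
}

/* Owner id recorded for a new directory on a system with 16-bit uids
 * (assumption: this is why the poster saw 65534 rather than -2). */
uint16_t owner_uid16(uint32_t mapped_uid)
{
    return (uint16_t)(mapped_uid & 0xFFFFu);   /* 0xFFFFFFFE -> 65534 */
}

/* Does this request end up with super-user rights on the server? */
int grants_root(const struct remote_cred *c, int32_t nobody)
{
    return nfs_map_uid(c->uid, nobody) == 0;
}

int main(void)
{
    /* Constructed sample requests: a client root session, a PC-NFS host
     * (always claims uid 0, PCs have no accounts), and an ordinary user. */
    struct remote_cred reqs[] = { {0, "client-root"}, {0, "pc-nfs"}, {1001, "user"} };
    int32_t settings[] = { -2, 0 };   /* stock kernel, and after nobody?W0 */
    for (int s = 0; s < 2; s++) {
        printf("nobody = %d\n", settings[s]);
        for (int i = 0; i < 3; i++) {
            uint32_t m = nfs_map_uid(reqs[i].uid, settings[s]);
            printf("  %-11s uid %5u -> stored owner %5u%s\n", reqs[i].client,
                   reqs[i].uid, owner_uid16(m),
                   grants_root(&reqs[i], settings[s]) ? "  (super-user!)" : "");
        }
    }
    return 0;
}
```

With the stock value both root requests land as owner 65534; with `nobody` set to 0 the PC-NFS request is indistinguishable from the client's real root, which is exactly Frank's caveat.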
jr@bwilab3.UUCP (Eugene W Coleman) (12/06/90)
In article <1990Dec4.185735.9667@polyof.poly.edu>, rocky@polyof.poly.edu (A1 rocky shiotsuki (staff) ) writes:
> I just started to administrating HP 9000 series 425-T
> workstations. I set one up as NFS server and others as
> clients. When I create directory on client's NFS mounted
> disk at user ID root (ID=0), a created directory ID become
> 65534, not as root. Friend of mind told me that this is
> a feature of NFS, unix kernel will set clients root (ID=0)
> ID to (ID=-2). Is there way to modify HP unix kernel?
> So, root on client can create and modify directory as root.

The following solution is the only one that I'm aware of. If anyone knows any other way(s) please post them or E-mail them to me. Thanks.

Everyone hold on, we are about to use 'adb' on the kernel!!!!!!!

Here we go:

    Login as root
    type 'adb -w /hp-ux'
        the system may kick and buck with one or two messages
    then type 'nobody?D'
        this will display the decimal value of nobody. (probably -2)
    type 'nobody?W0'
        this will write a '0' into the 'nobody' parameter.
    type a <ctrl>d
        this will exit 'adb'

Now you are ready to reboot your system.

Hope this helps.

Remember that the words "Always" and "Never" only apply sometimes.

*******************************************************************************
* Eugene W. Coleman, Jr  | Bradley Ward Inc.    | Mental Marksman at Large    *
* (404) 396-4292         | Atlanta, Ga 30328    |                             *
* That place we call %*@!&$!       ...uunet!gatech!galbp!bwilab3!jr           *
*                                                                             *
* HP always asks 'What if', We can't stop asking 'WHY' ?                      *
*                                                                             *
*******************************************************************************
fred@prisma.cv.ruu.nl (Fred Appelman) (12/06/90)
In <4310147@hpindda.cup.hp.com> ananth@hpindda.cup.hp.com (AP Anantharaman) writes:
>ID to (ID=-2). Is there way to modify HP unix kernel?
>So, root on client can create and modify directory as root.

I myself use the following shellscript:

    #! /bin/sh
    #
    # PATCH THE KERNEL ON DISK OR IN MEMORY
    #
    # In adb, "?" addresses the object file (/hp-ux on disk) and "/"
    # addresses the core file (/dev/kmem, the running kernel), so
    # DISK takes effect after the next reboot and MEMORY immediately.
    #
    if [ $# != 1 ]
    then
        echo 'Usage: PATCH_KERNEL [MEMORY|DISK|BOTH]'
        exit 1
    fi
    case $1 in
    MEMORY)
        # running kernel only
        adb -w /hp-ux /dev/kmem << EOFMEM
    nobody/W0
    EOFMEM
        ;;
    DISK)
        # kernel file on disk only
        adb -w /hp-ux << EOFDISK
    nobody?W0
    EOFDISK
        ;;
    BOTH)
        # disk image and running kernel
        adb -w /hp-ux /dev/kmem << EOFBOTH
    nobody?W0
    nobody/W0
    EOFBOTH
        ;;
    *)
        echo 'Usage: PATCH_KERNEL [MEMORY|DISK|BOTH]'
        exit 1
        ;;
    esac

--
Fred J.R. Appelman, 3D Computer Vision, Utrecht University
AZU, Heidelberglaan 100, 3584 CX Utrecht, The Netherlands.
Telephone: +31-30-506710   Fax: +31-30-513399
e-mail: fred@cv.ruu.nl or appelman@cs.unc.edu