paul@mecazh.UUCP (Paul Breslaw) (02/19/90)
My original question was how to set root permissions on NFS mounted file systems. johnb@hpubvwa.HP.COM (John Blommers) writes: > This is not the brightest thing to do to your servers, you know, > since any root user on any client can now accidentally do a dread > rm * on some part of the server file system, buying you big > headaches. I asked it because we have the following situation:- At present we have a 340 cluster server with 1.1Gb of disk. We have graduated to more diskless nodes than can be handled by one cluster server, so have bought a second (and soon a third). There is no need to split up our existing file systems. We are adding another 1Gb of disk on the second server, and will split the disk load between servers. Then we can provide a single 'virtual' file system, by cross-mounting the file systems. Now I don't want to know which cluster server exports which file systems in order to perform some administrative task. I simply want to do it from whichever machine I happen to be logged in on (as root). We do not have "any root user on any client", our diskless users are not super users. So what should I do? Paul Breslaw -- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Paul Breslaw, Mecasoft SA, | telephone : 41 1 362 2040 Guggachstrasse 10, CH-8057 Zurich, | e-mail : mcsun!chx400!mecazh!paul Switzerland. | paul@mecazh.UUCP
markf@hpupnja.HP.COM (Mark Fresolone) (02/20/90)
>This has to do with using adb to edit the unix kernel and change >the value of nobody from -2 to zero. > >This is not the brightest thing to do to your servers, you know, >since any root user on any client can now accidentally do a dread >rm * on some part of the server file system, buying you big >headaches. It may be even worse than that... users mounting your volumes from Personal Computers (via PC-NFS) also receive the "nobody" user ID. When you give "nobody" super-user access, "anybody" with a PC can ruin your day. #include <disclaimer.h> Mark Fresolone
human@hpindda.HP.COM (Aaron Schuman) (02/21/90)
Paul Breslaw> Now I don't want to know which cluster server exports Paul Breslaw> which file systems in order to perform some administrative Paul Breslaw> task. I simply want to do it from whichever machine I Paul Breslaw> happen to be logged in on (as root). Paul Breslaw> We do not have "any root user on any client", our diskless Paul Breslaw> users are not super users. So what should I do? The mapping of root to nobody is, of course, intended to prevent the wild propagation of root privilege across an NFS network. You seem very confident about the control of root privilege on your diskless clients. That's very good. Every system owner should be in exactly the same position. Ordinary users do not need root privilege to run their applications. But what about other systems that may connect to your server? NFS isn't used exclusively among systems in the same cluster. Can systems from outside your cluster mount your server's file systems? Have you read your /etc/exports file lately? Are there any entries in /etc/exports with only one argument? Remember that a line in /etc/exports that names a file system but doesn't list hosts or netgroups to which that file system can be exported, is offering that file system for export to every computer in the world. How's your /usr/adm/inetd.sec file set up? Do you have controls on what addresses the inet daemon will allow to access the mountd service? If you are certain that you know everybody who knows the root password on your cluster (and everybody who knows other ways of becoming root), and if you are certain that your file systems can't be exported outside of machines to which root is controlled, then the NFS mapping of root to nobody is redundant. What should you do? As an HP employee, I advise you to indulge in redundant protection, even if it costs you some functionality. As just some guy on the net, I can say that if I were in your position, I would remove the mapping of root to nobody. Ultimately, it's your responsibility. If some dishonest former employee or teenaged hacker were to break into your system and inflict damage, could you say that you had done your best?
ronw@hpuflfa.HP.COM (Ron Williams) (02/21/90)
> > Could someone kindly mail me those few instructions needed to give > root super-user privileges on NFS mounted file systems. > > I know it is something to do with a symbol called 'nobody' in the kernel, > but have forgotten the details. > > We have HP-UX 7.0 on 9000/3xx. > > > Many thanks > > Paul Breslaw > > -- > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > Paul Breslaw, Mecasoft SA, | telephone : 41 1 362 2040 > Guggachstrasse 10, CH-8057 Zurich, | e-mail : mcsun!chx400!mecazh!paul > Switzerland. | paul@mecazh.UUCP > ---------- Below find a narrative that worked at 6.5 on 9000/300 & 3.1 on 9000/800. I can only assume that it works at 7.0 as well. I have not had the chance to try it. Also see below a script that uses this procedure and invokes adb in a pseudo-batch mode. Ron Williams HP Ft. Lauderdale ronw@hpfcse ------------ TEL: T-938-2278 {hpfcse}!hpuflfa!ronw FAX: T-938-2293 COMSYS: 3179 AREA CODE: 305 HPDESK: Ron Williams / HP3179/08 ______________________________________________________________________________ LAN BACKUP HINT: NFS Remote Root Access --------------------------------------- NFS is used by many customers to back up a filesystem over a LAN to another HP9000 system's tape drive. For these backups to be successful, it is usually necessary for a modification to be made to the NFS file server's kernel. This modification circumvents the NFS security feature of allowing "super-user" privileges to the local filesystem(s) to ONLY the local root account. A standard kernel on a file server will map all remote root accesses over an NFS mount (ie. a NFS client's root session accessing one of the NFS server's filesystems ) from the user-id 0 (super-user) to the user-id (UID) of -2 (nobody). A remote client's NFS backup program, executed as root, will not be able to read all the files on the server, due to the UID being mapped to -2 (nobody). In fact, no account on the remote client is likely to have the permissions to read every file on the server's filesystem (especially, the "/" filesystem). To allow a remote client to read all the files on a server and back them up, the mapping of the UID 0 to the UID -2 must be "turned off" on the NFS file server. CAVEAT: A NFS file server running a modified kernel allowing remote root access is a possible security risk. PCs on the network running PC-NFS use the UID 0 (since there is not an accounting concept on PCs) and if mapping to the UID -2 (nobody) is disabled, then PCs can effectively access the NFS file server's filesystems as super-user. NOTE: The only kernels that need to be modified are the NFS file servers, since they are the nodes that control the mapping of UID 0 over NFS mounts. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - DISABLING THE MAPPING TO NOBODY (UID -2) The following executed on a NFS file server will disabled the mapping of UID 0 to UID -2. This will allow NFS backups from a client to read the server's filesystems. [ must be logged on as root ] # adb -w /hp-ux * executable file = /hp-ux ready nobody?D * _nobody: -2 nobody?W0 * _nobody: -2 = 0 <CTRL-D> * reboot the server NOTE: lines proceeded by an asterisk (*) are lines typed in by the user. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - RE-ENABLING MAPPING TO NOBODY (UID -2) The following executed on a NFS file server will enabled the mapping of UID 0 to UID -2. This will NOT allow NFS backups from a client to read the server's filesystems. [ must be logged on as root ] # adb -w /hp-ux * executable file = /hp-ux ready nobody?D * _nobody: 0 nobody?W-2 * _nobody: 0xFFFFFFFE = 0xFFFFFFFE <CTRL-D> * reboot the server NOTE: lines proceeded by an asterisk (*) are lines typed in by the user. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Backing up disks over the LAN, whether using NFS or other methods, is not currently supported by HP. Though, there are many customers that are successful at doing this operation. The functionality of the kernel modification mentioned in this article is supported by HP. ___________________________________________________________________________ #! /bin/sh # # /etc/nfs.nobody - should be executable only by root # # routine to execute adb on kernel (default /hp-ux ) and to return # value of "nobody", i.e. mapping of 'root' user ID 0 => ? # usually: 0 => -2 (65536) # # special options: -F <value> => modify kernel file with new value # -K <value> => modify kernel memory with new value # -f => print kernel file current value # -k => print kernel memory current value # (default) set -- `getopt fkF:K: $*` if [ $? != 0 ] then echo "Usage: nfs.nobody [ -k|-f ] [ -K|-F <value> ] [ kernel-file ]" echo echo " -k => print <nobody> mapping in kernel memory" echo " -f => print <nobody> mapping in kernel file" echo " -K => change <nobody> mapping to value in kernel memory" echo " -F => change <nobody> mapping to value in kernel file" echo echo " default kernel file = /hp-ux" echo " kernel memory = /dev/kmem" exit 2 fi WRITEFLAG="" FLAG="/" for OPT in $* do case $OPT in -K) FLAG="/"; VALUE="$2" WRITEFLAG="-w" shift 2;; -k) FLAG="/"; shift;; -F) FLAG="?"; VALUE="$2" WRITEFLAG="-w" shift 2;; -f) FLAG="?"; shift;; --) shift; break;; esac done CORFIL="/dev/kmem" if [ -z "$1" ] then OBJFIL="/hp-ux" else OBJFIL="$2" fi if [ -n "$WRITEFLAG" ] then echo "nobody${FLAG}D\nnobody${FLAG}W${VALUE}\n" | adb ${WRITEFLAG} ${OBJFIL} ${CORFIL} fi echo "nobody${FLAG}D\n" | adb $OBJFIL $CORFIL | awk \ '{ if ( $1 == "nobody:" ) { if ( $2 != "" ) { if ( $2 < 0 ) { POSITIVE=65536+$2 } else { POSITIVE=$2 } printf("NFS (nobody) maps root user ID (0) => %d (%d)\n",$2,POSITIVE) } } }'