merworth@cs.utexas.edu (Boyd Merworth) (11/21/89)
I'm a system admin for approximately 60 HP 9000/300 series workstations and have stumbled across a very peculiar problem concerning root-over-nfs under HP-UX 6.5. We have various filesystems cross-mounted on all machines within our department. This includes VAXes, Sequents, Suns and the HPs.

First scenario. When the HP filesystems are mounted on the Sequents, root on the Sequent has the ability to modify anything on the NFS mounted filesystem. Root-over-nfs is disabled on the HPs (uid -2).

Second scenario. My home directory resides on an HP. I nfs mount that filesystem onto my HP. When I su to root, sometimes my initialization files are read, sometimes not read. I use a special prompt when running as root and reset my path. These fail to get set when the initialization files are not read.

Has anyone else experienced this on their HP workstations running the HP-UX 6.5 OS?
--
Boyd Merworth
The University of Texas at Austin
Department of Computer Sciences, TAY 2.124, Austin, Texas 78712
merworth@cs.utexas.edu {harvard,gatech,uunet}!cs.utexas.edu!merworth
seligman@CS.Stanford.EDU (Scott Seligman) (11/21/89)
In article <7234@cs.utexas.edu> merworth@cs.utexas.edu (Boyd Merworth) writes:
> Has anyone else experienced this on their HP workstations running the
> HP-UX 6.5 OS?

The NFS shipped with HP-UX is buggy in other ways too. I've posted reports here but haven't gotten a response: c'est la vie. It's quite frustrating to hear that the people at HP are working on wonderful things like shared libraries, while the very basic networking software that they ship doesn't work. My university is buying new equipment all the time. Some voices can be heard saying "Consider HP! Great stuff!" But someone will always add "But what about their networking software?" What can I say?

I think I'll save my flame about the C compiler for another day.

Scott Seligman
seligman@cs.stanford.edu
dgreen@squid.cs.ucla.edu (Dan R. Greening) (11/22/89)
seligman@CS.Stanford.EDU (Scott Seligman) writes:
>The NFS shipped with HP-UX is buggy in other ways too. I've posted
>reports here but haven't gotten a response: c'est la vie. It's quite
>frustrating to hear that the people at HP are working on wonderful
>things like shared libraries, while the very basic networking software
>that they ship doesn't work. My university is buying new equipment
>all the time. Some voices can be heard saying "Consider HP! Great
>stuff!" But someone will always add "But what about their networking
>software?" What can I say?

A similar experience occurred at UCLA, where we found the speed of a hostname bind to be unacceptably slow. Through various internal contacts in HP Labs, we have occasionally been able to resolve problems by acquiring "internal use only" software, such as the 6.01 named, and its corresponding finger, rlogin, etc. However, obtaining software via "who one knows" is just about the most baroque and inefficient mechanism I can imagine.

Most of the packages that we've had trouble with are essentially public domain: the name server, the name binder, X11 release 3. The problem has been that HP does not immediately throw out its mods to public domain code. Thus we are forced to try to repeat what HP has done internally, if we are to keep our HPs at the same level as other manufacturers. Even the teeny "pathalias" program supplied with HP-UX 6.5 doesn't work with the current uumap format, and the last modification to pathalias was 1987. Sure it's easy to get a new version and compile it. Why should we have to?

I repeat my call for HP to set up an anonymous FTP site. I think one of HP's first jobs should be to ensure that its modifications to the X11R4 server, to be released just after HPUX 7.0, will be on that anonymous FTP site as soon as possible.

HP apparently could not see its reputation slide down the tube when it failed to supply release 3 upgrades to the Xhp toolkit. A dumb move, it irritated a number of system administrators--precisely the people one doesn't want to irritate. As a result, non-HP outsiders were forced to update the Xhp toolkit--a long, difficult process. Yes, there is an Xhp toolkit for release 3. No, it wasn't upgraded by HP. You can imagine what that does for HP's software reputation. Q: "Should I use the Xhp toolkit?" A: No. HP might leave you in the lurch.

Finding that MIT's X11R3 server crashes on HPUX 6.5 (for me, at least) gives me a similar feeling. If you're willing to use 2 year old HP-blessed software, HPUX is probably OK.

HP's software release policy is in bad need of reexamination. Maybe it works for corporate customers who don't use the latest and greatest, but it certainly has failed universities in fundamental ways.

Dan Greening        | NY 914-789-7861 | 12 Foster Court
dgreen@cs.ucla.edu  | CA 213-825-2266 | Croton-on-Hudson, NY 10520
human@hpindda.HP.COM (Aaron Schuman) (11/22/89)
Scott> I've posted reports here but haven't gotten a response: c'est la vie. HP employees often read this notes group. We respond when we have something useful to say, and alert other people to problems we can't solve. We do this as a gesture of goodwill to our customers. But notes is not the principal channel of communication between the HP staff and the customers. Having people scan a notes group to see if there's a question they want to respond to is not a foolproof way of helping every customer in every situation. HP has an excellent service department with procedures to ensure that every customer gets helped. There is a phone-in consultation service, a set of regional response centers, and factory on-line support. Every defect report and enhancement request gets catalogued and assigned to an owner. Employees are evaluated on the basis of how effectively we resolve service requests. I bet that Stanford has a service contract with HP. You should find the person in your computer administration department who knows how to use all the services HP provides. Aaron Schuman HP / Information Networks Division
dpb@viking.UUCP (Don Bennett) (11/22/89)
> I repeat my call for HP to set up an anonymous FTP site. I think one of
> HPs first jobs should be to ensure that its modifications to the X11R4
> server, to be released just after HPUX 7.0, will be on that anonymous FTP
> site as soon as possible.

> Finding that MIT's X11R3 server crashes on HPUX 6.5 (for me, at least),
> gives me a similar feeling. If you're willing to use 2 year old HP-blessed
> software, HPUX is probably OK.

Although I share your sentiments in general, you should restrict your particulars to things that are real problems. The X11-R3 code as shipped from MIT *does* run on HP machines without modification (at least s300), and I expect the R4 code will also.

If the R3 server doesn't work for you, it's for one of two reasons:
(a) You're using a frame buffer they didn't support in R3;
    (I hear this won't be as much of a problem in R4)
(b) You're using the optimizer on 6.5 - DON'T.
    (I agree with the folks who think that a broken optimizer is worse than useless)

Don Bennett (408)433-3311
dpb@frame.com
Frame Technology
markf@hpupnja.HP.COM (Mark Fresolone) (11/22/89)
>First scenario. When the HP filesystems are mounted
>on the Sequents, root on the sequent has the ability to modify anything
>on the NFS mounted filesystem. Root-over-nfs is disabled on the HPs
>(uid -2).

Sorry, I'm just not getting the question... Does a root process on the Sequent perceive root file permissions on the HP-resident files or not? I would expect remote root processes to always perceive "other" permission. The disabling you mention (UID -2) is standard NFS, and modifiable via kludge only with significant security breaching (from PCs, especially).

>Second scenario. My home directory resides on an HP. I nfs mount
>that filesystem onto my HP. When I su to root, sometimes my
>initialization files are read, sometimes not read. I use a special
>prompt when running as root and reset my path. These fail to get
>set when the initialization files are not read.

I'm missing something again... Assuming that by "My home" you mean your non-root home, I don't see that its availability should affect the behavior of the "su" command when su-ing to root. Any initialization files read in such a case will be those of root, if any.

Of course, su does behave differently regarding initialization files based on its arguments. With no arguments, su specifically overwrites both PS1 and PATH, and runs no initialization files. With the added arguments "-" or "- root", su will cause root's (i.e. not your) initialization files to be read. (It does this by passing an argv[0] which begins with "-" to the shell - in particular, "-su".) Inasmuch as one cannot NFS-mount over "/", the initialization files executed by "su -" will always be those of the file system local to the su process (unless, of course, root's home is not "/" - Yuk!).

Hope I'm addressing the right questions...

#include <disclaimer.h>
Mark Fresolone
hplabs!hpfcse!hpupnja!markf
merworth@cs.utexas.edu (Boyd Merworth) (11/22/89)
> HP has an excellent service department with procedures to ensure that every
> customer gets helped. There is a phone-in consultation service, a set of
> regional response centers, and factory on-line support. Every defect report
> and enhancement request gets catalogued and assigned to an owner. Employees
> are evaluated on the basis of how effectively we resolve service requests.
>
> I bet that Stanford has a service contract with HP. You should find the
> person in your computer administration department who knows how to use all the
> services HP provides.
>
> Aaron Schuman
>
> HP / Information Networks Division

I posted my article concerning the root-over-nfs problem after discussions with the HP Response Center and after being given an SR number. The Response Center cannot even give an estimated time as to when the problem will receive attention. This is not the first time I've reported bugs to HP and never received any fixes. It's almost always "it will be included in the next release of the OS if possible". This is a very unsatisfactory response.

Our site has Software Support from HP and I use the Response Center frequently. It just seems that it is always a one way tunnel. I report the problem but most of the time never receive any patch for the software from HP.
--
Boyd Merworth
The University of Texas at Austin
Department of Computer Sciences, TAY 2.124, Austin, Texas 78712
merworth@cs.utexas.edu {harvard,gatech,uunet}!cs.utexas.edu!merworth
cheeks@edsr.eds.com (Mark Costlow) (11/23/89)
In article <3613@frame.UUCP>, dpb@viking.UUCP (Don Bennett) writes:
>
> The X11-R3 code as shipped from MIT *does* run on HP machines
> without modification (at least s300), and I expect the R4 code will also.
>

Yes, but will it run for more than 8 hours of heavy use without dumping core? I really really really wish it would. Hopefully R4 will be an improvement.

> Don Bennett (408)433-3311
> dpb@frame.com
> Frame Technology

Mark Costlow
SysAdmin
cheeks@edsr.eds.com or ...!uunet!edsr!cheeks
dgreen@squid.cs.ucla.edu (Dan R. Greening) (11/23/89)
In article <3613@frame.UUCP> dpb@viking.UUCP (Don Bennett) writes:
>Although I share your sentiments in general, you should restrict
>your particulars to things that are real problems.
>
>If the R3 server doesn't work for you, its for one of two reasons:
>(a) You're using a frame buffer they didn't support in R3;
>    (I hear this won't be as much of a problem in R4)
>(b) You're using the optimizer on 6.5 - DON'T.
>    (I agree with the folks who think that a broken optimizer
>    is worse than useless)

The answer is probably "b". The software engineer I talked to at HP didn't mention that possibility, so in a sense it was a real problem. (Some of us assume optimizers work.)

The missing R3 Xhp toolkit, and the lack of adequate networking software are real problems. An anonymous FTP site, if kept up-to-date, would help solve similar problems in the future.

Comments from HP?

Dan Greening        | NY 914-789-7861 | 12 Foster Court
dgreen@cs.ucla.edu  | CA 213-825-2266 | Croton-on-Hudson, NY 10520
tai@hpiag0.IAG.HP.COM (Tai Jin) (11/23/89)
>I repeat my call for HP to set up an anonymous FTP site. I think one of
>HPs first jobs should be to ensure that its modifications to the X11R4
>server, to be released just after HPUX 7.0, will be on that anonymous FTP
>site as soon as possible.

I'm not sure if you are talking about HP supported software or user contributed software. If HP sets up an anonymous FTP site then it is assumed that the software provided is HP supported. I think it is wiser to set up a user contributed software archive at some university. To that end I've gathered some software from within HP that could be made available from an FTP archive site. What I got wasn't much, but it's a start. The software is available from Columbia U (columbia.edu) -- contact Chris Maio (chris@columbia.edu). But I must ask all you customers out there to please contribute to an archive near you. If you already have an archive, please let everyone know about it. One I know about is the University of Tromsoe (sfd.uit.no) and another is the Swedish Institute of Space Physics (I don't know the domain name for this one, but Bo Thide has posted here many times).

>HPs software release policy is in bad need of reexamination. Maybe it works
>for corporate customers who don't use the latest and greatest, but it
>certainly has failed universities in fundamental ways.

I agree with you. I know that the universities have a need to run the latest software available and that our current software release cycles do not meet this need. It does take time to "productize" software. And it's also possible that your favorite public domain software will never become a product. But if someone in HP ports the software then I see no reason why it should not be made available. Now I don't know that there is an overall policy regarding the distribution of such software. I have made available software that I've ported (eg. BIND).

However, it gets sticky when the software is being "productized" -- the owner of the product makes the decision. The owner is probably mostly concerned with meeting the product deadline. And providing early releases of the software can take away valuable time from those working on the product (due to having to support the software). So what we need is an efficient scheme for customers to get early releases of software while benefiting both HP and the customers. Do you have any suggestions?

>Dan Greening        | NY 914-789-7861 | 12 Foster Court
>dgreen@cs.ucla.edu  | CA 213-825-2266 | Croton-on-Hudson, NY 10520

...tai
"speaking for myself and hopefully for others"
irf@kuling.UUCP (Bo Thide') (11/23/89)
For all of you who report problems with the HP9000/300 HP-UX 6.5 cc optimizer (-O flag): There is a patch available that fixes all(?) problems with the compiler optimizer. Ask your HP contact person. We did and got it the next day. Several programs that didn't run OK with the original 6.5 cc -O now do. I assume this patch has been applied to the HP-UX 7.0 cc for the 300s.

Bo
irf@kuling.UUCP (Bo Thide') (11/24/89)
In article <2130002@hpiag0.IAG.HP.COM> tai@hpiag0.IAG.HP.COM (Tai Jin) writes:
>>I repeat my call for HP to set up an anonymous FTP site. I think one of
[text deleted]
>let everyone know about it. One I know about is the University of Tromsoe
>(sfd.uit.no) and another is the Swedish Institute of Space Physics (I don't
>know the domain name for this one, but Bo Thide has posted here many times).

My INTERNET address is bt@irfu.se. Unfortunately, we cannot FTP yet (hopefully this will change for the better in March/April 1990). Being a member of the board for the Swedish National HP Users Group (SWENUG) with special responsibility for HP9000 users, I have suggested that SWENUG procure an HP9000/300 and set it up as a contributed software archive supporting both FTP and UUCP. If everything works as planned, such a machine will be up within a few months. Our ambition will be to make as much contributed software as possible available on this machine.

If you join your local Users Group and at the same time INTEREX (the international organization of local users groups) you will be entitled to get the HP Contributed Software Library for HP9000 machines. The interesting thing with this particular software is that it has been quality assured (QA) by HP!

Bo

Bo Thide'
Swedish Institute of Space Physics, S-755 91 Uppsala, Sweden
[In Swedish: Institutet för RymdFysik, Uppsalaavdelningen (IRFU)]
Phone: (+46) 18-403000. Telex: 76036 (IRFUPP S). Fax: (+46) 18-403100
INTERNET: bt@irfu.se    UUCP: ...!uunet!sunic!irfu!bt
sm5dfw
garvey@cmic.UUCP (Joe Garvey) (11/25/89)
In article <1261@kuling.UUCP>, irf@kuling.UUCP (Bo Thide') writes:
> For all of you who report problems with the HP9000/300 HP-UX 6.5 cc optimizer
> (-O flag): There is a patch available that fixes all(?) problems with
> the compiler optimizer. Ask your HP contact person. We did and got it
> the next day. Several programs that didn't run OK with the original
> 6.5 cc -O now do. I assume this patch has been applied to the HP-UX 7.0
> cc for the 300s.

As the summary says... how about posting it here! This is the first I've heard of a patch. I did pick up a notice of the problem off the net from HP... but it said nothing of a patch (if I remember correctly).
--
Joe Garvey                   UUCP: {apple,backbone}!versatc!mips!cmic!garvey
California Microwave         Internet: mips.com!cmic!garvey
990 Almanor Ave              HP Desk: xxx ("mips!cmic!garvey")/hp1900/ux
Sunnyvale, Ca, 94086         800-831-3104 (outside CA)
408-720-6439 (let it ring)   800-824-7814 (inside CA)
We recently appeared in the maps. If your site is up to date, we're there.
tml@hemuli.atk.vtt.fi (Tor Lillqvist) (11/25/89)
In article <2130002@hpiag0.IAG.HP.COM> tai@hpiag0.IAG.HP.COM (Tai Jin) writes:
> If you already have an archive, please let everyone know about it.

I have a little of this and that ported to HP-UX available here at
hemuli.atk.vtt.fi. Internet address 130.188.52.2. No, don't ask for
stuff by mail.

> So what we need is an efficient scheme for customers to get
> early releases of software while benefitting both HP and the
> customers. Do you have any suggestions?

Does HP consider the changes it has had to make to freely available
software like RCS, sendmail and ftp proprietary? (I can guess the
answer, and I suppose the same goes for the other vendors, too, so we
can't flame HP for that.) I guess it is no hope that HP would make
these changes public, so that those who want to compile the latest
ftp, for instance, wouldn't have to figure it out themselves. After
all, there wouldn't be much left of the ARPA/Berkeley Services product
if these changes were made publicly available :-)
--
Tor Lillqvist, VTT/ATK
magnar@sfd.uit.no (Magnar Antonsen) (11/28/89)
In article 1786 Tai Jin writes:
>contribute to an archive near you. If you already have an archive, please
>let everyone know about it. One I know about is the University of Tromsoe
>(sfd.uit.no) and another is the Swedish Institute of Space Physics (I don't
>know the domain name for this one, but Bo Thide has posted here many times).

University of Tromsoe (sfd.uit.no) has offered anonymous FTP for the last year from hpserv1@sfd.uit.no. The address is 128.39.60.50. Our site contains public domain software picked up from sites all over the world in addition to SW developed by ourselves. The Computer Science Dept. has 65 9000/3xx computers and most of the software is tested and runs at least on this platform (HP workstations since 87). In particular, we try to offer the latest versions of Gnu software from the Free Software Foundation. At present we have approximately 100 Mbyte available for anonymous FTP.

We are interested in distributing contributed software from HP; we have the disk capacity available, and have been offering this kind of service for some time. There is obviously a need for this kind of efficient distribution to high-tech HP customers with access to the Internet. HP probably needs several sites like this; at least one on each side of the Atlantic. Univ. of Tromsoe would be suited to distribute software to the European HP customers.

Several articles have pointed out the need for and the advantages of a service like this, and have given several arguments why this is needed. Someone in HP should decide how they will respond to these ideas.
ronw@hpuflfa.HP.COM (Ron Williams) (12/02/89)
> First scenario. When the HP filesystems are mounted
> on the Sequents, root on the sequent has the ability to modify anything
> on the NFS mounted filesystem. Root-over-nfs is disabled on the HPs
> (uid -2).
>
> Boyd Merworth
> The University of Texas at Austin
> Department of Computer Sciences, TAY 2.124, Austin, Texas 78712
> merworth@cs.utexas.edu {harvard,gatech,uunet}!cs.utexas.edu!merworth

Below find some INFO to address the UID=-2 for root on HP-UX and a way to change it!!! Please note there are no warranties or guarantees about how long this procedure will continue to work, i.e. HP-UX rev ????

Ron Williams
HP Ft. Lauderdale
ronw@hpfcse                TEL: T-938-2278
{hpfcse}!hpuflfa!ronw      FAX: T-938-2293
COMSYS: 3179               AREA CODE: 305
HPDESK: Ron Williams / HP3179/08
______________________________________________________________________________

LAN BACKUP HINT: NFS Remote Root Access
---------------------------------------

NFS is used by many customers to back up a filesystem over a LAN to another HP9000 system's tape drive. For these backups to be successful, it is usually necessary for a modification to be made to the NFS file server's kernel. This modification circumvents the NFS security feature of allowing "super-user" privileges to the local filesystem(s) to ONLY the local root account.

A standard kernel on a file server will map all remote root accesses over an NFS mount (i.e. an NFS client's root session accessing one of the NFS server's filesystems) from the user-id 0 (super-user) to the user-id (UID) of -2 (nobody). A remote client's NFS backup program, executed as root, will not be able to read all the files on the server, due to the UID being mapped to -2 (nobody). In fact, no account on the remote client is likely to have the permissions to read every file on the server's filesystem (especially, the "/" filesystem).

To allow a remote client to read all the files on a server and back them up, the mapping of the UID 0 to the UID -2 must be "turned off" on the NFS file server.

CAVEAT: An NFS file server running a modified kernel allowing remote root access is a possible security risk. PCs on the network running PC-NFS use the UID 0 (since there is not an accounting concept on PCs) and if mapping to the UID -2 (nobody) is disabled, then PCs can effectively access the NFS file server's filesystems as super-user.

NOTE: The only kernels that need to be modified are the NFS file servers, since they are the nodes that control the mapping of UID 0 over NFS mounts.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

DISABLING THE MAPPING TO NOBODY (UID -2)

The following, executed on an NFS file server, will disable the mapping of UID 0 to UID -2. This will allow NFS backups from a client to read the server's filesystems.

[ must be logged on as root ]

    # adb -w /hp-ux                     *
    executable file = /hp-ux
    ready
    nobody?D                            *
    _nobody:        -2
    nobody?W0                           *
    _nobody:        -2      =       0
    <CTRL-D>                            *
    reboot the server

NOTE: lines marked with an asterisk (*) are lines typed in by the user.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

RE-ENABLING MAPPING TO NOBODY (UID -2)

The following, executed on an NFS file server, will enable the mapping of UID 0 to UID -2. This will NOT allow NFS backups from a client to read the server's filesystems.

[ must be logged on as root ]

    # adb -w /hp-ux                     *
    executable file = /hp-ux
    ready
    nobody?D                            *
    _nobody:        0
    nobody?W-2                          *
    _nobody:        0xFFFFFFFE      =       0xFFFFFFFE
    <CTRL-D>                            *
    reboot the server

NOTE: lines marked with an asterisk (*) are lines typed in by the user.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Backing up disks over the LAN, whether using NFS or other methods, is not currently supported by HP. Though, there are many customers that are successful at doing this operation.

The functionality of the kernel modification mentioned in this article is supported by HP.
merworth@cs.utexas.edu (Boyd Merworth) (12/21/89)
In article <140010@hpuflfa.HP.COM>, ronw@hpuflfa.HP.COM (Ron Williams) writes:
>
> A standard kernel on a file server will map all
> remote root accesses over an NFS mount (ie. a NFS client's root session
> accessing one of the NFS server's filesystems ) from the user-id 0
> (super-user) to the user-id (UID) of -2 (nobody). A remote client's NFS
> backup program, executed as root, will not be able to read all the files
> on the server, due to the UID being mapped to -2 (nobody). In fact, no
> account on the remote client is likely to have the permissions to read
> every file on the server's filesystem (especially, the "/" filesystem).
> To allow a remote client to read all the files on a server and back them
> up, the mapping of the UID 0 to the UID -2 must be "turned off" on the
> NFS file server.

Again, this is what is wrong. In my kernel, _nobody = -2. This still allows root from a (non-HP) client to access any mounted filesystem from the HP fileserver and make changes. IT'S BUSTED! I can repeat it without failure. On the client, I mount a filesystem from the HP fileserver running HP-UX 6.5. I become root on the client, I cd to the NFS mounted filesystem, I do anything I like.

Here's what's in the kernel:

    taklamak# adb /hp-ux /dev/mem
    executable file = /hp-ux
    core file = /dev/mem
    ready
    _nobody?D
    _nobody:        -2
    taklamak#

I have not modified _nobody in the kernel. I've reported it to the HP Response Center. A local CE from HP came to my office and I showed him what happens, he verified it to the Response Center. I still have not received a solution from the HP Response Center, although they have issued an SR but have no idea as to when the SR will be completed. I am supposed to receive HPUX 7.0 sometime after February 21, 1990, that's the estimated shipping date. I can only hope that this situation has been corrected in the new release, but I seriously doubt it.
--
Boyd Merworth
The University of Texas at Austin
Department of Computer Sciences, TAY 2.124, Austin, Texas 78712
merworth@cs.utexas.edu {harvard,gatech,uunet}!cs.utexas.edu!merworth
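Both halves of the disagreement above can be checked mechanically: what the server's kernel says its _nobody mapping is, and what the server actually does when a client's root writes to the export. The script below is an added example, not code from any post in this thread and not HP software. It parses the "_nobody?D" line that adb prints (as in Boyd's transcript), and on a client it creates a file on the mount and reads back the numeric owner the server recorded; if that comes back as 0 while running as root, root is not being squashed, which is exactly the symptom Boyd reports. The mount point, the probe file name, reading the owner from column 3 of "ls -ln", and the 65534/0xFFFFFFFE spellings of -2 are assumptions of this example.

```shell
#!/bin/sh
# Added example: check whether an NFS server really maps client root (UID 0)
# to "nobody" (UID -2). Not from the thread; names and paths are assumptions.

# Server side: classify the value adb prints for _nobody.
# Input is the line produced by '_nobody?D' in 'adb /hp-ux /dev/mem',
# e.g. "_nobody:        -2". Output: SQUASH_ON, SQUASH_OFF or UNKNOWN.
nobody_state() {
    val=$(printf '%s\n' "$1" | sed -n 's/^_nobody:[[:space:]]*//p')
    case "$val" in
        -2|65534|0xFFFFFFFE|0xfffffffe) echo SQUASH_ON ;;   # standard mapping
        0)                              echo SQUASH_OFF ;;  # kernel patched as in the hint
        *)                              echo UNKNOWN ;;
    esac
}

# Client side: create a file on the export and print the numeric UID the
# server attached to it (column 3 of 'ls -ln', assumed). Returns 2 if the
# directory is not writable by us at all.
probe_owner() {
    dir=$1
    f="$dir/.rootsquash-probe.$$"      # assumed probe file name
    : > "$f" || return 2
    owner=$(ls -ln "$f" | awk '{print $3}')
    rm -f "$f"
    printf '%s\n' "$owner"
}

# Combine the UID we ran as with the UID the server recorded.
#   NOT_ROOT          - probe is only meaningful when run as root
#   ROOT_NOT_SQUASHED - server honoured client UID 0 (Boyd's symptom)
#   ROOT_SQUASHED     - server rewrote UID 0 to nobody, as the hint describes
classify() {
    me=$1; seen=$2
    if [ "$me" -ne 0 ]; then
        echo NOT_ROOT
    elif [ "$seen" -eq 0 ]; then
        echo ROOT_NOT_SQUASHED
    else
        echo ROOT_SQUASHED
    fi
}

# Usage (as root on the client): check_root_squash.sh /mnt/hpserver-export
if [ $# -eq 1 ]; then
    owner=$(probe_owner "$1") || { echo "cannot create a file in $1" >&2; exit 2; }
    classify "$(id -u)" "$owner"
fi
```

Run it as root on the client against the mount point; ROOT_NOT_SQUASHED with the server's adb still showing _nobody = -2 reproduces the state Boyd describes, while ROOT_SQUASHED with _nobody = 0 would mean the kernel patch did not take effect (the hint says the server must be rebooted after writing the variable).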