frank@hpuxa.ircc.ohio-state.edu (Frank G. Fiamingo) (12/23/89)
I've just installed NFS on an HP9000/840 running HP-UX 3.11. Some users have now asked if they can mount their personal directories from the 840 on their office workstations. These workstations may be Suns, Decs, HPs, etc., also running NFS.

For this to be successful we need to ensure that they have full access to their own files, but not be able to acquire any special access to other files that may be exported along with theirs. Unfortunately HP's version of NFS requires that you export an entire file system, which is most likely going to include more than one user's files.

To start we need to match UIDs on the two systems and mount the directory read/write. This should accomplish the first objective: allowing the user full access to his/her own files.

I'm at a loss, though, as to how to accomplish the second objective: preventing unwanted access and maintaining security for other files that might have to be exported along with his own. E.g. if he has root privileges on his own workstation he could easily set up UIDs to gain read/write access to files that might be denied him otherwise. Also, there might be other users on his system that have UIDs that unintentionally match those on the HP.

So my questions are
1) does anyone know a way to accomplish these objectives? and
2) are there any other concerns I need to consider before we try to offer this service?

Thanks for your help,
Frank Fiamingo
frank@hpuxa.ircc.ohio-state.edu
plb@cbnewsi.ATT.COM (peter.l.berghold) (12/26/89)
From article <614@nisca.ircc.ohio-state.edu>, by frank@hpuxa.ircc.ohio-state.edu (Frank G. Fiamingo):
>
> I've just installed NFS on an HP9000/840 running HP-UX 3.11. Some users

Congrats!

> have now asked if they can mount their personal directories from the
> 840 on their office workstations. These workstations may be Suns, Decs, HPs,

No problem. Works fine.

> [ stuff deleted ]
> I'm at a loss, though, as to how to accomplish the second objective:
> preventing unwanted access and maintaining security for other files
> that might have to be exported along with his own. e.g. if he has root
> privileges on his own workstation he could easily set-up UIDs to gain
> read/write access to files that might be denied him otherwise. Also,

Not quite true. A root ID on one system under NFS has a UID of -1 when going to a foreign system. So, if you are required to have ROOT access to access files on the remote system, even though you may be root on the local system you will be denied access on the remote system. I checked with my SUN counterpart here, and he tells me that this is consistent with what I have observed with the HP's. I currently have several SUN workstations that access my HP9000/855 disks and have the owner's root logins on the HP's exported to the SUNs. There have never been any security problems that I know of as a result.

Peter L. Berghold, AT&T, HRSAG, UUCP: att!violin!plb
+1 (201) 615-4419
Disclaimer: If you find an opinion in this posting somewhere it is no doubt mine, and not my employer's. I'm the only person crazy enough to take this stand!
arossite@.com (Bruce Rossiter) (12/28/89)
plb@cbnewsi.ATT.COM (peter.l.berghold) writes:
>frank@hpuxa.ircc.ohio-state.edu (Frank G. Fiamingo):
[ stuff deleted ]
>> I'm at a loss, though, as to how to accomplish the second objective:
>> preventing unwanted access and maintaining security for other files
>> that might have to be exported along with his own. e.g. if he has root
>> privileges on his own workstation he could easily set-up UIDs to gain
>> read/write access to files that might be denied him otherwise. Also,
>
>Not quite true. A root ID on one system under NFS has a UID of -1 when
> going to a foreign system. So, if you are required to have ROOT access
> to access files on the remote system, even though you may be root on the
> local system you will be denied access on the remote system. I checked
> with my SUN counterpart here, and he tells me that this is consistent
> with what I have observed with the HP's. I currently have several SUN
> workstations that access my HP9000/855 disks and have the owner's root
> logins on the HP's exported to the SUNs. There have never been any
> security problems that I know of as a result.

While what you say is true, a user with 'root' access on his workstation can easily gain access to NFS files as *anyone* except 'root'. He merely adds an entry in the password file for 'joeuser' and 'su's to that user. Now the remote system will let him do anything that 'joeuser' could do to files on the NFS mounted filesystem.(*)

This is the problem I think Frank was talking about. Standard NFS has no way (that I know of) to avoid this. SUN has "Secure NFS", but I've never used it, so I don't know what problems it solves. I don't know about HP...

-Bruce Rossiter                 arossite@oracle.oracle.com
UNIX Systems Admin.             uunet!oracle!arossite
Oracle Corporation

(*) It's even easier in a workstation environment running 'yp', where everyone has access to any workstation. You just 'su' to root, then 'su' to a user.
brnstnd@stealth.acf.nyu.edu (Dan Bernstein) (01/03/90)
(Apparently these messages weren't distributed before. Sorry.)

In article <614@nisca.ircc.ohio-state.edu> frank@hpuxa.ircc.ohio-state.edu (Frank G. Fiamingo) writes:
> I've just installed NFS on an HP9000/840 running HP-UX 3.11. Some users
> have now asked if they can mount their personal directories from the
> 840 on their office workstations.

NFS assumes that the machines have the same administrative setup. -access can do a bit of what you want, but you can't get full security.

In article <1531@cbnewsi.ATT.COM> plb@cbnewsi.ATT.COM (peter.l.berghold) writes:
> From article <614@nisca.ircc.ohio-state.edu>, by frank@hpuxa.ircc.ohio-state.edu (Frank G. Fiamingo):
> > I'm at a loss, though, as to how to accomplish the second objective:
> > preventing unwanted access and maintaining security for other files
> > that might have to be exported along with his own.
> Not quite true. A root ID on one system under NFS has a UID of -1 when going
> to a foreign system.

But root is the only uid that's treated with such care. All other uids (and gids) are unprotected. You're not addressing the issue: NFS assumes that both machines are administered by the same people (running the same yellow pages system, if possible). Root receives special treatment only because it's so powerful.

Consider the link between phoenix.princeton.edu and bogey.princeton.edu. The uids are matched but the gids aren't; so an undergraduate can access phoenix files as a graduate by logging on to bogey. The security hole there was caused by administrative negligence. Imagine the problems that could arise if bogey were somebody's personal workstation. -access (as an /etc/exports flag) is a partial solution, but it doesn't really do the job.

> There have never been any security problems that I know of as a
> result.

Then nobody's trying very hard to break security.

---Dan
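Added example, not part of the original thread: a Python check for the accidental uid/gid overlaps that Frank and Dan describe, comparing an NFS server's passwd and group files with a client's before the export is offered. The file contents are constructed sample data and the function names are hypothetical; as Bruce points out, matching ids cannot stop someone with root on the client from creating an id on purpose.

```python
# Constructed sample data: passwd and group files from an NFS server and a client.
SERVER_PASSWD = """\
root:*:0:0:root:/:/bin/sh
frank:*:201:20:Frank:/users/frank:/bin/sh
alice:*:202:30:Alice:/users/alice:/bin/sh
"""
CLIENT_PASSWD = """\
root:*:0:0:root:/:/bin/sh
frank:*:201:20:Frank:/home/frank:/bin/csh
bob:*:202:20:Bob:/home/bob:/bin/csh
alice:*:305:30:Alice:/home/alice:/bin/csh
"""
SERVER_GROUP = "staff:*:20:\ngrads:*:30:alice\n"
CLIENT_GROUP = "staff:*:20:\nundergrads:*:30:bob\n"

def parse_ids(text, id_field=2):
    """Map numeric id -> name; passwd and group both keep the id in field 3."""
    ids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) <= id_field or not fields[id_field].isdigit():
            continue  # skip blank, comment and malformed lines
        ids.setdefault(int(fields[id_field]), fields[0])
    return ids

def audit(server_text, client_text, kind):
    """Return findings where the client's id space disagrees with the server's."""
    server, client = parse_ids(server_text), parse_ids(client_text)
    server_by_name = {name: num for num, name in server.items()}
    findings = []
    for num, name in sorted(client.items()):
        if kind == "uid" and num == 0:
            continue  # root is the one uid the thread says the server remaps
        if num in server and server[num] != name:
            # Client account would be treated as a different server account.
            findings.append((kind, "collision", num, name, server[num]))
        elif name in server_by_name and server_by_name[name] != num:
            # Same person, different number: no access to their own files.
            findings.append((kind, "mismatch", num, name, server_by_name[name]))
    return findings

def audit_all():
    return (audit(SERVER_PASSWD, CLIENT_PASSWD, "uid")
            + audit(SERVER_GROUP, CLIENT_GROUP, "gid"))

if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

In the sample data, bob on the client shares uid 202 with alice on the server, alice's own client uid no longer matches, and gid 30 names a different group on each side, which is the phoenix/bogey situation.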