[comp.sys.next] NFS and .NeXT database problems

rogerj@batcomputer.tn.cornell.edu (Roger Jagoda) (01/21/90)

Folks,

We have been "coping" with what may be a security "feature" on the
NeXTs, but I just wanted to be sure what everyone else thought. We run a
NeXT lab with 5 fileservers (660 MB disks, 2 partitions, "/" and
"/clients") and 25 diskless (well, 40 MB accelerators on-board, but still
being booted via BOOTP from the servers) client NeXTs. We export "/" on
all the servers with the following lines in /etc/exports:

/ -root=SERVER1:SERVER2:SERVER3:SERVER4:SERVER5
/clients/CLIENT1 -access=CLIENT2,root-CLIENT2
/clients/CLIENT2 -access=CLIENT2,root-CLIENT2
/clients/CLIENT2 -access=CLIENT2,root-CLIENT2
/clients/CLIENT2 -access=CLIENT2,root-CLIENT2
/clients/CLIENT2 -access=CLIENT2,root-CLIENT2

Now, there's also an entry for fstab niloaded into the "/" top-most
netinfo domain that tells everyone to mount the user directory under "/"
from the servers:

nidump fstab / gives:

server1:/Users /Net nfs rw,bg,intr,net,noquota 0 0
server2:/Users /Net nfs rw,bg,intr,net,noquota 0 0
server3:/Users /Net nfs rw,bg,intr,net,noquota 0 0
server4:/Users /Net nfs rw,bg,intr,net,noquota 0 0
server5:/Users /Net nfs rw,bg,intr,net,noquota 0 0

So now all the clients mount /Users from all the servers. This way any
student sitting in front of any machine will find their home directories
(well, there's more, but for now, that's enough background).

For "root" at any client, however, we're having some problems. Although
root on the servers can dwrite and dread into the /.NeXT directory on
the servers, the same uid (root) on any client gets the message:

"can't right into database"

after a dwrite or dread command. This is annoying. Root on all our
machines would, ideally, like to have certain things on the dock,
defaults, etc. On the servers it's no problem, but the clients are
having no luck. Now, root on a client has its home directory on the
server's "/" directory, right? At least this is what is indicated from
the following:

niutil -read / /machines/<client>

gives:

root=<server>:/ private=server:/clients/<client>@/private

Now, doesn't this say that the client's root directory is the server's
"/" directory and its private directory is the server's
/clients/<client> directory (made from running the newclient <client>
command) mounted at /private? Or have I really got it messed up? If this
is true, why can't "root" on the client read the /.NeXT defaults
database?

My suspicion was that an NFS-mounted "root" id on the clients wasn't
really a valid id to the server where the .NeXT database lives. Is that
what is meant when, during bootup, a client says it is "faking root
mounts"? Well, I'd like for root on any client to use the same .dock and
.NeXTdefaults.D,L and other database files so my administrators can all
use the same tools. I thought I solved that problem with the -root entry
in /etc/exports, but I guess not? So, did I really mess things up or is
this a "feature" of NFS-mounted file-systems?

Thanks in advance for any insights!


Roger Jagoda
Systems Coordinator
Cornell Computer Services
220 CCC/Garden Ave
(FQOJ@CORNELLA.CIT.CORNELL.EDU)
(607) 255-8960

eps@toaster.SFSU.EDU (Eric P. Scott) (01/21/90)

[evading your specific question]
We don't give our clients root access to / because it would
create a nasty security problem (that you might not have).
Administration can be performed from anywhere by logging in to
the server and su'ing.  /NextAdmin/NetInfoManager -NXHost client
et al. works just fine.
					-=EPS=-
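Added example, written for this page and not code from either poster: a small Python auditor for SunOS/NeXT-style /etc/exports lines. It models the NFS server rule behind Roger's symptom (uid 0 from a host that is not in an export's -root= list is squashed to "nobody", so that host's root cannot write the server's /.NeXT database) and reports the exposure Eric warns about (exporting "/" with root access to other hosts). The sample exports text and all hostnames are constructed.

```python
# Added example, not from the thread: audit SunOS/NeXT-style /etc/exports lines.
# Constructed sample modelled on the thread's exports (hostnames are made up);
# options follow '-' separated by commas, host lists are colon-separated.
SAMPLE_EXPORTS = """\
/ -root=server1:server2:server3:server4:server5
/clients/client1 -access=client1,root=client1
/clients/client2 -access=client2,root-client2   # '-' where '=' was meant
"""

def parse_exports(text):
    """Map each exported path to its access list, root list and any malformed options."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *opts = line.split()
        exp = exports[path] = {"access": set(), "root": set(), "warnings": []}
        for part in filter(None, ",".join(o.lstrip("-") for o in opts).split(",")):
            key, eq, val = part.partition("=")
            if eq and key in ("access", "root"):
                exp[key] |= {h.lower() for h in val.split(":") if h}
            else:  # unknown or malformed option: it grants nothing, so report it
                exp["warnings"].append(f"{path}: unrecognised option '{part}'")
    return exports

def root_mapping(exports, path, client):
    """'root' if uid 0 from client is honoured, 'nobody' if squashed, None if no access."""
    exp, client = exports.get(path), client.lower()
    if exp is None or (exp["access"] and client not in exp["access"]):
        return None
    return "root" if client in exp["root"] else "nobody"

def audit(exports):
    """Flag every export that hands uid 0 to another host; '/' is the worst case."""
    findings = []
    for path, exp in exports.items():
        if exp["root"]:
            level = "HIGH" if path == "/" else "MEDIUM"
            findings.append(f"{level}: {path} grants root to {sorted(exp['root'])}")
        findings.extend(exp["warnings"])
    return findings
```

Running root_mapping(parse_exports(SAMPLE_EXPORTS), "/", "client1") returns "nobody", which is the situation in the first post; only the hosts named in -root= get "root". A later line for the same path replaces the earlier one, so duplicated entries like the repeated /clients/CLIENT2 lines are not reported separately.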