[comp.unix.admin] netgroups in /etc/exports

henk@cs.vu.nl (Henk Smit) (02/16/91)

 Can someone tell me how to set up the protections in /etc/exports?

 We don't want to export our NFS filesystems to the outside world, so I am
trying to set up a protection scheme in /etc/exports. We have got over
 200 Suns and Xterminals which all mount several filesystems. The Xterminals
 access their fonts over NFS.

 I can't list them all in the /etc/exports file, so I made a netgroup in our
NIS netgroup database:

our_hosts       (,,cs.vu.nl)

 In the /etc/exports files I did put something like:

/usr            -access=our_hosts,ro
/home/staff1    -access=our_hosts


 This worked for us under SunOS 4.0.3, although I am not totally sure anymore
that it did work indeed.


 Unfortunately, recently (after we have upgraded to SunOS 4.1.1) we were
notified by someone outside our domain that they were able to mount our
filesystems. I looked in the new manuals and found these lines in netgroup(5):

  <.....>
      The domainname field must either be the local domain name or
     empty  for  the  netgroup entry to be used.  This field does
     not limit the netgroup or provide security.  The  domainname
     field refers to the domain in which the triple is valid, not
     the domain containing the trusted host.

  <.....>
  WARNINGS
     The  triple,  (,,domain),  allows  all  users  and  machines
     trusted access, and has the same effect as the triple, (,,).

     To correctly restrict access to a specific set  of  members,
     use the hostname and username fields of the triple.
  <.....>


 So this explains why my approach does not work (anymore).
I have to make an entry that lists all hosts in our domain.
The problem is that each entry has a size limit of 1 Kb!!
To overcome this problem, I've made a script that generates entries of the
following form:

Mhosta       (hosta.cs.vu.nl,-,cs.vu.nl)
Mhostb       (hostb.cs.vu.nl,-,cs.vu.nl)
Mhostc       (hostc.cs.vu.nl,-,cs.vu.nl)
Mncdu1       (ncdu1.cs.vu.nl,-,cs.vu.nl)
Mncdu2       (ncdu2.cs.vu.nl,-,cs.vu.nl)

MGhosts      Mhosta Mhostb Mhostc
MGncdus      Mncdu1 Mncdu2

our_hosts    MGhosts MGncdus


 This way I can keep the entries shorter than 1K.

 The problem is, this doesn't work!!
When I install these netgroup entries, I can't mount any filesystems anymore.

 "ypmatch hosta netgroup"     gives  "(hosta.cs.vu.nl,-,cs.vu.nl)"
 "ypmatch MGhosts netgroup"   gives  "Mhosta Mhostb Mhostc"
 "ypmatch our_hosts netgroup" gives  "MGhosts MGncdus"

 This looks all right to me. Our user netgroups are nested and they work fine,
so I don't think the nesting is the problem.

 I have also tried entries like:
Mhosta       (hosta,-,cs.vu.nl)
Mhosta       (hosta.cs.vu.nl,-,-)
 


 My questions are the following:

   How do you set up your /etc/exports? Do you type in all the host names?
   Do you have another (better) scheme in your netgroups?
   Do you have another mechanism to prevent NFS traffic to the outside world?
   What have I done wrong?


 If you want to help me, please mail me, I will summarize.
 Thanks in advance,


               Henk.

--
Henk Smit                               Vrije Universiteit     Amsterdam
Internet: henk@cs.vu.nl                 Faculteit Informatica  kamer S4.10
Phone:    +31 20 548 6218
X.400:    C=nl; ADMD=400net; PRMD=surf; O=vu; OU=cs; S=henk;
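A generator and checker for the nested-netgroup scheme described in the post above, added here as an example (it is not Henk's script). It assumes the post's 1 Kb limit means 1024 bytes and the SunOS triple syntax (host,user,domain) with '-' matching nothing; it generalizes the two-level nesting shown in the post to as many levels as the limit requires, and flags triples with an empty host field, which the quoted netgroup(5) WARNINGS say trust every machine.

```python
ENTRY_LIMIT = 1024  # bytes per netgroup entry (the post's "1 Kb", assumed 1024)

def host_triple(host, domain):
    # Host field set, user field '-' (matches no user): this host only, as
    # netgroup(5) WARNINGS advises instead of the all-hosts wildcard (,,domain).
    return f"({host},-,{domain})"

def entry_len(name, members):
    return len(name + " " + " ".join(members))

def pack(name, members, table, limit=ENTRY_LIMIT, level=1):
    """Store name -> members in table, splitting into numbered sub-netgroups
    and nesting again until every entry fits in limit bytes."""
    if entry_len(name, members) <= limit:
        table[name] = list(members)
        return
    chunks = [[]]
    for m in members:
        sub = f"{name}_{level}_{len(chunks)}"
        if chunks[-1] and entry_len(sub, chunks[-1] + [m]) > limit:
            chunks.append([])
        chunks[-1].append(m)
    subnames = [f"{name}_{level}_{i}" for i in range(1, len(chunks) + 1)]
    for sub, chunk in zip(subnames, chunks):
        table[sub] = chunk
    pack(name, subnames, table, limit, level + 1)  # the group of groups

def flatten(name, table, seen=None):
    """Resolve nesting to the set of triples an NFS server would trust."""
    seen = set() if seen is None else seen
    out = set()
    for m in table.get(name, []):
        if m.startswith("("):
            out.add(m)
        elif m not in seen:  # guard against cyclic netgroups
            seen.add(m)
            out |= flatten(m, table, seen)
    return out

def check(table, limit=ENTRY_LIMIT):
    """Report oversize entries and triples whose empty host field trusts all."""
    problems = []
    for name, members in table.items():
        if entry_len(name, members) > limit:
            problems.append(f"{name}: entry longer than {limit} bytes")
        for m in members:
            if m.startswith("(") and m[1:].split(",")[0].strip() == "":
                problems.append(f"{name}: {m} has an empty host field")
    return problems
```

Feed `pack()` the host list (constructed or pulled from the hosts map), then print each `table` entry as `name  members` to build the netgroup map; run `check()` on the result before pushing it.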