henk@cs.vu.nl (Henk Smit) (02/16/91)
Can someone tell me how to set up the protections in /etc/exports ?

We don't want to export our NFS filesystems to the outside world, so I am
trying to set up a protection scheme in /etc/exports. We have got over 200
Suns and Xterminals which all mount several filesystems. The Xterminals
access their fonts over NFS. I can't list them all in the /etc/exports file,
so I made a netgroup in our NIS netgroup database:

    our_hosts (,,cs.vu.nl)

In the /etc/exports file I put something like:

    /usr         -access=our_hosts,ro
    /home/staff1 -access=our_hosts

This worked for us under SunOS 4.0.3, although I am not totally sure anymore
that it did work indeed. Unfortunately, recently (after we upgraded to SunOS
4.1.1) we were notified by someone outside our domain that they were able to
mount our filesystems.

I looked in the new manuals and found these lines in netgroup(5):

<.....>
    The domainname field must either be the local domain name or empty
    for the netgroup entry to be used. This field does not limit the
    netgroup or provide security. The domainname field refers to the
    domain in which the triple is valid, not the domain containing the
    trusted host.
<.....>
WARNINGS
    The triple, (,,domain), allows all users and machines trusted
    access, and has the same effect as the triple, (,,). To correctly
    restrict access to a specific set of members, use the hostname and
    username fields of the triple.
<.....>

So this explains why my approach does not work (anymore). I have to make an
entry that lists all hosts in our domain. The problem is that each entry has
a size limit of 1 Kb !!

To overcome this problem, I've made a script that generates entries of the
following form:

    Mhosta    (hosta.cs.vu.nl,-,cs.vu.nl)
    Mhostb    (hostb.cs.vu.nl,-,cs.vu.nl)
    Mhostc    (hostc.cs.vu.nl,-,cs.vu.nl)
    Mncdu1    (ncdu1.cs.vu.nl,-,cs.vu.nl)
    Mncdu2    (ncdu1.cs.vu.nl,-,cs.vu.nl)
    MGhosts   Mhosta Mhostb Mhostc
    MGncdus   Mncdu1 Mncdu2
    our_hosts MGhosts MGncdus

This way I can keep the entries shorter than 1K.
The problem is, this doesn't work !! When I install these netgroup entries,
I can't mount any filesystems anymore.

    "ypmatch hosta netgroup"     gives "(hosta.cs.vu.nl,-,cs.vu.nl)"
    "ypmatch MGhosts netgroup"   gives "Mhosta Mhostb Mhostc"
    "ypmatch our_hosts netgroup" gives "MGhosts MGncdus"

This all looks right to me. Our user netgroups are nested and they work
fine, so I don't think the nesting is the problem. I have also tried entries
like:

    Mhosta (hosta,-,cs.vu.nl)
    Mhosta (hosta.cs.vu.nl,-,-)

My questions are the following:

    How do you set up your /etc/exports, do you type in all the host names ?
    Do you have another (better) scheme in your netgroups ?
    Do you have another mechanism to prevent NFS traffic to the outside world ?
    What have I done wrong ?

If you want to help me, please mail me, I will summarize.

Thanks in advance,
Henk.
--
Henk Smit                       Vrije Universiteit Amsterdam
Internet: henk@cs.vu.nl         Faculteit Informatica    kamer S4.10
Phone: +31 20 548 6218          X.400: C=nl; ADMD=400net; PRMD=surf; O=vu; OU=cs; S=henk;
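Taking the generator script Henk describes as a model, the following is an added example (my own code, not the poster's script and not a Sun tool) of the same idea: it reads a list of hostnames, emits one explicit (host,-,domain) triple per host, splits the triples across numbered sub-groups so that no single netgroup line approaches the 1 Kb entry limit the post mentions, and ends with a top-level entry that nests the sub-groups. A second function checks a finished netgroup file before it is pushed into the NIS map: it rejects lines over 1024 bytes, nested names that are never defined, and triples with an empty hostname such as (,,cs.vu.nl), which the netgroup(5) warning quoted above says trust every host. The group name our_hosts, the domain cs.vu.nl and the hostnames come from the post; the 1000-byte working limit, the GROUP_N sub-group naming and the 1024-byte check are my assumptions.

```sh
#!/bin/sh
# Added example (not the poster's script): build NIS netgroup entries from a
# host list without ever using a (,,domain) wildcard, keeping every line well
# under the 1 Kb limit, and validate the result before installing it.

# gen_netgroup GROUP DOMAIN  < hostlist
# Reads one hostname per line and prints netgroup(5) entries of the form
#   GROUP_0 (hosta.DOMAIN,-,DOMAIN) (hostb.DOMAIN,-,DOMAIN) ...
#   GROUP_1 ...
#   GROUP   GROUP_0 GROUP_1 ...
# The 1000-byte working limit leaves a margin below the 1 Kb entry limit.
gen_netgroup() {
    awk -v group="$1" -v domain="$2" -v limit=1000 '
        # Emit the sub-group collected so far and remember its name for
        # the top-level nested entry.
        function flush() {
            if (line != "") {
                print line
                members = members " " subname
                n++
            }
            line = ""
        }
        BEGIN { n = 0 }
        /^[ \t]*$/ { next }                        # ignore blank lines
        {
            host = $1
            sub(/\..*$/, "", host)                 # drop any domain suffix
            triple = "(" host "." domain ",-," domain ")"
            # Start a new sub-group when this triple (plus its separating
            # space) would push the current line past the limit.
            if (line != "" && length(line) + 1 + length(triple) > limit)
                flush()
            if (line == "") {
                subname = group "_" n
                line = subname " " triple
            } else {
                line = line " " triple
            }
        }
        END {
            flush()
            print group members                    # top-level nested entry
        }
    '
}

# check_netgroup [FILE]
# Exits non-zero if any line exceeds 1024 bytes, if a name used as a nested
# member (anything that is not a "(host,user,domain)" triple) is never
# defined, or if a triple has an empty hostname and so trusts every host.
check_netgroup() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*$/ { next }
        {
            if (length($0) > 1024) {
                printf "line %d: %d bytes, exceeds 1 Kb\n", NR, length($0)
                bad = 1
            }
            defined[$1] = 1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\(,/) {                 # (,user,domain): any host
                    printf "line %d: %s has an empty hostname\n", NR, $i
                    bad = 1
                } else if ($i !~ /^\(/) {
                    refs[$i] = NR                  # nested netgroup name
                }
            }
        }
        END {
            for (g in refs)
                if (!(g in defined)) {
                    printf "line %d: undefined netgroup %s\n", refs[g], g
                    bad = 1
                }
            exit bad
        }
    ' "$@"
}

# Constructed sample run using three hostnames from the post.
entries=$(printf 'hosta\nhostb\nncdu1\n' | gen_netgroup our_hosts cs.vu.nl)
printf '%s\n' "$entries"
printf '%s\n' "$entries" | check_netgroup && echo "netgroup entries OK"
```

Feed the real host list to gen_netgroup, run check_netgroup over the output, and only then rebuild the NIS netgroup map; a failing check is the point at which to stop, since a single (,,domain) triple anywhere in the nesting reopens the export to every host.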