[prev in list] [next in list] [prev in thread] [next in thread]
List: linux-nfsv4
Subject: Kerberos/ACL on NFSv3
From: gopal () nerur ! com (Gopal Santhanam)
Date: 2005-04-26 18:13:28
Message-ID: 200504261513.07125.gopal () nerur ! com
[Download RAW message or body]
Hi Bruce,
Great. That did the trick!
So here's an extra tip for the security minded folks out there. For the
auth_unix part of the export, you can use "all_squash" and that will prevent
read access to any sensitive files. That way someone who has a superuser on
an NFSv3 client cannot just unmount the volume, mount without Kerberos, use
"su - gopal" to assume the identity of gopal, and then read all of gopal's
files.
Cheers,
Gopal
On Tuesday 26 April 2005 13:08, J. Bruce Fields wrote:
> On Tue, Apr 26, 2005 at 12:56:28PM -0700, Gopal Santhanam wrote:
> > I want to have the server export with krb5 only and I want to mount on
> > the client with NFSv3 w/ Kerberos.
> >
> > So I have set everything up so that the server exports the directory as
> > follows:
> >
> > /export/tmp
> > gss/krb(secure,rw,sync,wdelay,hide,no_subtree_check,auth_nlm,root_squash,
> >anonuid=65534,anongid=65534)
> >
> > And then I try the following on the client:
> >
> > mount -t nfs -osec=krb5 server:/export/tmp /mnt
> >
> > I get a permission denied error.
>
> Yeah, I know. And I'll bet the following makes the mount -osec=krb5
> work:
>
> gss/krb(secure,rw,sync,wdelay,hide,no_subtree_check,auth_nlm,root_squash,an
>onuid=65534,anongid=65534) my_ip_address_here(secure,ro,sync,....)
>
> The problem is that even though you've told mount to use sec=krb5, it
> still uses auth_unix for the initial part of the mount.
>
> The sane solution would be to teach mount and mountd to do krb5, but
> unfortunately the established and documented practice in the NFS world
> (see rfc2623) seems to be to continue using auth_unix for the mount and
> then to hack mountd/nfsd so they allow certain operations without krb5.
>
> In any case, nobody's got around to doing either of these things yet,
> which I agree is an annoyance for anyone doing nfsv3/krb5. For now,
> adding an export line for your ip address, as above, will at least
> prevent people from getting write access to the export without krb5
> credentials.
>
> --b.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic