[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-nfsv4
Subject:    Kerberos/ACL on NFSv3
From:       gopal () nerur ! com (Gopal Santhanam)
Date:       2005-04-26 18:13:28
Message-ID: 200504261513.07125.gopal () nerur ! com
[Download RAW message or body]

Hi Bruce,

Great.  That did the trick!

So here's an extra tip for the security minded folks out there.  For the 
auth_unix part of the export, you can use "all_squash" and that will prevent 
read access to any sensitive files.  That way someone who has a superuser on 
an NFSv3 client cannot just unmount the volume, mount without Kerberos, use 
"su - gopal" to assume the identity of gopal, and then read all of gopal's 
files.

Cheers,
Gopal


On Tuesday 26 April 2005 13:08, J. Bruce Fields wrote:
> On Tue, Apr 26, 2005 at 12:56:28PM -0700, Gopal Santhanam wrote:
> > I want to have the server export with krb5 only and I want to mount on
> > the client with NFSv3 w/ Kerberos.
> >
> > So I have set everything up so that the server exports the directory as
> > follows:
> >
> > /export/tmp
> > gss/krb(secure,rw,sync,wdelay,hide,no_subtree_check,auth_nlm,root_squash,
> >anonuid=65534,anongid=65534)
> >
> > And then I try the following on the client:
> >
> > mount -t nfs -osec=krb5 server:/export/tmp /mnt
> >
> > I get a permission denied error.
>
> Yeah, I know.  And I'll bet the following makes the mount -osec=krb5
> work:
>
> gss/krb(secure,rw,sync,wdelay,hide,no_subtree_check,auth_nlm,root_squash,an
>onuid=65534,anongid=65534) my_ip_address_here(secure,ro,sync,....)
>
> The problem is that even though you've told mount to use sec=krb5, it
> still uses auth_unix for the initial part of the mount.
>
> The sane solution would be to teach mount and mountd to do krb5, but
> unfortunately the established and documented practice in the NFS world
> (see rfc2623) seems to be to continue using auth_unix for the mount and
> then to hack mountd/nfsd so they allow certain operations without krb5.
>
> In any case, nobody's got around to doing either of these things yet,
> which I agree is an annoyance for anyone doing nfsv3/krb5.  For now,
> adding an export line for your ip address, as above, will at least
> prevent people from getting write access to the export without krb5
> credentials.
>
> --b.

[prev in list] [next in list] [prev in thread] [next in thread]