We have not seen the need to allow all machines root access to our NFS filers. Though we are not using Solaris 8, we have a good mix of Solaris 2.5.1, 2.6, and 7. We make a copy of our netgroup table and copy it to the filer's /etc directory. The exports file is set up so that those listed in the "systems_l" netgroup have read/write access, and only those listed as root have root access. I truncated my directory listing to show you that I do not have any files/directories wide open (777 permissions). I use Solaris 2.6 in my case and I have not heard of this being a problem for our Solaris 7 users either.
My point is that there should be no reason why you need to give all the systems on your network root permissions on your network filers or open the home directories all the way. We have some users who set the permissions on their home directories to 700 without problems.
Take a look at your configuration. I would suggest adding security with netgroup files or using the anon=0 option. -gdg
[root@cdsd01] rsh edmonton exportfs
/vol/vol0 -access=systems_l,root=cdsd01.mslp.ti.com
[root@cdsd01]
melon10[84]% ls -la
total 961
drwxr-xr-x  26 geen     mspadmin    4096 May 16 08:31 .
dr-xr-xr-x   4 root     root           4 May 17 12:36 ..
-rw-rw-r--   1 geen     mspadmin    2320 May  3 16:00 .artistLog
-rw-r--r--   1 geen     mspadmin    9868 Feb 11 13:22 .cdsplotinit
-rw-rw-r--   1 geen     mspadmin    5734 Jun  5  1999 .cshrc
-rwxrwxr-x   1 geen     mspadmin     606 Jun 12  1995 .cshrc.apollo
-rwxr-xr-x   1 geen     mspadmin    4393 Aug 29  1997 .cshrc_gdg
-rwxr-xr-x   1 geen     mspadmin   10996 May 14  1998 .cshrc_mentor
-rw-rw-r--   1 geen     mspadmin    6296 Oct 27  1999 .cshrc_mgc
-rw-rw-r--   1 geen     mspadmin    4734 May 10 10:46 .cshrc_user
-rw-r--r--   1 geen     mspadmin    2258 May  5  1999 .desksetdefaults
drwxr-xr-x  15 geen     mspadmin    4096 May 16 08:15 .dt
-rwxr-xr-x   1 geen     mspadmin    5420 Nov 19  1998 .dtprofile
drwx------   2 geen     mail        4096 Nov 13  1998 .elm
-rw-r-----   1 geen     mspadmin      74 Apr 25 15:53 .exrc
drwx------   6 geen     mspadmin    4096 Jan  8  1998 .fm
-rw-rw-r--   1 geen     mspadmin      60 Feb 21  1999 .forward
"Thaller Horst (MDCA Villach)" wrote:
The "root"-option is more secure, but this setting has one big drawback: You cannot use netgroup names with the -root option and you can specify only 256 host names!
If you have only a few machines, the -root option is the better choice. In large server farms with more than 256 machines that are running CDE+dtlogin (XDMCP) the -root option will not work.
Horst
-----Original Message-----
From: Bruce Sterling Woodcock [mailto:sirbruce@ix.netcom.com]
Sent: Friday, 19 May 2000 16:00
To: Thaller Horst (MDCA Villach); bhaskar.g@philips.com; toasters@mathworks.com
Subject: Re: Problem in Saving CDE Settings
I think it's a problem with the permissions on your home directory. The dtlogin process (CDE) reads and writes configuration files in the home directory (~/.dtlogin/..). The owner of the process is root --> But root has no permissions on mounted directories! Try to export your home directories with the "anon=0" flag in /etc/exports -or- you should open your home directories for everybody (chmod 777 homedir) :-(( to avoid this problem.
Yikes! Both are very insecure choices for a solution!!!
The correct answer is to simply export the home directories with root access for those machines that are running CDE that they are logging in through.
Bruce
--
---------------------------------------------------------------
G D Geen                 mailto:geen@ti.com
Texas Instruments        Phone : (214)480.7896
System Administrator     FAX   : (214)480.7676
---------------------------------------------------------------
Life is what happens while you're busy making other plans. -J. Lennon
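An added example, not part of any message in this thread: a small audit of export lines in the style of the exportfs output quoted above, flagging the settings the posters argue about. The function names are hypothetical, colon-separated host lists are an assumption about the exports syntax, and the 256-host limit and the netgroup restriction on root= are taken as reported in the thread, not independently verified.

```python
ROOT_HOST_LIMIT = 256  # limit on root= host names, as reported in the thread


def parse_export(line):
    """Split '/path -opt=a:b,opt2=c' into (path, {opt: [values]})."""
    parts = line.split(None, 1)
    path = parts[0]
    optstr = parts[1].strip().lstrip("-") if len(parts) > 1 else ""
    opts = {}
    for item in filter(None, optstr.split(",")):
        key, _, val = item.partition("=")
        # Assumption: multiple hosts in one option are colon-separated.
        opts[key.strip()] = [v for v in val.split(":") if v]
    return path, opts


def audit(line, netgroups=()):
    """Return a list of findings for one export line (empty list = clean)."""
    path, opts = parse_export(line)
    findings = []
    if opts.get("anon") == ["0"]:
        findings.append(f"{path}: anon=0 maps remote root to UID 0 for every client")
    if not any(opts.get(k) for k in ("access", "rw", "ro")):
        findings.append(f"{path}: no host or netgroup list restricts who may mount")
    roots = opts.get("root", [])
    if len(roots) > ROOT_HOST_LIMIT:
        findings.append(f"{path}: root= lists {len(roots)} hosts, over {ROOT_HOST_LIMIT}")
    in_netgroups = [r for r in roots if r in netgroups]
    if in_netgroups:
        findings.append(f"{path}: root= uses netgroup name(s) {in_netgroups}")
    return findings


if __name__ == "__main__":
    known_netgroups = {"systems_l"}
    sample = [
        # First line is the export quoted in the thread; the rest are constructed.
        "/vol/vol0 -access=systems_l,root=cdsd01.mslp.ti.com",
        "/vol/home -anon=0",
        "/vol/vol1 -access=systems_l,root=systems_l",
    ]
    for entry in sample:
        for finding in audit(entry, known_netgroups) or [f"{entry.split()[0]}: ok"]:
            print(finding)
```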