--- Steve Losen scl@sasha.acc.virginia.edu wrote:
To: toasters@mathworks.com Subject: NFS access problem going from 6.4.4 to 7.0.1R1 Date: Sun, 04 Sep 2005 10:02:55 -0400 From: Steve Losen scl@sasha.acc.virginia.edu
We recently replaced our F820c pair running 6.4.4 with a FAS3050c pair running 7.0.1R1.
Formerly we were doing something admittedly questionable to protect unauthorized NFS mounts from networks where we do not have complete physical control. We have a public lab of Unix workstations that NFS mount home directories from our filers. This is insecure because someone can bring in a Unix laptop configured with the same IP address as a workstation and move the network cable from the workstation to the laptop, and thereby get NFS access on the laptop. The laptop owner has root so he can su to any UID that he wants, thereby getting access to any user's files.
Our solution was to write a "netgroup server" that temporarily added a NFS client to a netgroup just long enough for the client to mount and then removed the client from the netgroup. Only root on the NFS client had access to the shared secret that authenticated the client to the netgroup server. While not perfect, this made the laptop attack much more difficult.
This worked fine under 6.4.4. Once the NFS client had its mounts, it did not seem to matter to the filer that the client disappeared from the netgroup. However, this is not the case under 7.0.1R1. We have found that certain NFS operations cause the filer to recheck the netgroup information and when it discovers that the client is no longer in the netgroup, it denies further access.
I realize that we need to be looking at a "real" solution (NFSv4 ? NFS over IPsec ?). But I was wondering if there was something simple that I could do in the meantime, perhaps an obscure NFS option on the filer.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support