setting anon=0 in your exports will set any unknown uid to roots uid, allowing unscrupulus people to create scripts which will execute as root and wreak havoc on your system.
Not a recommended procedure as far as system security is concerned!
Jay Tribick jay.tribick@carrier1.net 07/27/00 08:50am >>>
After on of the NT/Admins went bonkers last night moving a bunch of users to the NetApp (without consulting me first), I have found that appox 10% of the user catalogs is owned by root, with unix-style permissions are drwxrwxrwx, and I am unable to change owner or permissions from either nfs-side or using SecureShare tool on the NT.
The users are unable to write to their nfs-mounted files
At the time of migration, the usermap.cfg did not contain mapping of the Admin account/group to root, and
wafl.nt_admin_priv_map_to_root on wafl.root_only_chown on
Does anyone have a clue to what can remedy this?
Try adding anon=0 onto your options in /etc/exports - that should allow you to change permissions as long as your UID is 0 (AFAIR)
-- Regards,
Jay Tribick Senior Systems Engineer Carrier1 Voice: +44 207 531 3874 Mobile: +44 7801 526 638
setting anon=0 in your exports will set any unknown uid to roots uid, allowing unscrupulus people to create scripts which will execute as root and wreak havoc on your system.
Not a recommended procedure as far as system security is concerned!
As far as I'm aware, all anon=0 does is that it changes the default mapping of root access on NFS clients from uid=-2 to uid=0.
By default root (uid 0) on an NFS client gets mapped to uid -2 (i.e, ``no perms'') for the purposes of access control to files/directories in the export. All other users get mapped as per normal.
If you have an export option of `root=somehost:anotherhost', then root on somehost or anotherhost get mapped to uid 0, and they have full permissions.
Alternatively, if you use `anon=0', then all clients with read/write access to the filer (either explicit rw= entries, or implicit if there's no access= or rw= lines - not recommended) get root access.
This is not a problem with respect to system security if used correctly! For example, given a netgroup called `ro_clients' who you want to share a partition to read-only, and a netgroup called `mgmt_hosts' who you want to export r/w and have root being able to work, you could use something like: /vol/vol0/usrlocal access=ro_clients:mgmt_hosts,rw=mgmt_hosts,anon=0
This obliviates the need to have multiple root= entries in the export, which is good because if you have a lot of hosts you can exceed the length of an export line (probably around 1K or 4K or something like that). That's why you use netgroups, but you can't use netgroups for `root=' lines.
Again, if used correctly `anon=0' is NOT a problem. In fact, I often find it easier to manage than root= entries.
Your approach fails in two respects:
1. The machines with rw access may be multiuser machines with a security model you want to respect. Thus, you can't assume everyone with access to that machine can/should have root rw access. 2. The machines with ro access can still read all files.
Bruce
lukem@netapp.com (Luke Mewburn) writes:
As far as I'm aware, all anon=0 does is that it changes the default mapping of root access on NFS clients from uid=-2 to uid=0.
[That should be uid=65534 rather than uid=-2. Not the same thing these days!]
It may be true that this is the only thing anon= does in NetApp servers, and the na_exportfs man page implies as much, but this isn't the case on all NFS servers, so it's not exactly a good habit to get into.
In recent versions of Solaris, for example, the anon= value may be used for unauthenticated clients (AUTH_NONE, or an unsupported AUTH mode, with sec=none). One would not want to map such requests to root!
Chris Thompson University of Cambridge Computing Service, Email: cet1@ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QG, Phone: +44 1223 334715 United Kingdom.
In recent versions of Solaris, for example, the anon= value may be used
for
unauthenticated clients (AUTH_NONE, or an unsupported AUTH mode, with sec=none). One would not want to map such requests to root!
I believe this is also true for Netapp.
Bruce
-
Bruce Sterling Woodcock -
Chris Thompson -
Luke Mewburn -
Timothy Cook