Ok, so I don't have the docs handy.. but if you have an "-access" options, it just seems kinda intuitive to me that you might actually *USE IT*. But maybe it's just me.
------- Start of forwarded message (RFC 934 encapsulation) ------- From: pashdown@XMISSION.COM (Pete Ashdown) Subject: Network Appliance NFS filer root hole Date: 28 Apr 1999 15:58:45 -0400 Organization: Bugtraq List Message-ID: 199904281658.KAA14944@slack.xmission.com Reply-To: Pete Ashdown pashdown@XMISSION.COM
For Network Appliance NFS filer release: NetApp Release 5.2.1: Thu Dec 31 12:56:45 PST 1998
Following "Example 1" on page 136 of the "System Administrator's Guide" for the Network Appliance results in a gaping hole. In this example, they explain that "the following line exports the root directory of the default filter volume to the administration host with root privileges."
/vol/vol0 -root=adminhost
This is all fine and good, but it also exports to the WORLD with root privileges. You have to specify either "-access", or "-rw", or "-ro" in addition to "-root" for this not to happen. When I mentioned this to my NetApp SE, I was met with quizzical looks, but no code-update or patch. Thusly, I sent it to bugtraq. ------- End -------
Am I missing something here? Granted the /vol/vol0 filesystem would be viewable by everyone, but only root on the adminhost would have root permissions on the filer. Root on all other systems would become "nobody" on the filer, and if there are configurations files that can be modified by non-root users, ........
Personally, I have root/access pairs for the roots of all the volumes on my filers.
Kendall Libby wrote:
Ok, so I don't have the docs handy.. but if you have an "-access" options, it just seems kinda intuitive to me that you might actually *USE IT*. But maybe it's just me.
------- Start of forwarded message (RFC 934 encapsulation) ------- From: pashdown@XMISSION.COM (Pete Ashdown) Subject: Network Appliance NFS filer root hole Date: 28 Apr 1999 15:58:45 -0400 Organization: Bugtraq List Message-ID: 199904281658.KAA14944@slack.xmission.com Reply-To: Pete Ashdown pashdown@XMISSION.COM
For Network Appliance NFS filer release: NetApp Release 5.2.1: Thu Dec 31 12:56:45 PST 1998
Following "Example 1" on page 136 of the "System Administrator's Guide" for the Network Appliance results in a gaping hole. In this example, they explain that "the following line exports the root directory of the default filter volume to the administration host with root privileges."
/vol/vol0 -root=adminhostThis is all fine and good, but it also exports to the WORLD with root privileges. You have to specify either "-access", or "-rw", or "-ro" in addition to "-root" for this not to happen. When I mentioned this to my NetApp SE, I was met with quizzical looks, but no code-update or patch. Thusly, I sent it to bugtraq. ------- End -------
-- Matthew Lee Stier * Fujitsu Network Communications Unix Systems Administrator | Two Blue Hill Plaza Ph: 914-731-2097 Fx: 914-731-2011 | Sixth Floor Matthew.Stier@fnc.fujitsu.com * Pearl River, NY 10965
On Wed, 28 Apr 1999, Kendall Libby wrote:
------- Start of forwarded message (RFC 934 encapsulation) ------- From: pashdown@XMISSION.COM (Pete Ashdown)
/vol/vol0 -root=adminhost
This is all fine and good, but it also exports to the WORLD with root privileges.
Are you sure it exports to all with root priviledges or does it just export to all read/write but as root only to adminhost?
Tom
On Thu, 29 Apr 1999 tkaczma@gryf.net wrote:
On Wed, 28 Apr 1999, Kendall Libby wrote:
------- Start of forwarded message (RFC 934 encapsulation) ------- From: pashdown@XMISSION.COM (Pete Ashdown)
/vol/vol0 -root=adminhost
This is all fine and good, but it also exports to the WORLD with root privileges.
Are you sure it exports to all with root priviledges or does it just export to all read/write but as root only to adminhost?
It doesn't export root privs to all, but just exporting read/write to all machines is scary enough. If I am a malicious user, I can find the mount points easily enough, mount the filesystems, and create user accounts on my machine to match any uid on the filer. After that, who needs root privs except for files owner by uid 0?
--Bryan
On Thu, 29 Apr 1999, Bryan Hess wrote:
It doesn't export root privs to all, but just exporting read/write to all machines is scary enough.
So what's your beef? _You_ told it to export to everyone read/write with one machine having root access permissions. If that wasn't what you wanted then you should have stated so with rw, ro, or access.
Tom
On Fri, 30 Apr 1999 tkaczma@gryf.net wrote:
On Thu, 29 Apr 1999, Bryan Hess wrote:
It doesn't export root privs to all, but just exporting read/write to all machines is scary enough.
So what's your beef? _You_ told it to export to everyone read/write with one machine having root access permissions. If that wasn't what you wanted then you should have stated so with rw, ro, or access.
My sirloin (au jus) is that the admin manual seems to suggest that setting up the exports file in this crazy way is an acceptable configuration. I guess that's more or less where this thread started. No big deal...
On the other hand, I have several little gripes about the NFS implementation these days:
This doesn't work in exports (everthing is read-only): /somevol -ro,access=netgroup1:netgroup2
but this does (anyone mounts read-only except read-write for those listed in the rw list): /somevol -ro,rw=host1:host2:host3
I should either be able to use -rw with netgroups, or I should be able to mix -ro and -access.
Even more odd is that netgroups nested 3 deep or more will trigger a bug making all mounts succeed, regardless of the access list, regardless of what "showmount -e" or "exportfs" reveals. That is, a netgroup pointing to a netgroup, pointing to a negroup, pointing to a host. Have you checked to see if you can mount things you shouldn't be able to recently? It can be surprising. I flattened out a few netgroups recently...
--Bryan
On Fri, 30 Apr 1999, Bryan Hess wrote:
My sirloin (au jus) is that the admin manual seems to suggest that setting up the exports file in this crazy way is an acceptable configuration.
It IS!!! It is also desirable once in a while, for example if you're booting Xterms via NFS, etc.
This doesn't work in exports (everthing is read-only): /somevol -ro,access=netgroup1:netgroup2
It's what's it is supposed to be.
but this does (anyone mounts read-only except read-write for those listed in the rw list): /somevol -ro,rw=host1:host2:host3
I should either be able to use -rw with netgroups, or I should be able to mix -ro and -access.
Doode!!! (anyone that commands respect can't be this clueless), you CAN mix ro and access as you showed earlier.
I WOULD, however, like to see netgroups in ro and rw and do away with access.
Bryan, please get a book on NFS before you dig yourself deeper into the doo. Someone here might be ingenious enough to send your boss e-mail with a job offer knowing that he has you for a sysadmin.
Tom
-
Bryan Hess -
fubar@mathworks.com -
Matthew Stier -
tkaczma@gryf.net