[ale] nfs problems

Ken Nagorski kenn at pcintelligent.com
Sun Jun 10 01:02:18 EDT 2001


Hi there,

	Thank you for your reply. However, the umask is not the
problem. The directory I am having problems with is owned by the same user
that is trying to work from it. Also I am using no_root_squash and
even root has the same problems.

	I know nfs is insecure. I wouldn't use it in a production
system. This is just a home thing behind a firewall, but that doesn't mean
much to someone who really wants in...

Thanks
Ken



On Sat, 9 Jun 2001, Dow Hurst wrote:

> Ken,
> Make sure first that the directory the mount is mounted on is properly
> accessible.  Here is an example of how a problem can occur if the
> default umask for root is 027:
> 
> su
> umask 027
> mkdir /nfs.remotemachine
> mount remotemachine:/exported /nfs.remotemachine
> exit
> 
> Now any common user can't write to the mounted directory since the
> underlying mount point has permissions of 750 instead of 755.  The mount
> command will mask this by displaying the remote directory's permissions:
> 
> su
> ls -l /nfs.remotemachine (while mounted)
> drwxr-xr-x  root.sys /nfs.remotemachine
> umount /nfs.remotemachine
> ls -l /nfs.remotemachine
> drwxr-x---  root.sys /nfs.remotemachine
> 
> See how the masking can work?  The underlying mount point's permissions
> will override the mounted filesystem permissions.  To fix this just
> unmount your NFS filesystems and inspect/correct the mount point
> permissions.  A default umask of 027 is useful at times but can create
> situations like this.  Also, the options in /etc/exports can keep root
> from writing to an NFS mounted file system.
> 
> NFS is so inherently insecure that you should understand the options
> thoroughly before exporting.  UDP is the protocol underlying traditional
> NFS so spoofing UID/GIDs is trivial since no TCP type three-way handshake
> is used.  Set up a VPN first and then run NFS through it.  Linux, I believe,
> has a TCP based version of NFS that is more secure.  Use that if
> possible.  Real World Linux Security discusses this.  Under IRIX, which
> is what we have here, we have to use UDP but run through an SSH/PPP based
> VPN.  Hope this helps,
> Dow
> 
> 
> Ken Nagorski wrote:
> > 
> > Hi there,
> > 
> >         I recently started using nfs to export /home among other
> > things. Here is the deal: I seem to have a hard time with file permissions
> > (maybe); I am not sure that is the answer.
> > 
> >         For instance I get some stuff I downloaded right. I say tar xvfz
> > package.tar.gz and it keeps complaining that it can't create package/<whatever>,
> > no such file or directory. Now when it is all done I see that it did create
> > that package dir but it is empty.
> > 
> >         I am using slackware 7.1 with 2.4.5 kernels for both. Obviously I
> > have nfs compiled in and set up or it wouldn't even mount the drives...
> > 
> >         I am confused. What would cause this? I haven't found anything
> > about it in the HOWTOs, nothing in any error logs I see. I am stumped???
> > 
> > Ken
> > 
> > --
> > IMPORTANT: This email is intended for the use of the individual addressee(s)
> > named above and may contain information that is confidential, privileged
> > or unsuitable for overly sensitive persons with low self-esteem, no sense
> > of humour or irrational religious beliefs. If you are not the intended
> > recipient, any dissemination, distribution or copying of this email is not
> > authorised (either explicitly or implicitly) and constitutes an irritating
> > social faux pas.
> > 
> > Unless the word absquatulation has been used in its correct context somewhere
> > other than in this warning, it does not have any legal or no grammatical use
> > and may be ignored. No animals were harmed in the transmission of this email,
> > although the kelpie next door is living on borrowed time, let me tell you.
> > Those of you with an overwhelming fear of the unknown will be gratified to
> > learn that there is no hidden message revealed by reading this warning
> >  backwards, so just ignore that Alert Notice from Microsoft.
> > 
> > However, by pouring a complete circle of salt around yourself and your
> > computer you can ensure that no harm befalls you and your pets. If you
> > have received this email in error, please add some nutmeg and egg whites,
> > whisk and place in a warm oven for 40 minutes.
> > 
> > --
> > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
> 
> 

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
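The mount-point masking Dow describes above, reproduced as an added example (not code from either poster): it recreates the umask 027 mkdir in a scratch directory, checks the "other" bits the way ls -l shows them, and corrects them. The function names and the scratch path are this example's own; the check is meant for a real mount point only while it is unmounted, since a mounted NFS directory hides the mount point's own mode.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster. Reproduces the
# umask/mount-point problem in a scratch directory (no root, no NFS needed)
# and gives a check to run on a real mount point while it is unmounted.

# Mode mkdir(1) gives a new directory under a given umask: 0777 & ~umask.
# Argument is the umask in octal (e.g. 027); prints the resulting mode in octal.
dir_mode_for_umask() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# Permission bits for "other" users as shown by ls -l, e.g. "r-x" or "---".
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Returns 0 if every local user can read and search the directory (o+rx),
# which is what a mount point needs; returns 1 otherwise.
mountpoint_ok() {
    case "$(other_perms "$1")" in
        r?x) return 0 ;;
        *)   return 1 ;;
    esac
}

# Give "other" read and search without touching owner/group bits; this is the
# "inspect/correct the mount point permissions" step from the thread.
fix_mountpoint() {
    chmod o+rx "$1"
}

demo() {
    scratch=$(mktemp -d)
    mp="$scratch/nfs.remotemachine"
    # Same sequence as the thread: umask 027, then mkdir the mount point.
    ( umask 027; mkdir "$mp" )
    echo "umask 027 gives mode $(dir_mode_for_umask 027); other = $(other_perms "$mp")"
    if ! mountpoint_ok "$mp"; then
        echo "$mp is not usable by ordinary users; correcting"
        fix_mountpoint "$mp"
    fi
    echo "after fix: other = $(other_perms "$mp")"
    rm -rf "$scratch"
}

demo
```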