Hi,

I'm mounting the mount point via an xterm su -'d to root in the user's GUI... I then open a new xterm and cd to the mount point /nfs1 and then cd into the "user" and edit files as I want...

I am editing files as the forged user that is in IPA, with its forged UID.... So on the RHEL NFS server, looking at the mount point /home which is exported as /nfs1 and the user home dir "thing2", I have file2....chmod'd to 0600 even....

=========
[root@vuwuniconfsipa1 thing2]# ls -aln
total 12
drwx------.  2 125800040 125800040 4096 May  9 17:13 .
drwxr-xr-x. 23         0         0 4096 May  9 14:40 ..
-rw-rw-r--.  1 125800040 125800040    0 May  9 14:45 file
-rw-------.  1 125800040 125800040  108 May  9 17:13 file2
-rw-rw-r--.  1 125800040 125800040    0 May  9 15:34 file3
[root@vuwuniconfsipa1 thing2]# ls -al
total 12
drwx------.  2 thing2 thing2 4096 May  9 17:13 .
drwxr-xr-x. 23 root   root   4096 May  9 14:40 ..
-rw-rw-r--.  1 thing2 thing2    0 May  9 14:45 file
-rw-------.  1 thing2 thing2  108 May  9 17:13 file2
-rw-rw-r--.  1 thing2 thing2    0 May  9 15:34 file3
[root@vuwuniconfsipa1 thing2]#
=========

On Ubuntu,

=========
thing2@thing-KVM:~$ cd /nfs1/
thing2@thing-KVM:/nfs1$ ls -l
total 0
thing2@thing-KVM:/nfs1$ cd ..
thing2@thing-KVM:/$ su -
Password:
root@thing-KVM:~# mount -t nfs 130.195.53.203:/home/ /nfs1
root@thing-KVM:~# logout
thing2@thing-KVM:/$ cd /nfs1/
thing2@thing-KVM:/nfs1$ ls -l
total 96
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 buchanj1
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 irwinph
drwxr-xr-x  4 4294967294 4294967294  4096 2012-05-10 09:27 jonesst1
drwx------  2 4294967294 4294967294 16384 2012-02-08 03:10 lost+found
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 nelsonde
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 nfsnobody
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 sabitoan
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 share
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 smithsi
drwx------  8 4294967294 4294967294  4096 2012-02-13 15:18 ssj10
drwx------  8 4294967294 4294967294  4096 2012-02-13 14:46 ssj11
drwx------  7 4294967294 4294967294  4096 2012-02-14 10:12 ssj12
drwx------  2 4294967294 4294967294  4096 2012-02-13 14:23 ssj3
drwx------  8 4294967294 4294967294  4096 2012-02-13 14:27 ssj4
drwx------  8 4294967294 4294967294  4096 2012-02-13 14:39 ssj5
drwx------  8 4294967294 4294967294  4096 2012-02-13 14:46 ssj6
drwx------  8 4294967294 4294967294  4096 2012-02-13 14:46 ssj7
drwx------  8 4294967294 4294967294  4096 2012-02-13 14:46 ssj8
drwx------  2 4294967294 4294967294  4096 2012-05-09 17:13 thing2
drwx------  2 4294967294 4294967294  4096 2012-02-08 21:26 tranwa
drwx------ 23 4294967294 4294967294  4096 2012-02-13 10:10 tthing
thing2@thing-KVM:/nfs1$ cd thign2
-bash: cd: thign2: No such file or directory
thing2@thing-KVM:/nfs1$ cd thing2
thing2@thing-KVM:/nfs1/thing2$ ls -l
total 4
-rw-rw-r-- 1 4294967294 4294967294   0 2012-05-09 14:45 file
-rw------- 1 4294967294 4294967294 108 2012-05-09 17:13 file2
-rw-rw-r-- 1 4294967294 4294967294   0 2012-05-09 15:34 file3
thing2@thing-KVM:/nfs1/thing2$ vi file2
thing2@thing-KVM:/nfs1/thing2$
===========

and I can edit and save the file using vi..... kind of hard to show, but the size changes,

===========
thing2@thing-KVM:/nfs1/thing2$ ls -l
total 4
-rw-rw-r-- 1 4294967294 4294967294   0 2012-05-09 14:45 file
-rw------- 1 4294967294 4294967294 112 2012-05-10 09:54 file2
-rw-rw-r-- 1 4294967294 4294967294   0 2012-05-09 15:34 file3
thing2@thing-KVM:/nfs1/thing2$
==========

[jonesst1@vuwunicorh6ws05 ~]$ df -h
Filesystem                            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroupboot-LogVolroot   4.8G  755M  3.9G  17% /
tmpfs                                1004M  272K 1004M   1% /dev/shm
/dev/sda1                             194M   71M  114M  39% /boot
/dev/mapper/VolGroupboot-LogVolhome    48G  184M   46G   1% /home
/dev/mapper/VolGroupboot-LogVolopt    2.0G   35M  1.9G   2% /opt
/dev/mapper/VolGroupboot-LogVoltmp    4.9G  140M  4.5G   3% /tmp
/dev/mapper/VolGroupboot-LogVolusr    9.7G  2.3G  7.0G  25% /usr
/dev/mapper/VolGroupboot-LogVolvar    3.9G  953M  2.8G  26% /var
/dev/mapper/VolGroupboot-LogVolaudit  3.9G   91M  3.6G   3% /var/log/audit
130.195.53.203:/home/thing2            58G  182M   55G   1% /nfs1/thing2
[jonesst1@vuwunicorh6ws05 ~]$ cd /nfs1/
[jonesst1@vuwunicorh6ws05 nfs1]$ ls -al
total 12
drwxr-xr-x.  3 root   root      0 May  9 16:19 .
dr-xr-xr-x. 36 root   root   4096 May  9 16:17 ..
drwx------.  2 thing2 thing2 4096 May 10 09:54 thing2
[jonesst1@vuwunicorh6ws05 nfs1]$ ls -aln
total 12
drwxr-xr-x.  3         0         0    0 May  9 16:19 .
dr-xr-xr-x. 36         0         0 4096 May  9 16:17 ..
drwx------.  2 125800040 125800040 4096 May 10 09:54 thing2
[jonesst1@vuwunicorh6ws05 nfs1]$ cd thing2
-bash: cd: thing2: Permission denied
[jonesst1@vuwunicorh6ws05 nfs1]$
===========

So an IPA user jonesst1 getting into IPA user thing2 is denied....... so log in as thing2,

===========
[jonesst1@8kxl72s ~]$ ssh vuwunicorh6ws05.ods.vuw.ac.nz -l thing2
thi...@vuwunicorh6ws05.ods.vuw.ac.nz's password:
Last login: Thu May 10 10:05:46 2012 from 130.195.245.249
Kickstarted on 2012-02-08
[thing2@vuwunicorh6ws05 ~]$ cd nfs1
[thing2@vuwunicorh6ws05 nfs1]$ ls -l
total 0
lrwxrwxrwx. 1 thing2 thing2 12 May  9 15:34 thing2 -> /nfs1/thing2
[thing2@vuwunicorh6ws05 nfs1]$ cd thing2
[thing2@vuwunicorh6ws05 thing2]$ ls -aln
total 8
drwx------. 2 125800040 125800040 4096 May 10 09:54 .
drwxr-xr-x. 3         0         0    0 May  9 16:19 ..
-rw-rw-r--. 1 125800040 125800040    0 May  9 14:45 file
-rw-------. 1 125800040 125800040  112 May 10 09:54 file2
-rw-rw-r--. 1 125800040 125800040    0 May  9 15:34 file3
[thing2@vuwunicorh6ws05 thing2]$ tail file2
blah
blah
blah4
blah5
dddddubuntu
ubuntu2
blah5 no2
ubuntu2
chmod is 0600
ubuntu via ssh add
[thing2@vuwunicorh6ws05 thing2]$
===========

so... I'm confused....

===========
[root@vuwuniconfsipa1 thing2]# more /etc/exports
#/home *(rw,sync,all_squash,insecure)
/home *(rw,sec=sys:krb5:krb5i:krb5p)
[root@vuwuniconfsipa1 thing2]#
==========

Should sec=sys be there? No idea what I'm doing wrong....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 10 May 2012 9:38 a.m.
To: Steven Jones
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] insecure IPA'd NFS

Steven Jones wrote:
> I just set up a RHEL6 server as an NFS server and I have 2 x RHEL6 workstation
> clients doing NFS via automount as per section 10.3 admin guide
> 6.3beta....all good until I use a Ubuntu client to 'attack it". I find the
> non-IPA'd Ubuntu client can delete, alter and edit files......kind of
> Oops....I think there is a stage missing in the doc or a bug.......can
> someone have a look at that doc and tell me if a step is missing please?

I think more details are needed on what you set up. How is the Ubuntu client mounting the NFS mount? As what user are you changing files?

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
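The export shown in the thread, `/home *(rw,sec=sys:krb5:krb5i:krb5p)`, lists `sys` among the allowed security flavours. `sec=sys` is AUTH_SYS (AUTH_UNIX): the server accepts whatever numeric UID and GID the client puts in the RPC call, so any host matching the client spec can act as any user, which is the behaviour the Ubuntu session above shows. The script below is an added example for this thread, not FreeIPA or nfs-utils code: it parses `/etc/exports` text and reports exports that accept AUTH_SYS, that are open to every host (`*`), or that carry `no_root_squash` or `insecure`. `SAMPLE_EXPORTS` is constructed; it holds the two lines Steven posted plus an assumed Kerberos-only line for contrast.

```python
"""Audit /etc/exports for settings that let a client choose its own UID/GID.

Added example for the freeipa-users thread above; not part of FreeIPA or
nfs-utils. Sample input is constructed from the exports file in the thread
plus one assumed hardened line.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the two lines posted in the thread plus an assumed
# Kerberos-only export on a private subnet.
SAMPLE_EXPORTS = """\
#/home *(rw,sync,all_squash,insecure)
/home *(rw,sec=sys:krb5:krb5i:krb5p)
/srv/share 10.0.0.0/24(rw,sec=krb5p,root_squash)
"""

# One token of the form  client(opt,opt)  or  client  or  (opt,opt)
_SPEC_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


@dataclass
class Export:
    path: str
    client: str
    options: List[str] = field(default_factory=list)


def parse_exports(text: str) -> List[Export]:
    """Parse exports(5) lines into Export records, one per client spec."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path = parts[0]
        for spec in parts[1:]:
            m = _SPEC_RE.fullmatch(spec)
            # A bare "(options)" token (space before the parenthesis) applies
            # to every host; exportfs treats the missing client as "*".
            client = m.group(1) or "*"
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            exports.append(Export(path, client, opts))
    return exports


def sec_flavors(export: Export) -> List[str]:
    """Security flavours the export accepts; exportfs defaults to sys."""
    for opt in export.options:
        if opt.startswith("sec="):
            return opt[len("sec="):].split(":")
    return ["sys"]


def audit(exports: List[Export]) -> List[Tuple[str, str, str]]:
    """Return (path, client, finding) for each risky setting found."""
    findings = []
    for e in exports:
        if "sys" in sec_flavors(e):
            findings.append((e.path, e.client,
                             "AUTH_SYS accepted: client-supplied UID/GID is trusted as-is"))
        if e.client == "*":
            findings.append((e.path, e.client, "export open to any host"))
        if "no_root_squash" in e.options:
            findings.append((e.path, e.client, "no_root_squash: client root is server root"))
        if "insecure" in e.options:
            findings.append((e.path, e.client,
                             "insecure: requests from unprivileged source ports accepted"))
    return findings


def audit_text(text: str) -> List[Tuple[str, str, str]]:
    return audit(parse_exports(text))


if __name__ == "__main__":
    for path, client, finding in audit_text(SAMPLE_EXPORTS):
        print(f"{path} {client}: {finding}")
```

Run against the sample, only the `/home` export is reported: once for accepting AUTH_SYS and once for being exported to `*`. The commented-out line is ignored, and the assumed `sec=krb5p` export produces nothing. Since `sec=` is a list of flavours the client may pick from, removing `sys` (rather than merely listing it after `krb5`) is what stops a client from negotiating AUTH_SYS; a real audit would read `/etc/exports` (and `/etc/exports.d/`) instead of the constructed string.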