That's quite true and a valid point. However, how do you handle
something like, say, an export that contains home directories? We have
thousands of home directories that we deal with every day. It can't
possibly be expected of us to modify the exports on the filer for every
single new user we add. Not only would that make the exports file
cumbersome and long, it's simply a step backward in supportability.

The example I gave of using client-side options in /etc/fstab to secure
a mount was simply one example. In our environment of course we have
all of our exports set up with the appropriate netgroups and users given
the appropriate permissions. However, this problem extends even to the
point that *this* is a problem. Take this, for example:

    [EMAIL PROTECTED] ~]$ ypcat -k auto.tool | grep site-
    site-lib -intr eng:/vol/vol18/site-config/provision/site-lib
    site-config -intr eng:/vol/vol18/&
    [EMAIL PROTECTED] ~]$ grep vol18 /tool/eng-vol0/etc/exports
    /vol/vol18 -sec=sys,[EMAIL PROTECTED],[EMAIL PROTECTED],anon=4058
    /vol/vol18/site-config/provision/site-lib -sec=sys,[EMAIL PROTECTED],[EMAIL PROTECTED],anon=4058

So we have /tool/site-config exported read-write to the world (@pcd is
all our hosts), but root only has permissions on the @tx_admin_nodes.
There is a subdirectory (site-lib) that we have explicitly exported (and
properly locked down) that is read-write *as root* to the world. The
reasons this directory structure was necessary are beyond the scope
of this e-mail.

So with RHEL3 and RHEL4, this worked great. You could have both
/tool/site-config and /tool/site-lib mounted on a system and the correct
permissions would be set.

But with RHEL5, if you mount /tool/site-lib *first*, then you get root
read/write permissions to /tool/site-config! And vice versa, if you
mount /tool/site-config first, you *lose* root permissions on
/tool/site-lib!

Certainly this can't be seen by the NFS maintainers as "correct"?!
Surely *somebody* sees this and goes "crap! That's not what we intended!"
Or are Ian and I the only ones dismayed by this change?

Paul Krizak 5900 E. Ben White Blvd. MS 625
Advanced Micro Devices Austin, TX 78741
Linux/Unix Systems Engineering Phone: (512) 602-8775
Silicon Design Division Cell: (512) 791-0686

Brian Long wrote:
> On Fri, 2007-05-04 at 16:51 +0800, Ian Kent wrote:
>> <snip> I could see how a sysadmin could set up
>> something like this expecting it to be secure.
>
> A sysadmin should know that client-side security is not full
> security. :) Exports on the NFS server should be written such that
> subdirectories are exported with the proper permissions to the proper
> groups of hosts (or even users with NFSv4). This is one argument CIFS
> had over NFS until NFSv4: user-level authentication.
>
> /Brian/
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
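
A check an administrator could run over a filer exports file to list nested exports whose options differ from their nearest exported parent, which is the kind of pair the message above describes. This is an added example, not code from the thread; the sample lines and netgroup names (@all_hosts, @admin_hosts) are constructed, and the parser assumes the one-line "path -opt,opt=value" layout quoted in the message.

```python
import posixpath

# Constructed sample in the "path -opt,opt=value" layout quoted in the message.
# Paths and netgroup names are placeholders, not values from the thread.
SAMPLE_EXPORTS = """\
# constructed example
/vol/vol1       -sec=sys,rw=@all_hosts,root=@admin_hosts,anon=65534
/vol/vol1/lib   -sec=sys,rw=@all_hosts,root=@all_hosts,anon=65534
/vol/vol1/docs  -sec=sys,rw=@all_hosts,root=@admin_hosts,anon=65534
/vol/vol2       -sec=sys,ro=@all_hosts
"""


def parse_exports(text):
    """Return {export_path: {option: value}} for each non-comment line."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)  # path, then the option string (if any)
        opts = parts[1] if len(parts) > 1 else ""
        options = {}
        for item in opts.strip().lstrip("-").split(","):
            if item:
                key, _, value = item.partition("=")
                options[key] = value
        exports[posixpath.normpath(parts[0])] = options
    return exports


def nested_conflicts(exports):
    """List (parent, child, differing_option_names) for nested exports.

    Each export is compared only with its nearest exported ancestor.
    """
    findings = []
    for child in sorted(exports):
        ancestor = posixpath.dirname(child)
        while ancestor != "/" and ancestor not in exports:
            ancestor = posixpath.dirname(ancestor)
        if ancestor not in exports:
            continue
        a, c = exports[ancestor], exports[child]
        diff = sorted(k for k in a.keys() | c.keys() if a.get(k) != c.get(k))
        if diff:
            findings.append((ancestor, child, diff))
    return findings


if __name__ == "__main__":
    for parent, child, diff in nested_conflicts(parse_exports(SAMPLE_EXPORTS)):
        print(f"{child} differs from {parent} in: {', '.join(diff)}")
```

Each reported pair is a candidate for review on clients that mount both paths, since the options a client ends up with for one path may not match what the exports file says for it.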