[nfs-discuss] What's the difference between 'root=*' and 'anon=0'
Frank Batschulat (Home) wrote:
> On Tue, 09 Dec 2008 21:11:40 +0100, Tom Haynes wrote:
>
>> Kyle McDonald wrote:
>>
>>> Tom Haynes wrote:
>>>> Kyle McDonald wrote:
>>>>> Functionally what's the difference between allowing root nfs access
>>>>> with root=*, and allowing it with anon=0?
>>>>>
>>>>> I have a JumpStart filesystem that was shared through
>>>>> /etc/dfs/dfstab with '-o sec=sys,ro,anon=0'. On this file system
>>>>> there are files that are owned by root and mode 600. During
>>>>> jumpstart these files can be copied fine.
>>>>>
>>>>> When I was converting to use sharemgr, at first I missed the fact
>>>>> that it has an 'anon=0' option, and decided to use 'root=*'
>>>>> instead. For some reason this broke things, those same files
>>>>> couldn't be copied.
>>>>>
>>>>> Switching back to 'anon=0' fixed things again.
>>>>>
>>>>> Why?
>>>>>
>>>>> The only difference I can see is that root= allows a list of hosts,
>>>>> but when used with an * it should work the same as anon=0 right?
>>>>
>>>> You can't use root with a '*'.
>>> Then the sharemgr man page needs updating. :)
>>>
>>> It says that the syntax is root=access_list, where an access_list is
>>> any of: *, hostname, netgroup, domainname.suffix, or network.
>>>
>> Okay, I always go to share and not sharemgr. And I know from my
>> experience with share, that root does not support wildcards...
>>
>> I agree that the sharemgr(1M) man page states that a '*' is allowed for
>> an access_list.
>>
>> I also agree that I think it is not working.
>>
>> I also think the '*' is not working for rw:
>>
>> [root@jhereg ~]> sharemgr create mygroup
>> [root@jhereg ~]> sharemgr add-share -s /tomper mygroup
>> [root@jhereg ~]> sharemgr set -P nfs -S sys -p root=\*,rw=\* mygroup
>> [root@jhereg ~]> share
>> foo@mygroup /tomper sec=sys,root=*,rw=* ""
>>
>> And:
>>
>> [root@pnfs-9-25 ~]> mount jhereg:/tomper /tomper
>> nfs mount: mount: /tomper: Permission denied
>> [root@pnfs-9-25 ~]> mount -o vers=4,sec=sys jhereg:/tomper /tomper
>> nfs mount: mount: /tomper: Permission denied
>>
>> If I make the change:
>>
>> [root@jhereg ~]> sharemgr set -P nfs -S sys -p root=\*,rw mygroup
>> [root@jhereg ~]> share
>> foo@mygroup /tomper sec=sys,root=*,rw ""
>>
>> And:
>>
>> [root@pnfs-9-25 ~]> mount -o vers=4,sec=sys jhereg:/tomper /tomper
>> [root@pnfs-9-25 ~]> cd /tomper
>> [root@pnfs-9-25 /tomper]> touch jilted
>> [root@pnfs-9-25 /tomper]> ls -la
>> total 287055
>> drwxrwxrwx   3 th199096 staff    512 Dec  9 14:06 .
>> drwxr-xr-x  36 root     root      38 Dec  8 14:10 ..
>> -rw-r--r--   1 th199096 staff  83610 Dec  8 14:21
>> -rw-r--r--   1 root     root    6904 Dec  8 14:23 acl.snoop
>> -rw-r--r--   1 root     root    7416 Dec  8 14:20 aclv4.snoop
>> drwxr-xr-x   3 th199096 staff    512 Dec  4 03:10 archives-nightly-osol
>> -rw-r--r--   1 th199096 staff  80146 Dec  8 14:24 av3
>> -rw-r--r--   1 nobody   nobody     0 Dec  2 17:46 eg
>> -rw-r--r--   1 th199096 staff      0 Dec  2 16:21 it
>> -rw-r--r--   1 nobody   nobody     0 Dec  9 14:06 jilted
>>
>> We see that it was created with the wrong uid/gid.
>>
>> I think you should submit a bug.
>>
> I've filed
>
> 6784573 sharemgr and access_list=* do not get along
> http://monaco.sfbay/detail.jsf?cr=6784573
>
> to keep track of this issue.
>

I also mentioned this in the bug I filed yesterday about all the other
sharemgr inconsistencies I found. I don't have a CR# for that one yet
though.

-Kyle

>> IMHO, the share output should have shown something like the second
>> output for the rw=* case.
>>
>> ___
>> nfs-discuss mailing list
>> nfs-discuss at opensolaris.org
[nfs-discuss] What's the difference between 'root=*' and 'anon=0'
On Fri, 12 Dec 2008 15:44:10 +0100, Frank Batschulat (Home) wrote:

> I've filed
>
> 6784573 sharemgr and access_list=* do not get along
> http://monaco.sfbay/detail.jsf?cr=6784573

of course that should have been instead:

http://bugs.opensolaris.org/view_bug.do?bug_id=6784573

once it becomes publicly visible.

---
frankB
[nfs-discuss] What's the difference between 'root=*' and 'anon=0'
On Tue, 09 Dec 2008 21:11:40 +0100, Tom Haynes wrote:

> Kyle McDonald wrote:
>> Tom Haynes wrote:
>>> Kyle McDonald wrote:
>>>> Functionally what's the difference between allowing root nfs access
>>>> with root=*, and allowing it with anon=0?
>>>>
>>>> I have a JumpStart filesystem that was shared through /etc/dfs/dfstab
>>>> with '-o sec=sys,ro,anon=0'. On this file system there are files that
>>>> are owned by root and mode 600. During jumpstart these files can be
>>>> copied fine.
>>>>
>>>> When I was converting to use sharemgr, at first I missed the fact
>>>> that it has an 'anon=0' option, and decided to use 'root=*' instead.
>>>> For some reason this broke things, those same files couldn't be copied.
>>>>
>>>> Switching back to 'anon=0' fixed things again.
>>>>
>>>> Why?
>>>>
>>>> The only difference I can see is that root= allows a list of hosts,
>>>> but when used with an * it should work the same as anon=0 right?
>>>
>>> You can't use root with a '*'.
>> Then the sharemgr man page needs updating. :)
>>
>> It says that the syntax is root=access_list, where an access_list is
>> any of: *, hostname, netgroup, domainname.suffix, or network.
>>
>
> Okay, I always go to share and not sharemgr. And I know from my
> experience with share, that root does not support wildcards...
>
> I agree that the sharemgr(1M) man page states that a '*' is allowed for
> an access_list.
>
> I also agree that I think it is not working.
>
> I also think the '*' is not working for rw:
>
> [root@jhereg ~]> sharemgr create mygroup
> [root@jhereg ~]> sharemgr add-share -s /tomper mygroup
> [root@jhereg ~]> sharemgr set -P nfs -S sys -p root=\*,rw=\* mygroup
> [root@jhereg ~]> share
> foo@mygroup /tomper sec=sys,root=*,rw=* ""
>
> And:
>
> [root@pnfs-9-25 ~]> mount jhereg:/tomper /tomper
> nfs mount: mount: /tomper: Permission denied
> [root@pnfs-9-25 ~]> mount -o vers=4,sec=sys jhereg:/tomper /tomper
> nfs mount: mount: /tomper: Permission denied
>
> If I make the change:
>
> [root@jhereg ~]> sharemgr set -P nfs -S sys -p root=\*,rw mygroup
> [root@jhereg ~]> share
> foo@mygroup /tomper sec=sys,root=*,rw ""
>
> And:
>
> [root@pnfs-9-25 ~]> mount -o vers=4,sec=sys jhereg:/tomper /tomper
> [root@pnfs-9-25 ~]> cd /tomper
> [root@pnfs-9-25 /tomper]> touch jilted
> [root@pnfs-9-25 /tomper]> ls -la
> total 287055
> drwxrwxrwx   3 th199096 staff    512 Dec  9 14:06 .
> drwxr-xr-x  36 root     root      38 Dec  8 14:10 ..
> -rw-r--r--   1 th199096 staff  83610 Dec  8 14:21
> -rw-r--r--   1 root     root    6904 Dec  8 14:23 acl.snoop
> -rw-r--r--   1 root     root    7416 Dec  8 14:20 aclv4.snoop
> drwxr-xr-x   3 th199096 staff    512 Dec  4 03:10 archives-nightly-osol
> -rw-r--r--   1 th199096 staff  80146 Dec  8 14:24 av3
> -rw-r--r--   1 nobody   nobody     0 Dec  2 17:46 eg
> -rw-r--r--   1 th199096 staff      0 Dec  2 16:21 it
> -rw-r--r--   1 nobody   nobody     0 Dec  9 14:06 jilted
>
> We see that it was created with the wrong uid/gid.
>
> I think you should submit a bug.

I've filed

6784573 sharemgr and access_list=* do not get along
http://monaco.sfbay/detail.jsf?cr=6784573

to keep track of this issue.

> IMHO, the share output should have shown something like the second
> output for the rw=* case.

-- 
frankB
It is always possible to agglutinate multiple separate problems into a
single complex interdependent solution. In most cases this is a bad idea.
[nfs-discuss] What's the difference between 'root=*' and 'anon=0'
Tom Haynes wrote:
> Kyle McDonald wrote:
>> Functionally what's the difference between allowing root nfs access
>> with root=*, and allowing it with anon=0?
>>
>> I have a JumpStart filesystem that was shared through /etc/dfs/dfstab
>> with '-o sec=sys,ro,anon=0'. On this file system there are files that
>> are owned by root and mode 600. During jumpstart these files can be
>> copied fine.
>>
>> When I was converting to use sharemgr, at first I missed the fact
>> that it has an 'anon=0' option, and decided to use 'root=*' instead.
>> For some reason this broke things, those same files couldn't be copied.
>>
>> Switching back to 'anon=0' fixed things again.
>>
>> Why?
>>
>> The only difference I can see is that root= allows a list of hosts,
>> but when used with an * it should work the same as anon=0 right?
>>
>
> You can't use root with a '*'.

Then the sharemgr man page needs updating. :)

It says that the syntax is root=access_list, where an access_list is
any of: *, hostname, netgroup, domainname.suffix, or network.

> The real difference is that anon does not have to mean a root mapping
> and what happens if you mix the two.

I knew there were other ways to be anonymous, but in my case it seemed
the two should be equivalent.

> This should give you a start at understanding the interactions.

That's what I thought, but didn't realize that the root=* wasn't allowed.

I've got other complaints about sharemgr though, but I'll save them for
another thread (or maybe a bug report.)

-Kyle
[nfs-discuss] What's the difference between 'root=*' and 'anon=0'
Kyle McDonald wrote:
> Tom Haynes wrote:
>> Kyle McDonald wrote:
>>> Functionally what's the difference between allowing root nfs access
>>> with root=*, and allowing it with anon=0?
>>>
>>> I have a JumpStart filesystem that was shared through
>>> /etc/dfs/dfstab with '-o sec=sys,ro,anon=0'. On this file system
>>> there are files that are owned by root and mode 600. During
>>> jumpstart these files can be copied fine.
>>>
>>> When I was converting to use sharemgr, at first I missed the fact
>>> that it has an 'anon=0' option, and decided to use 'root=*'
>>> instead. For some reason this broke things, those same files
>>> couldn't be copied.
>>>
>>> Switching back to 'anon=0' fixed things again.
>>>
>>> Why?
>>>
>>> The only difference I can see is that root= allows a list of hosts,
>>> but when used with an * it should work the same as anon=0 right?
>>>
>>
>> You can't use root with a '*'.
> Then the sharemgr man page needs updating. :)
>
> It says that the syntax is root=access_list, where an access_list is
> any of: *, hostname, netgroup, domainname.suffix, or network.
>

Okay, I always go to share and not sharemgr. And I know from my
experience with share, that root does not support wildcards...

I agree that the sharemgr(1M) man page states that a '*' is allowed for
an access_list.

I also agree that I think it is not working.

I also think the '*' is not working for rw:

[root@jhereg ~]> sharemgr create mygroup
[root@jhereg ~]> sharemgr add-share -s /tomper mygroup
[root@jhereg ~]> sharemgr set -P nfs -S sys -p root=\*,rw=\* mygroup
[root@jhereg ~]> share
foo@mygroup /tomper sec=sys,root=*,rw=* ""

And:

[root@pnfs-9-25 ~]> mount jhereg:/tomper /tomper
nfs mount: mount: /tomper: Permission denied
[root@pnfs-9-25 ~]> mount -o vers=4,sec=sys jhereg:/tomper /tomper
nfs mount: mount: /tomper: Permission denied

If I make the change:

[root@jhereg ~]> sharemgr set -P nfs -S sys -p root=\*,rw mygroup
[root@jhereg ~]> share
foo@mygroup /tomper sec=sys,root=*,rw ""

And:

[root@pnfs-9-25 ~]> mount -o vers=4,sec=sys jhereg:/tomper /tomper
[root@pnfs-9-25 ~]> cd /tomper
[root@pnfs-9-25 /tomper]> touch jilted
[root@pnfs-9-25 /tomper]> ls -la
total 287055
drwxrwxrwx   3 th199096 staff    512 Dec  9 14:06 .
drwxr-xr-x  36 root     root      38 Dec  8 14:10 ..
-rw-r--r--   1 th199096 staff  83610 Dec  8 14:21
-rw-r--r--   1 root     root    6904 Dec  8 14:23 acl.snoop
-rw-r--r--   1 root     root    7416 Dec  8 14:20 aclv4.snoop
drwxr-xr-x   3 th199096 staff    512 Dec  4 03:10 archives-nightly-osol
-rw-r--r--   1 th199096 staff  80146 Dec  8 14:24 av3
-rw-r--r--   1 nobody   nobody     0 Dec  2 17:46 eg
-rw-r--r--   1 th199096 staff      0 Dec  2 16:21 it
-rw-r--r--   1 nobody   nobody     0 Dec  9 14:06 jilted

We see that it was created with the wrong uid/gid.

I think you should submit a bug.

IMHO, the share output should have shown something like the second
output for the rw=* case.
[nfs-discuss] What's the difference between 'root=*' and 'anon=0'
Functionally what's the difference between allowing root nfs access
with root=*, and allowing it with anon=0?

I have a JumpStart filesystem that was shared through /etc/dfs/dfstab
with '-o sec=sys,ro,anon=0'. On this file system there are files that
are owned by root and mode 600. During jumpstart these files can be
copied fine.

When I was converting to use sharemgr, at first I missed the fact that
it has an 'anon=0' option, and decided to use 'root=*' instead. For
some reason this broke things, those same files couldn't be copied.

Switching back to 'anon=0' fixed things again.

Why?

The only difference I can see is that root= allows a list of hosts, but
when used with an * it should work the same as anon=0 right?

What am I missing?

-Kyle
[nfs-discuss] What's the difference between 'root=*' and 'anon=0'
Kyle McDonald wrote:
> Functionally what's the difference between allowing root nfs access with
> root=*, and allowing it with anon=0?
>
> I have a JumpStart filesystem that was shared through /etc/dfs/dfstab
> with '-o sec=sys,ro,anon=0'. On this file system there are files that
> are owned by root and mode 600. During jumpstart these files can be
> copied fine.
>
> When I was converting to use sharemgr, at first I missed the fact that
> it has an 'anon=0' option, and decided to use 'root=*' instead. For
> some reason this broke things, those same files couldn't be copied.
>
> Switching back to 'anon=0' fixed things again.
>
> Why?
>
> The only difference I can see is that root= allows a list of hosts, but
> when used with an * it should work the same as anon=0 right?
>

You can't use root with a '*'.

The real difference is that anon does not have to mean a root mapping
and what happens if you mix the two.

If you look at the share_nfs(1M) man page, only hosts in the root access
list have root permissions. If a host is not in that list (which is
empty by default), then root access from that host is mapped to the
anonymous user ID. So, a dirty way to give all hosts root access is to
say anon=0.

But the anonymous id is also used when the security flavor is none. Say
there is a share:

/tomper sec=krb5,rw,sec=none,rw,anon=55

This states that if your security flavor is krb5, then you have your
uid. If your flavor is anything else, then you get mapped to uid 55. So
if you come in with AUTH_SYS, you and everyone else will have that UID.
And then file permissions apply to whether you have access or not.

If you only have:

/tomper sec=krb5,rw,anon=55

Then it means that the only security flavor allowed in is krb5 and if
you are root, your uid will be 55.

Some more:

/tomper sec=krb5:krb5i:krb5p,rw,root=@10.0.0.0/8,anon=55

States that all kerberized access is allowed, hosts from the 10.0.0.0/8
subnet have root access, and hosts from outside that subnet have their
root access mapped to uid 55.

This should give you a start at understanding the interactions.

> What am I missing?
>
> -Kyle
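Tom's explanation above, as an added illustrative model (not code from this thread or from Solaris): a small Python sketch of how a share_nfs option string decides which uid a request is served under, covering the root= access list, the anon= fallback for unlisted root, and sec=none. It assumes the Solaris default anon uid 60001 (nobody), that options before any sec= belong to sys, and it does not reproduce the sharemgr '*' bug the thread reports.

```python
from ipaddress import ip_address, ip_network

NOBODY = 60001  # assumed Solaris default anon uid ("nobody"); None below means refused

def parse_share_opts(opts: str) -> dict:
    """Turn 'sec=krb5,rw,sec=none,rw,anon=55' into {'anon': n, 'flavors': {flavor: root list}}."""
    share = {"anon": NOBODY, "flavors": {}}
    current = ["sys"]                   # options before any sec= belong to plain sys
    for opt in filter(None, opts.split(",")):
        key, _, val = opt.partition("=")
        if key == "sec":                # sec=a:b:c starts a section for those flavors
            current = val.split(":")
            for f in current:
                share["flavors"].setdefault(f, [])
        elif key == "anon":             # anon= is one value for the whole share
            share["anon"] = int(val)
        elif key == "root":             # root= is an access list for the current flavors
            for f in current:
                share["flavors"].setdefault(f, []).extend(val.split(":"))
        # ro, rw and the other options do not affect uid mapping and are ignored
    if not share["flavors"]:
        share["flavors"]["sys"] = []    # no sec= at all means the default sec=sys
    return share

def in_access_list(host: str, entries: list) -> bool:
    """'*' matches every host, '@net/prefix' matches by address, else exact hostname."""
    for e in entries:
        if e == "*":
            return True
        if e.startswith("@"):
            try:
                if ip_address(host) in ip_network(e[1:], strict=False):
                    return True
            except ValueError:          # host given by name, not by address
                pass
        elif e == host:
            return True
    return False

def effective_uid(share: dict, flavor: str, host: str, uid: int):
    """Uid the server acts under for one request; None means the request is refused."""
    if flavor not in share["flavors"]:
        # a flavor the share does not list is served as none if sec=none is shared
        return share["anon"] if "none" in share["flavors"] else None
    if flavor == "none":
        return share["anon"]            # null authentication carries no identity
    if uid == 0 and not in_access_list(host, share["flavors"][flavor]):
        return share["anon"]            # root from a host outside root= maps to anon
    return uid
```

Running the thread's three shares through effective_uid shows why anon=0 gives every host root while an empty root= list sends root to nobody, and why an AUTH_SYS client lands on uid 55 only when sec=none is also shared.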
