Yes, I was also concerned about security. These nfs directories might only be *used* in those two scenarios, but their existence also affects stateless and stateful nodes. An attacker can simply mount those two directories to any machine on campus, install xCAT, and then manipulate the images to her heart's content, such as inject bitcoin miners. She can then also run genimage/packimage and make the images available to PXE boot.
It might help to change the shares from rw to ro, but that might break statelite nodes?

_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859

REMEMBER! No one from IT at USD will ever ask to confirm or supply your password. These messages are an attempt to steal your username and password. Please do not reply to, click the links within, or open the attachments of these messages. Delete them!

On Thu, Nov 29, 2018 at 1:38 AM Song BJ Yang <yang...@cn.ibm.com> wrote:

> The 2 shared nfs entries will be added on xCAT installation or upgrading, or by `xcatconfig -i/-f`.
>
> These 2 nfs shared directories are only used in 2 scenarios:
> 1) NFS based statelite
> 2) hierarchy cluster when site.sharedtftp and site.sharedinstall
> Any missing scenario?
>
> We got some complaints on this being a security issue. We are considering not exporting these 2 directories by default, and providing some command or step to export them only when needed in any of the scenarios above. Any comment or suggestion?
>
> thanks
>
> ------------------------------------------------------------------------------
> YANG Song (杨嵩)
> IBM China System Technology Laboratory
> Tel: 86-10-82452903
> Email: yang...@cn.ibm.com
> Address: Building 28, ZhongGuanCun Software Park,
> No.8, Dong Bei Wang West Road, Haidian District Beijing 100193, PRC
> (Building 28, Zhongguancun Software Park, No. 8 Dongbeiwang West Road, Haidian District, Beijing; postal code: 100193)
>
> ----- Original message -----
> From: Kevin Keane <kke...@sandiego.edu>
> To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
> Cc:
> Subject: Re: [xcat-user] [External] How to restrict xCAT's NFS shares?
> Date: Thu, Nov 29, 2018 7:17 AM
>
> Yes, you appear to be correct. I just, for testing, uninstalled all of xCAT. Then I manually removed the entries, and re-installed the xCAT RPMs. Lo and behold - it did in fact re-create the entries (but did not remove them when uninstalling xCAT).
>
> Thanks for the help!
>
> _______________________________________________________________________
> Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
> Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859
>
> On Wed, Nov 28, 2018 at 2:51 PM Christian Caruthers <ccaruth...@lenovo.com> wrote:
>
> I believe that is created when xCAT is installed. Not sure which RPM does it, though. Possibly the main xCAT or xCAT-server package. I don't see the file in any of the packages, so I'm guessing it's created by a script.
>
> Regards,
> Christian Caruthers
> Lenovo Professional Services
> Mobile: 757-289-9872
>
> From: Kevin Keane <kke...@sandiego.edu>
> Sent: Wednesday, November 28, 2018 17:26
> To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
> Subject: Re: [xcat-user] [External] How to restrict xCAT's NFS shares?
>
> My question is actually, how does the /etc/exports get generated, and how do I get xCAT to generate the exports file without the world-writable permissions?
>
> Thanks,
> _______________________________________________________________________
> Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
> Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859
>
> On Wed, Nov 28, 2018 at 1:50 PM Christian Caruthers <ccaruth...@lenovo.com> wrote:
>
> So long as the shares are available to your provisioning network, it should not break anything.
>
> Regards,
> Christian Caruthers
> Lenovo Professional Services
> Mobile: 757-289-9872
>
> From: Kevin Keane <kke...@sandiego.edu>
> Sent: Wednesday, November 28, 2018 16:37
> To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
> Subject: [External] [xcat-user] How to restrict xCAT's NFS shares?
>
> I noticed that xCAT shares /tftpboot and /install as world-writable. Is there a way to restrict these NFS shares to only the networks within the cluster, without making them globally available?
>
> Specifically, xCAT creates this /etc/exports file:
>
> /tftpboot *(rw,no_root_squash,sync,no_subtree_check)
> /install *(rw,no_root_squash,sync,no_subtree_check)
>
> I would like it to instead create this:
>
> /tftpboot 192.168.10.0/24(rw,no_root_squash,sync,no_subtree_check)
> /tftpboot 192.168.11.0/24(rw,no_root_squash,sync,no_subtree_check)
> /install 192.168.10.0/24(rw,no_root_squash,sync,no_subtree_check)
> /install 192.168.11.0/24(rw,no_root_squash,sync,no_subtree_check)
>
> (where 192.168.10.0 and 192.168.11.0 are two networks defined in the network table)
>
> Is that doable?
>
> Thanks!
> _______________________________________________________________________
> Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
> Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859
_______________________________________________ xCAT-user mailing list xCAT-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/xcat-user
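The exports rewrite Kevin asks for above, as an added example that is not part of the thread and not xCAT's own code: a POSIX shell script that turns the two wildcard lines xCAT writes into one entry per cluster network (options unchanged), and an audit helper that flags any export a host anywhere can mount read-write with no_root_squash, which is exactly the condition that lets an arbitrary campus machine write into the boot images as root. The sample exports file and the network list are constructed inline so the script runs offline; the remark that a real cluster would take the list from the xCAT networks table (for instance via `lsdef -t network`) is an assumption about deployment, not something the script does. The helpers assume one client spec per exports line, which is how the file in the thread is written.

```shell
#!/bin/sh
# Added example, not code from xCAT or from anyone in the thread.
#   restrict_exports  rewrites a wildcard ("*" or "*.domain") client into one
#                     entry per cluster network, keeping the options unchanged
#   audit_exports     prints every export that any host can mount rw with
#                     root squashing disabled
# Both read /etc/exports-style lines on stdin and write to stdout.
# Assumption: one client spec per line, as in the file xCAT generates.

# Constructed sample: the two lines the thread says xCAT writes.
XCAT_EXPORTS='/tftpboot *(rw,no_root_squash,sync,no_subtree_check)
/install *(rw,no_root_squash,sync,no_subtree_check)'

# Constructed list of cluster networks in CIDR form. In a real cluster these
# would be taken from the xCAT networks table (assumption: lsdef -t network);
# they are hard-coded here so the script runs offline.
CLUSTER_NETS='192.168.10.0/24
192.168.11.0/24'

restrict_exports() {
    while read -r path client_opts; do
        # skip blank lines and comments
        case "$path" in ''|\#*) continue ;; esac
        client=${client_opts%%\(*}       # text before the first "("
        opts=${client_opts#"$client"}    # "(rw,...)" including the parentheses
        case "$client" in
            \*|\*.*)
                # wildcard host: emit one line per cluster network instead
                printf '%s\n' "$CLUSTER_NETS" | while read -r net; do
                    if [ -n "$net" ]; then
                        printf '%s %s%s\n' "$path" "$net" "$opts"
                    fi
                done
                ;;
            *)
                # already restricted to a host or network: pass through
                printf '%s %s\n' "$path" "$client_opts"
                ;;
        esac
    done
}

audit_exports() {
    while read -r path client_opts; do
        case "$path" in ''|\#*) continue ;; esac
        client=${client_opts%%\(*}
        opts=${client_opts#*\(}
        opts=${opts%\)}
        # only wildcard clients matter here; anything else is already scoped
        case "$client" in \*|\*.*) ;; *) continue ;; esac
        # NFS exports read-only unless rw is explicit, so require both flags
        case ",$opts," in *,rw,*) ;; *) continue ;; esac
        case ",$opts," in *,no_root_squash,*) ;; *) continue ;; esac
        printf 'world-writable as root: %s %s\n' "$path" "$client_opts"
    done
}

# Stand-alone run: print the rewritten file, then audit the original and the
# rewritten version (the second audit prints nothing).
printf '%s\n' "$XCAT_EXPORTS" | restrict_exports
printf '%s\n' "$XCAT_EXPORTS" | audit_exports
printf '%s\n' "$XCAT_EXPORTS" | restrict_exports | audit_exports
```

To apply this on a management node you would write the output of `restrict_exports` over the two xCAT lines in /etc/exports and run `exportfs -ra` to reload; a mount attempt from a host outside the listed networks is then refused by the server. Because xCAT re-creates the wildcard lines on install, upgrade and `xcatconfig`, running `audit_exports < /etc/exports` after each of those events is the practical check; if the project stops exporting the directories by default, as Song proposes, the audit simply finds nothing. Note that the script leaves `rw` alone on purpose: Kevin's own caveat that `ro` may break NFS-based statelite is a separate decision.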