--------------------------------------------------
Yuan Bai (白媛)
CSTL HPC System Management Development
Tel:86-10-82451401
E-mail: by...@cn.ibm.com
Address: IBM ZGC Campus. Ring Building 28,
ZhongGuanCun Software Park,No.8 Dong Bei Wang West Road, Haidian District,
Beijing P.R.China 100193
IBM Ring Building
Building 28, ZhongGuanCun Software Park, No.8 Dong Bei Wang West Road, Haidian District, Beijing
Postal code: 100193
----- Original message -----
From: Kevin Keane <kke...@sandiego.edu>
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Cc:
Subject: Re: [xcat-user] [External] How to restrict xCAT's NFS shares?
Date: Fri, Nov 30, 2018 1:58 AM
Yes, I was also concerned about security. These nfs directories might only be *used* in those two scenarios, but their existence also affects stateless and stateful nodes. An attacker can simply mount those two directories to any machine on campus, install xCAT, and then manipulate the images to her heart's content, such as inject bitcoin miners. She can then also run genimage/packimage and make the images available to PXE boot.

It might help to change the shares from rw to ro, but that might break statelite nodes?
_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859
REMEMBER! No one from IT at USD will ever ask to confirm or supply your password.
These messages are an attempt to steal your username and password. Please do not reply to, click the links within, or open the attachments of these messages. Delete them!
On Thu, Nov 29, 2018 at 1:38 AM Song BJ Yang <yang...@cn.ibm.com> wrote:
the 2 shared nfs entries will be added on xCAT installation or upgrading or `xcatconfig -i/-f`
these 2 nfs shared directories are only used in 2 scenarios:
1) NFS based statelite
2) hierarchy cluster when site.sharedtftp and site.sharedinstall
any missing scenario?
We got some complaints on this being a security issue; we are considering not exporting these 2 directories by default and providing some command or step to export them only when needed in any of the scenarios above. Any comment or suggestion?
thanks
------------------------------------------------------------------------------
YANG Song (杨嵩)
IBM China System Technology Laboratory
Tel: 86-10-82452903
Email: yang...@cn.ibm.com
Address: Building 28, ZhongGuanCun Software Park,
No.8, Dong Bei Wang West Road, Haidian District Beijing 100193, PRC
Building 28, ZhongGuanCun Software Park, No.8 Dong Bei Wang West Road, Haidian District, Beijing
Postal code: 100193
----- Original message -----
From: Kevin Keane <kke...@sandiego.edu>
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Cc:
Subject: Re: [xcat-user] [External] How to restrict xCAT's NFS shares?
Date: Thu, Nov 29, 2018 7:17 AM
Yes, you appear to be correct. I just, for testing, uninstalled all of xCAT. Then I manually removed the entries, and re-installed the xCAT RPMs. Lo and behold - it did in fact re-create the entries (but did not remove them when uninstalling xCAT).

Thanks for the help!
_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859
On Wed, Nov 28, 2018 at 2:51 PM Christian Caruthers <ccaruth...@lenovo.com> wrote:
I believe that is created when xCAT is installed. Not sure which RPM does it, though. Possibly the main xCAT or xCAT-server package. I don't see the file in any of the packages, so I'm guessing it's created by a script.
Regards,
Christian Caruthers
Lenovo Professional Services
Mobile: 757-289-9872
From: Kevin Keane <kke...@sandiego.edu>
Sent: Wednesday, November 28, 2018 17:26
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: Re: [xcat-user] [External] How to restrict xCAT's NFS shares?
My question is actually, how does the /etc/exports get generated, and how do I get xCAT to generate the exports file without the world-writable permissions?
Thanks,
_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859
On Wed, Nov 28, 2018 at 1:50 PM Christian Caruthers <ccaruth...@lenovo.com> wrote:
So long as the shares are available to your provisioning network, it should not break anything.
Regards,
Christian Caruthers
Lenovo Professional Services
Mobile: 757-289-9872
From: Kevin Keane <kke...@sandiego.edu>
Sent: Wednesday, November 28, 2018 16:37
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: [External] [xcat-user] How to restrict xCAT's NFS shares?
I noticed that xCAT shares /tftpboot and /install as world-writeable. Is there a way to restrict these NFS shares to only the networks within the cluster, without making them globally available?
Specifically, xCAT creates this /etc/exports file:
/tftpboot *(rw,no_root_squash,sync,no_subtree_check)
/install *(rw,no_root_squash,sync,no_subtree_check)
I would like it to instead create this:
/tftpboot 192.168.10.0/24(rw,no_root_squash,sync,no_subtree_check)
/tftpboot 192.168.11.0/24(rw,no_root_squash,sync,no_subtree_check)
/install 192.168.10.0/24(rw,no_root_squash,sync,no_subtree_check)
/install 192.168.11.0/24(rw,no_root_squash,sync,no_subtree_check)
(where 192.168.10.0 and 192.168.11.0 are two networks defined in the network table)
Is that doable?
Thanks!
_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859
_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
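The question at the bottom of this thread (restrict /tftpboot and /install to the cluster networks instead of `*`) and the later point that xCAT rewrites these entries on install, upgrade and `xcatconfig -i/-f` suggest a check that an operator can re-run after each of those events. The script below is an added example for this thread, not xCAT code and not anything the posters wrote: it parses an exports(5) file, reports every share that any host may mount read-write, and emits a copy in which each `*` client is replaced by one entry per allowed network, exactly the shape Kevin asked for. The sample exports text and the two networks are constructed to match the thread; in a real cluster the networks would come from the xCAT network table the question mentions. It also handles the stray-space case (`/dir host (rw)`), which the NFS server reads as a second, world-readable-writable export.

```python
"""Audit an NFS exports(5) file and tighten world-exported shares.

Added example for this thread (not xCAT code): report every share exported
read-write to all hosts ('*') and emit a copy restricted to given networks.
"""
import ipaddress
import re
from typing import List, Tuple

Client = Tuple[str, List[str]]      # (client spec, option list)
Export = Tuple[str, List[Client]]   # (path, clients)

# Constructed sample: the exports file the thread describes, plus one
# already-restricted share so the rewrite can be seen leaving it alone.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/tftpboot *(rw,no_root_squash,sync,no_subtree_check)
/install *(rw,no_root_squash,sync,no_subtree_check)
/home 10.0.0.0/8(ro,sync)
"""

# Constructed: the two provisioning networks named in the question.  In a
# real cluster these would be taken from the xCAT network table.
CLUSTER_NETWORKS = ["192.168.10.0/24", "192.168.11.0/24"]

# One client spec: optional client (host, wildcard, IP, CIDR or @netgroup)
# followed by an optional parenthesised option list.  Quoted paths that
# contain spaces are not handled here.
_SPEC_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


def parse_exports(text: str) -> List[Export]:
    """Parse exports(5) lines into (path, [(client, [options]), ...]).

    A bare "(opts)" token with no client, e.g. the classic typo
    "/dir host (rw)", is recorded with client "*" because that is how
    the NFS server interprets it: the options apply to every host.
    """
    exports: List[Export] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *specs = line.split()
        clients: List[Client] = []
        for spec in specs:
            m = _SPEC_RE.fullmatch(spec)
            if m is None:
                raise ValueError(f"cannot parse client spec {spec!r} for {path}")
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((client, opts))
        exports.append((path, clients))
    return exports


def is_world(client: str) -> bool:
    """True for the spec that matches every host."""
    return client == "*"


def audit(exports: List[Export]) -> List[str]:
    """Return one finding per share that every host may mount read-write."""
    findings = []
    for path, clients in exports:
        for client, opts in clients:
            if is_world(client) and "rw" in opts:
                note = f"{path}: read-write for every host ('*')"
                if "no_root_squash" in opts:
                    note += "; no_root_squash means remote root is root here"
                findings.append(note)
    return findings


def restrict(exports: List[Export], networks: List[str]) -> str:
    """Rewrite world ('*') client specs as one entry per allowed network.

    Option lists are copied unchanged, so rw stays rw; only the set of
    clients that may mount the share is narrowed.
    """
    nets = [str(ipaddress.ip_network(n)) for n in networks]  # validates CIDRs
    out = []
    for path, clients in exports:
        for client, opts in clients:
            optstr = f"({','.join(opts)})" if opts else ""
            targets = nets if is_world(client) else [client]
            for target in targets:
                out.append(f"{path} {target}{optstr}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_exports(SAMPLE_EXPORTS)
    for finding in audit(parsed):
        print("FINDING:", finding)
    print("--- restricted exports ---")
    print(restrict(parsed, CLUSTER_NETWORKS), end="")
```

The rewrite deliberately leaves the option list alone, so it does not decide the rw-versus-ro question raised above for statelite nodes; it only narrows who may mount the share. Because xCAT regenerates the entries, running `audit()` against the live /etc/exports after an install, upgrade or `xcatconfig` run is the part worth automating, with `restrict()` applied and `exportfs -ra` issued by the operator once the output has been reviewed.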