Re: NFS server OpenBSD 3.5

From: DoN. Nichols (dnichols_at_d-and-d.com)
Date: 06/24/05

    Date: 24 Jun 2005 14:53:15 -0400

    In article <1119620142.267488.240410@g14g2000cwa.googlegroups.com>,
    dfj <dj@swicked.net> wrote:
    >Hi,
    >I've installed OpenBSD (3.5-GENERIC) on a machine, and I want to use it
    >as an NFS server, so I created a directory called /exports that I would
    >like to use as the NFS "share". /exports is a mount point for wd0d which
    >is about 30Gb and is mounted at boot time. My NFS clients are running
    >Slackware 10.1 and have the appropriate entries in their /etc/fstab to
    >mount from the OpenBSD server. Each client can mount the share with no
    >problems, but even though the output of `mount` on the slack machines
    >shows that the NFS is mounted rw, I am not able to create files or
    >directories, nor am I able to edit files. It's as if the NFS is
    >actually mounted ro.

            Are you trying to access them as root on the mounting systems?
    Note that NFS treats root as special, giving only read access unless
    more is explicitly stated in the export lines. (This is based on
    experience both with old SunOS 4.1.x (BSD based) and with Sun's Solaris
    (SysV based).)

    > my /etc/exports file on the OpenBSD box is only
    >this line:
    >
    > /exports -alldirs -network 192.168.0.0 -mask 255.255.255.0

            Here is a line from an old SunOS 4.1.4 system, with the system
    names changed:

    /usr/IMAGES -access=all_nfs_unix:pcs,root=system1:system2:system3:system4:...

            Here -- "all_nfs_unix" and "pcs" are defined in /etc/netgroups.
    I see that OpenBSD does have the concept. See:

     ======================================================================
    netgroup (5) - defines network groups
    netgroup_mkdb (8) - generate the netgroup databases
     ======================================================================

            Anyway -- note that there is a "root=<list-of-system-names>"
    entry needed for root to be able to have r/w access to the file systems.
    Normal users can access it without that, but the requirement for an
    explicit "root=" allows the default to be that someone who is root on
    one of the client systems can't create SUID files on the server.

            Note that the OpenBSD man page for exports shows a somewhat
    different approach:

     ======================================================================
         -maproot=user The credential of the specified user is used for remote
         access by root. The credential includes all the groups to which the user
         is a member on the local machine (see id(1)). The user may be specified
         by name or number.

         -maproot=user:group1:group2:... The colon separated list is used to
         specify the precise credential to be used for remote access by root. The
         elements of the list may be either names or numbers. Note that user:
         should be used to distinguish a credential containing no groups from a
         complete credential for that user.

         The option -r is a synonym for -maproot in an effort to be backward
         compatible with older export file formats.

         In the absence of -maproot and -mapall options, remote accesses by root
         will result in using a credential of -2:-2. All other users will be
         mapped to their remote credential. If a -maproot option is given, remote
         access by root will be mapped to that credential instead of -2:-2. If a
         -mapall option is given, all users (including root) will be mapped to
         that credential in place of their own.
     ======================================================================

    >I have even tried adding `-rw` to the /etc/exports even though the
    >exports man page states that read-write is the default. I think I
    >should add `-mapall=<someuser>` but I'm not exactly sure if this is my
    >solution. The permissions on the /exports directory on the OBSD box are
    >0755 root/wheel, so my thinking is to create a group called something
    >like nfs, add my normal user account on the OpenBSD box to that group,
    >and add the entry `-mapall=<useraccount>` to the /etc/exports file.

            This will eliminate private ownership of files on the NFS
    partitions (probably not a good idea if you plan to NFS serve home
    directories).

            And it looks as though it will not map root ownership to root
    (unless perhaps the maproot will do the job), so nobody could access the
    files.

            I would suggest that you change the ownership of that partition
    to something like a username "exports" or "nfs" (making sure that the
    account is created with blocked logins). Possibly owner "nfs" and group
    "nfs" -- or whatever name you want. Then you could maproot to nfs:nfs
    to allow root to do most things needed to that filesystem -- *if* you
    want to allow that.

            I would suggest that you mount that filesystem on the server as
    "nosuid" just as protection against someone using it as an attack
    vector. (And set up your netgroups to limit which systems can mount the
    filesystem -- unless it is on a truly secure internal net with no
    routing to the outside world -- and even then, an explicit list of who
    is allowed to mount will be a better way to do this.)

    >could someone please advise if this is an ideal method for setting up
    >an NFS server. Thanks in advance.

            Note that I have not used an OpenBSD system as a server. A
    friend who does use one has encountered bandwidth problems when serving
    to certain systems, which appears to be sensitive to the MTU value for
    the ethernet cards in question. I'm not sure whether it has been fixed
    in the latest OpenBSD systems, but it was certainly a problem in older
    versions.

            Good Luck,
                    DoN.

    -- 
     Email:   <dnichols@d-and-d.com>   | Voice (all times): (703) 938-4564
    	(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
               --- Black Holes are where God is dividing by zero ---
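The exports(5) rules quoted in the reply above (remote root defaults to credential -2:-2 unless -maproot or -mapall is given; -r is a synonym for -maproot; -network/-mask or a host or netgroup list limits who may mount) can be checked mechanically. The following is an added example, not code from the thread or from OpenBSD: it parses one /etc/exports line, reports the effective root credential and mount scope, and flags the settings the reply warns about. The warning texts and the "default" mask label are this example's own choices.

```python
"""Added example, not code from the thread: interpret the root-mapping and
host-restriction rules of OpenBSD exports(5) lines as quoted in the post.
Without -maproot/-mapall remote root becomes -2:-2; -maproot (synonym -r)
replaces that credential; -mapall replaces every user's credential."""
import shlex


def parse_exports_line(line):
    """Summarise one exports(5) line: paths, who may mount, how root is mapped."""
    tokens = shlex.split(line.split("#", 1)[0])  # strip trailing comment
    paths, hosts, opts = [], [], {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            paths.append(tok)                    # exported directory
        elif tok.startswith("-"):
            name, _, value = tok[1:].partition("=")
            if name in ("network", "mask") and not value:
                i += 1                           # "-network 192.168.0.0" form
                value = tokens[i]
            if name == "r":                      # backward-compatible synonym
                name = "maproot"
            opts[name] = value
        else:
            hosts.append(tok)                    # host name or netgroup
        i += 1

    if "mapall" in opts:                         # everyone, root included
        root_cred, all_mapped = opts["mapall"], True
    else:                                        # man page default: -2:-2
        root_cred, all_mapped = opts.get("maproot", "-2:-2"), False

    if "network" in opts:
        scope = opts["network"] + "/" + opts.get("mask", "default")
    elif hosts:
        scope = ",".join(hosts)
    else:
        scope = "any host"

    warnings = []
    if root_cred == "-2:-2":
        warnings.append("client root mapped to -2:-2: no write to root-owned 0755 dirs")
    if all_mapped:
        warnings.append("-mapall collapses all files to one owner")
    if scope == "any host":
        warnings.append("no -network/-mask, host or netgroup: any host may mount")
    return {"paths": paths, "scope": scope, "root_cred": root_cred,
            "all_mapped": all_mapped, "readonly": "ro" in opts, "warnings": warnings}
```

Run against the poster's line, the result shows root_cred "-2:-2" with the first warning, which is the behaviour described in the question; the suggested `-maproot=nfs:nfs` variant clears it while keeping per-user ownership.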