Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!usc!ucsd!ucsdhub!hp-sdd!hplabs!hpfcso!hpfcmgw!hpfcse!hpuflfa!ronw
From: ronw@hpuflfa.HP.COM (Ron Williams)
Newsgroups: comp.sys.hp
Subject: Re: HP-UX: unacceptable [Was: root-over-nfs under HP-UX 6.5]
Message-ID: <140010@hpuflfa.HP.COM>
Date: 1 Dec 89 19:54:10 GMT
References: <7234@cs.utexas.edu>
Organization: Hewlett-Packard, SSR-Ft. Lauderdale
Lines: 107

> First scenario. When the HP filesystems are mounted
> on the Sequents, root on the sequent has the ability to modify anything
> on the NFS mounted filesystem. Root-over-nfs is disabled on the HPs
> (uid -2).
>
> Boyd Merworth
> The University of Texas at Austin
> Department of Computer Sciences, TAY 2.124, Austin, Texas 78712
> merworth@cs.utexas.edu {harvard,gatech,uunet}!cs.utexas.edu!merworth

Below find some INFO to address the UID=-2 for root on HP-UX and a way to
change it!!!  Please note there are no warranties or guarantees about how
long this procedure will continue to work, i.e. HP-UX rev ????

Ron Williams                       HP Ft. Lauderdale
ronw@hpfcse                        TEL: T-938-2278
{hpfcse}!hpuflfa!ronw              FAX: T-938-2293
COMSYS: 3179                       AREA CODE: 305
HPDESK: Ron Williams / HP3179/08

______________________________________________________________________________

LAN BACKUP HINT: NFS Remote Root Access
---------------------------------------

NFS is used by many customers to back up a filesystem over a LAN to another
HP9000 system's tape drive.  For these backups to be successful, it is
usually necessary for a modification to be made to the NFS file server's
kernel.  This modification circumvents the NFS security feature of allowing
"super-user" privileges to the local filesystem(s) to ONLY the local root
account.

A standard kernel on a file server will map all remote root accesses over an
NFS mount (i.e. an NFS client's root session accessing one of the NFS
server's filesystems) from the user-id 0 (super-user) to the user-id (UID)
of -2 (nobody).

A remote client's NFS backup program, executed as root, will not be able to
read all the files on the server, due to the UID being mapped to -2 (nobody).
In fact, no account on the remote client is likely to have the permissions
to read every file on the server's filesystem (especially the "/"
filesystem).  To allow a remote client to read all the files on a server and
back them up, the mapping of UID 0 to UID -2 must be "turned off" on the NFS
file server.

CAVEAT: An NFS file server running a modified kernel allowing remote root
access is a possible security risk.  PCs on the network running PC-NFS use
UID 0 (since there is no accounting concept on PCs), and if mapping to UID
-2 (nobody) is disabled, then PCs can effectively access the NFS file
server's filesystems as super-user.

NOTE: The only kernels that need to be modified are the NFS file servers,
since they are the nodes that control the mapping of UID 0 over NFS mounts.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

DISABLING THE MAPPING TO NOBODY (UID -2)

The following, executed on an NFS file server, will disable the mapping of
UID 0 to UID -2.  This will allow NFS backups from a client to read the
server's filesystems.

    [ must be logged on as root ]

  * # adb -w /hp-ux
    executable file = /hp-ux
    ready
  * nobody?D
    _nobody:        -2
  * nobody?W0
    _nobody:        -2      =       0
  * reboot the server

NOTE: lines preceded by an asterisk (*) are lines typed in by the user.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

RE-ENABLING MAPPING TO NOBODY (UID -2)

The following, executed on an NFS file server, will enable the mapping of
UID 0 to UID -2.  This will NOT allow NFS backups from a client to read the
server's filesystems.

    [ must be logged on as root ]

  * # adb -w /hp-ux
    executable file = /hp-ux
    ready
  * nobody?D
    _nobody:        0
  * nobody?W-2
    _nobody:        0xFFFFFFFE      =       0xFFFFFFFE
  * reboot the server

NOTE: lines preceded by an asterisk (*) are lines typed in by the user.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Backing up disks over the LAN, whether using NFS or other methods, is not
currently supported by HP.  However, there are many customers that are
successful at doing this operation.  The functionality of the kernel
modification mentioned in this article is supported by HP.
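Whether a server still maps remote root to nobody is something worth verifying from a client, both after the kernel change above and as a routine audit of every NFS server (the CAVEAT about PC-NFS clients applies to any server whose mapping has been turned off). The following POSIX sh helper is an added example, not part of the original post or of HP-UX: run as root on an NFS client against a mounted export, it creates a probe file and reports whether the owner UID recorded by the server matches the caller's UID. The mount path, the probe file name and the reliance on `ls -ln` and `awk` are assumptions of the example.

```shell
#!/bin/sh
# Added audit helper (not from the original post). From an NFS client, check
# whether the server still maps the caller's UID to "nobody" on a mounted
# directory. Run it as root against an NFS mount to verify that root
# squashing (UID 0 -> -2/nobody on the HP-UX server in the post) is in
# effect; run as a non-root user it simply reports whether that UID is
# preserved by the server.
#
# Usage: check_uid_mapping /mnt/server-export   (path is an assumption)
# Prints "mapped <owner-uid>" if a file created there gets a different owner
# UID than the caller, "unmapped <owner-uid>" if the caller's UID is kept.
# Exit status: 0 mapped, 1 unmapped, 2 could not create a probe file.

check_uid_mapping() {
    cum_dir=$1
    cum_me=$(id -u)
    cum_probe="$cum_dir/.uidprobe.$$"
    # A server that maps root to nobody may also refuse the write; report
    # that as "could not probe" rather than as a verdict.
    if ! : > "$cum_probe" 2>/dev/null; then
        echo "error: cannot create probe file in $cum_dir" >&2
        return 2
    fi
    # ls -ln prints the numeric owner UID in the third field (POSIX).
    cum_owner=$(ls -ln "$cum_probe" | awk '{print $3}')
    rm -f "$cum_probe"
    if [ "$cum_owner" = "$cum_me" ]; then
        echo "unmapped $cum_owner"
        return 1
    fi
    echo "mapped $cum_owner"
    return 0
}

# When run as a script with arguments, audit each directory given.
if [ "$#" -gt 0 ]; then
    for cum_d in "$@"; do
        printf '%s: ' "$cum_d"
        check_uid_mapping "$cum_d" || true
    done
fi
```

On a server with the standard kernel, a root-owned probe from a client should come back as "mapped" with the nobody UID as owner (shown as -2 or its unsigned equivalent on systems of that era, 65534 on most modern ones); "unmapped 0" from a client means remote root is being honoured and the server should be treated as the security risk the CAVEAT describes. Against a local directory the result is always "unmapped", which is also what makes it a convenient sanity check before pointing it at a mount.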