Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!uunet!bischeops!nick
From: nick@bischeops.UUCP (Nick Bender)
Newsgroups: comp.sys.hp
Subject: Re: root over NFS (again)
Summary: the real solution
Message-ID: <395@bischeops.UUCP>
Date: 11 Apr 90 19:44:42 GMT
References: <3008@umbc3.UMBC.EDU> <5178@helios.ee.lbl.gov>
Lines: 65

In article , ps@tut.fi (Pertti Suomela) writes:
> In article <5178@helios.ee.lbl.gov> milburn@me10.lbl.gov (John Milburn) writes:
> > In article <3008@umbc3.UMBC.EDU> greg@umbc3.umbc.edu (Greg Sylvain,Lib 007,3929,4376834) writes:
> > >
> > > Does anyone out there have a patch for nfs that allows root to "be"
> > >root over an nfs mount.
> > [ kernel patch rm'ed ]
>
> > The problem is that now root on any machine can access all the files on the
> > machine that uses this kernel. Of course this b*ggers up security no end.
>
> Meaning that each and every PC (with NFS) in the net has root access to
> your file system. Not a nice idea to me.

Yeah, yeah. Bla bla bla. The real solution is in the latest rev of NFS
(available on your nearest Sun, NeXT, or other up-to-date platform).
To quote "man 5 exports":

     An entry for a directory consists of a line of the following form:

          directory    -option[,option ]...

     directory is the pathname of a directory (or file).

     option is one of

     ...

          anon=uid  If a request comes from an unknown user, use uid
                    as the effective user ID. Note: root users (uid 0)
                    are always considered unknown by the NFS server,
                    unless they are included in the root option below.
                    The default value for this option is -2. Setting
                    anon to -1 disables anonymous access. Note: by
                    default secure NFS will accept insecure requests
                    as anonymous, and those wishing for extra security
                    can disable this feature by setting anon to -1.

          root=hostnames[:hostname]...
                    Give root access only to the root users from a
                    specified hostname. The default is for no hosts
                    to be granted root access.

     ...

     EXAMPLE
          /usr        -access=clients              # export to my clients
          /usr/local                               # export to the world
          /usr2       -access=hermes:zip:tutorial  # export to only these machines
          /usr/sun    -root=hermes:zip             # give root access only to these
          /usr/new    -anon=0                      # give all machines root access

     ...

     Sun Release 4.0        Last change: 22 March 1989        2
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^

Looks like this stuff has been around for awhile...

So how bout it HP? New nfs anytime soon? HPUX 9.0?

Nick Bender
nick%bischeops@uunet.uu.net
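
Added example (not part of the post above and not code from the SunOS man page): a small Python model of the anon= and root= rules quoted from exports(5), showing which uid a root request from a given host ends up with and which entries trust remote root. The function names are hypothetical, host and netgroup names are compared as plain strings, and SAMPLE is the EXAMPLE section quoted in the post.

```python
DEFAULT_ANON = -2  # default anon uid stated in the quoted man page

# The EXAMPLE entries quoted in the post.
SAMPLE = """\
/usr        -access=clients              # export to my clients
/usr/local                               # export to the world
/usr2       -access=hermes:zip:tutorial# export to only these machines
/usr/sun    -root=hermes:zip             # give root access only to these
/usr/new    -anon=0                      # give all machines root access
"""

def parse_entry(line):
    """Parse 'directory -option[,option]... # comment' into (directory, opts)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split(None, 1)
    opts = {}
    if len(fields) == 2:
        for opt in fields[1].lstrip("-").split(","):
            key, _, value = opt.strip().partition("=")
            opts[key] = value
    return fields[0], opts

def root_uid_for(opts, host):
    """uid the server applies to a uid-0 request from host; None means refused."""
    trusted = [h for h in opts.get("root", "").split(":") if h]
    if host in trusted:
        return 0                      # root= keeps uid 0 for listed hosts only
    anon = int(opts.get("anon", DEFAULT_ANON))
    return None if anon == -1 else anon   # anon=-1 disables anonymous access

def audit(exports_text):
    """List (directory, reason) for entries where a remote root keeps uid 0."""
    findings = []
    for raw in exports_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        directory, opts = entry
        if int(opts.get("anon", DEFAULT_ANON)) == 0:
            findings.append((directory, "anon=0: every client's root keeps uid 0"))
        elif opts.get("root"):
            findings.append((directory, "root trusted from " + opts["root"]))
    return findings

if __name__ == "__main__":
    for directory, reason in audit(SAMPLE):
        print(directory, "->", reason)
```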