Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!apple!agate!shelby!unix!hplabs!hpcc05!hpwrce!frank
From: frank@hpwrce.HP.COM (Frank Stutzman)
Newsgroups: comp.sys.hp
Subject: Re: HP9000s425t How can I modify NFS kernel
Message-ID: <7870025@hpwrce.HP.COM>
Date: 5 Dec 90 19:53:25 GMT
References: <1990Dec4.185735.9667@polyof.poly.edu>
Organization: Ye Olde Salt Mines
Lines: 110

>65534, not as root.  Friend of mine told me that this is
>a feature of NFS, unix kernel will set client's root (ID=0)
>ID to (ID=-2).  Is there a way to modify HP unix kernel?
>So, root on client can create and modify directory as root.

Your friend is correct.  This behavior is a feature of NFS.  Below I have
included a cookbook method on how to change this root mapping to accomplish
what you want.  I just hope you understand the ramifications of what you are
doing.  You are opening up security perhaps to a dangerous level (you will
have to look at your particular environment to define exactly what
"dangerous" means).  You are probably aware that you are opening up your
system to allow changes to be made on your system by other root users, but
are you aware that you will also be allowing users of PCs running PC-NFS to
do the same thing?

Ok, enough of the big-boy warnings...

NFS is used by many customers to back up a filesystem over a LAN to another
HP9000 system's tape drive.  For these backups to be successful, it is
usually necessary for a modification to be made to the NFS file server's
kernel.  This modification circumvents the NFS security feature of allowing
"super-user" privileges to the local filesystem(s) to ONLY the local root
account.  A standard kernel on a file server will map all remote root
accesses over an NFS mount (i.e. an NFS client's root session accessing one
of the NFS server's filesystems) from the user-id 0 (super-user) to the
user-id (UID) of -2 (nobody).  (-2 is the value that shows up as 65534 when
the UID is printed as an unsigned 16-bit number, and as 0xFFFFFFFE when it
is printed as an unsigned 32-bit word; it is the same owner in all three
forms.)
A remote client's NFS backup program, executed as root, will not be able to
read all the files on the server, due to the UID being mapped to -2 (nobody).
In fact, no account on the remote client is likely to have the permissions
to read every file on the server's filesystem (especially the "/"
filesystem).  To allow a remote client to read all the files on a server and
back them up, the mapping of UID 0 to UID -2 must be "turned off" on the NFS
file server.

CAVEAT:  An NFS file server running a modified kernel allowing remote root
access is a possible security risk.  The server never verifies the UID a
client sends; it only maps it.  PCs on the network running PC-NFS use UID 0
(since there is no accounting concept on PCs), and if mapping to UID -2
(nobody) is disabled, then PCs can effectively access the NFS file server's
filesystems as super-user.

NOTE:  The only kernels that need to be modified are the NFS file servers,
since they are the nodes that control the mapping of UID 0 over NFS mounts.

NOTE:  "adb -w /hp-ux" patches the kernel file on disk, not the kernel that
is currently running, so the change takes effect only after the reboot.
Keep a copy of the unmodified /hp-ux before patching, and after the reboot
run adb on /hp-ux without -w and repeat the "nobody?D" command to confirm
which value the server booted with.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

DISABLING THE MAPPING TO NOBODY (UID -2)

The following, executed on an NFS file server, will disable the mapping of
UID 0 to UID -2.  This will allow NFS backups from a client to read the
server's filesystems.

[ must be logged on as root ]

    # adb -w /hp-ux                        *
    executable file = /hp-ux
    ready
    nobody?D                               *
    _nobody:        -2
    nobody?W0                              *
    _nobody:        -2      =       0
                                           *
    reboot the server

NOTE:  Lines marked with an asterisk (*) are lines typed in by the user.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

RE-ENABLING MAPPING TO NOBODY (UID -2)

The following, executed on an NFS file server, will enable the mapping of
UID 0 to UID -2.  This will NOT allow NFS backups from a client to read the
server's filesystems.

[ must be logged on as root ]

    # adb -w /hp-ux                        *
    executable file = /hp-ux
    ready
    nobody?D                               *
    _nobody:        0
    nobody?W-2                             *
    _nobody:        0xFFFFFFFE      =       0xFFFFFFFE
                                           *
    reboot the server

NOTE:  Lines marked with an asterisk (*) are lines typed in by the user.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Backing up disks over the LAN using NFS is not currently supported by HP,
though there are many customers who do this operation successfully.  The
functionality of the kernel modification mentioned in this article is
supported by HP.

|=============================================================================|
|Frank Stutzman                          | "What is wanted is not the will    |
|Hewlett-Packard Western Response Center | to believe, but the will to        |
|Mtn. View, Ca                           | find out, which is the exact       |
|frank@hpwrc.hp.com                      | opposite." -Bertrand Russell       |
|=============================================================================|
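The following is an added example, not code from this post or from HP-UX. It is a small Python model of the server-side mapping the cookbook describes: a kernel knob `nobody` that is -2 by default and 0 once patched with adb, an AUTH_UNIX-style credential that the client simply asserts, and the ordinary owner/group/other mode-bit check applied after the mapping. The files, the credentials, the PC-NFS client and the `NfsServer`, `Cred`, `Inode`, `unreadable` and `as_unsigned` names are all constructed for the example; the model maps only the uid, since that is all the post describes. It shows what a root-run backup from a client skips on a stock server, what changes once the mapping is off, why a PC-NFS client then gets the same access, and why the original poster saw 65534 where adb prints 0xFFFFFFFE.

```python
from dataclasses import dataclass

ROOT_UID = 0
NOBODY_DEFAULT = -2      # kernel default for the `nobody` variable (constructed model)


@dataclass(frozen=True)
class Cred:
    """uid/gid as carried in an AUTH_UNIX credential: asserted by the client
    and never verified by the server, which is why the mapping matters."""
    uid: int
    gid: int


@dataclass(frozen=True)
class Inode:
    """Constructed server-side file: owner uid, group gid, permission bits."""
    owner: int
    group: int
    mode: int


class NfsServer:
    """Server-side view of one request.  `nobody` stands in for the kernel
    variable the post patches: -2 squashes remote root, 0 leaves it alone."""

    def __init__(self, nobody: int = NOBODY_DEFAULT):
        self.nobody = nobody

    def map_cred(self, cred: Cred) -> Cred:
        # Only uid 0 is touched; every other uid passes through unchanged.
        # With nobody == 0 the mapping is 0 -> 0, i.e. effectively disabled.
        # The gid is passed through because the post says nothing about it.
        if cred.uid == ROOT_UID:
            return Cred(self.nobody, cred.gid)
        return cred

    def access(self, cred: Cred, inode: Inode, op: str) -> bool:
        """Classic discretionary check after mapping; op is "r" or "w".
        A uid that is still 0 after mapping bypasses the mode bits."""
        c = self.map_cred(cred)
        if c.uid == ROOT_UID:
            return True
        if c.uid == inode.owner:
            shift = 6
        elif c.gid == inode.group:
            shift = 3
        else:
            shift = 0
        bit = 4 if op == "r" else 2
        return bool((inode.mode >> shift) & bit)


def unreadable(server: NfsServer, cred: Cred, tree: dict) -> list:
    """Paths a backup running under `cred` cannot read on `server`: the files
    a client-side dump would fail on or silently skip."""
    return sorted(p for p, ino in tree.items() if not server.access(cred, ino, "r"))


def as_unsigned(value: int, bits: int) -> int:
    """How a negative uid such as -2 looks when printed as an unsigned
    number of `bits` width (16-bit uid field vs 32-bit kernel word)."""
    return value & ((1 << bits) - 1)


# Constructed sample of the server's filesystem, not real HP-UX contents.
SAMPLE_TREE = {
    "/etc/passwd":           Inode(owner=0,   group=3,  mode=0o644),
    "/etc/private-keys":     Inode(owner=0,   group=3,  mode=0o600),
    "/users/alice/.profile": Inode(owner=201, group=20, mode=0o644),
    "/users/alice/mail":     Inode(owner=201, group=20, mode=0o600),
}

CLIENT_ROOT = Cred(0, 0)       # root on an HP-UX NFS client running the backup
PC_NFS_CLIENT = Cred(0, 0)     # a PC-NFS client: no accounts, so it sends uid 0
ALICE = Cred(201, 20)          # an ordinary user, never mapped either way

if __name__ == "__main__":
    stock = NfsServer()                 # nobody = -2, as shipped
    patched = NfsServer(nobody=0)       # after "nobody?W0" and a reboot

    print("stock   : root backup cannot read", unreadable(stock, CLIENT_ROOT, SAMPLE_TREE))
    print("patched : root backup cannot read", unreadable(patched, CLIENT_ROOT, SAMPLE_TREE))
    print("patched : PC-NFS client may write /etc/passwd:",
          patched.access(PC_NFS_CLIENT, SAMPLE_TREE["/etc/passwd"], "w"))
    print("-2 as 16-bit uid:", as_unsigned(-2, 16),
          " as 32-bit word:", hex(as_unsigned(-2, 32)))
```

The point the model makes concrete: disabling the mapping does not grant anything to the backup client in particular, it grants root to every credential on the wire that carries uid 0, and the server has no way to tell the backup host's root from a PC that sends uid 0 because it has no notion of accounts at all.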