Path: utzoo!utgpu!watserv1!watmath!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!mips!spool.mu.edu!uunet!mcsun!ukc!strath-cs!baird!jim
From: jim@cs.strath.ac.uk (Jim Reid)
Newsgroups: comp.protocols.nfs
Subject: Re: exporting a hierarchy with root access on HP-UX ??
Message-ID:
Date: 23 May 91 10:34:23 GMT
References: <15098@ccncsu.ColoState.EDU>
Sender: jim@cs.strath.ac.uk
Organization: Computer Science Dept., Strathclyde Univ., Glasgow, Scotland.
Lines: 32
In-reply-to: dzubera@mozart.cs.colostate.edu's message of 22 May 91 19:33:35 GMT

In article <15098@ccncsu.ColoState.EDU> dzubera@mozart.cs.colostate.edu (Zube) writes:

> In order to facilitate moving many many file systems, we would like
> for root to have write access to any (nfs) mounted partitions. The
> process for achieving this is easy under Sun-OS, but it is not even
> mentioned in the HP manuals.
>
> We have tried using the same procedure as in Sun-Os (why? the HP-UX
> manuals mention that their version was written by sun), which
> entailed adding an option to /etc/exports such as -root=user, but it
> didn't work. We also tried adding the machines to the hosts.equiv
> file, but again, no luck.

RTFM! HP-UX (like almost everyone else) has an old version of the Sun
NFS code. This old version does not support the ability to permit root
NFS access on a per-filesystem, per-client basis as in recent versions
of SunOS. The limited capabilities of HP-UX's NFS are well documented
with man pages and the System Administrator's manual.

An old NFS server can be set up to allow everyone to make NFS requests
as root, by changing the value of the kernel variable nobody (usually
set to -2) to 0. Incoming root NFS requests get mapped to the UID
given by nobody before the kernel services the request. Since this is
a glaring security hole, such a change should not be done lightly and
should only remain for as short a time as absolutely necessary.

Copying filesystems around using NFS is a mistake. It is better to use
tar or cpio or dump and restore to do this. That way, you also have a
physical backup of the filesystem that is being moved.

		Jim
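
The root-to-nobody mapping described in the reply above can be audited from the server side. The following is an added example, not part of the original post: it models how a root request is serviced and flags exports that let it through as UID 0. It assumes the SunOS 4.x exports(5) line format (`directory -option,option`, with `root=` and `anon=` options); the function names and the sample file are hypothetical and constructed for illustration.

```python
# Added example: audit a SunOS-4.x-style /etc/exports for root grants.
# Line format and the anon= option are assumed from SunOS exports(5).
NOBODY_DEFAULT = -2  # usual value of the kernel variable `nobody`

def parse_options(field):
    """'-root=a:b,ro' -> {'root': ['a', 'b'], 'ro': []}"""
    opts = {}
    for item in field.lstrip("-").split(","):
        if item:
            name, _, value = item.partition("=")
            opts[name] = value.split(":") if value else []
    return opts

def root_maps_to(opts, client, nobody=NOBODY_DEFAULT):
    """UID under which a root NFS request from `client` is serviced."""
    if client in opts.get("root", []):
        return 0                      # per-client root grant (newer SunOS)
    if opts.get("anon"):
        return int(opts["anon"][0])   # per-export override of `nobody`
    return nobody                     # old servers: only this global applies

def audit_exports(text, nobody=NOBODY_DEFAULT):
    """Return (path, finding) pairs for exports that service root as UID 0."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        path = fields[0]
        opts = parse_options(fields[1]) if len(fields) > 1 else {}
        if opts.get("root"):
            findings.append((path, "root access for: " + ", ".join(opts["root"])))
        # client=None stands for a host that is in no root= list
        if root_maps_to(opts, None, nobody) == 0:
            findings.append((path, "root from ANY client is serviced as UID 0"))
    return findings

# Constructed sample exports file (not from the original post).
SAMPLE = """\
/usr/local  -ro
/home       -access=ws1:ws2,root=ws1
/scratch    -anon=0
"""

if __name__ == "__main__":
    for nobody in (NOBODY_DEFAULT, 0):
        print("kernel nobody =", nobody)
        for path, finding in audit_exports(SAMPLE, nobody):
            print("  %-12s %s" % (path, finding))
```

With `nobody` left at -2, only the explicit grants are reported; with `nobody` set to 0, every export is reported, which is the server-wide exposure the reply warns about.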