Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!ucbvax!hplabs!hp-ses!hpcuhb!hpindda!human
From: human@hpindda.HP.COM (Aaron Schuman)
Newsgroups: comp.sys.hp
Subject: Re: Re^2: Root permission on NFS
Message-ID: <4310100@hpindda.HP.COM>
Date: 20 Feb 90 19:18:04 GMT
References: <377@node17.mecazh.UUCP>
Organization: 1+408-447-3158
Lines: 42

Paul Breslaw> Now I don't want to know which cluster server exports
Paul Breslaw> which file systems in order to perform some administrative
Paul Breslaw> task. I simply want to do it from whichever machine I
Paul Breslaw> happen to be logged in on (as root).

Paul Breslaw> We do not have "any root user on any client", our diskless
Paul Breslaw> users are not super users. So what should I do?

The mapping of root to nobody is, of course, intended to prevent
the wild propagation of root privilege across an NFS network.

You seem very confident about the control of root privilege on
your diskless clients. That's very good. Every system owner
should be in exactly the same position. Ordinary users do not
need root privilege to run their applications.

But what about other systems that may connect to your server?
NFS isn't used exclusively among systems in the same cluster.
Can systems from outside your cluster mount your server's file
systems? Have you read your /etc/exports file lately? Are there
any entries in /etc/exports with only one argument? Remember
that a line in /etc/exports that names a file system but doesn't
list hosts or netgroups to which that file system can be exported,
is offering that file system for export to every computer in the
world. How's your /usr/adm/inetd.sec file set up? Do you have
controls on what addresses the inet daemon will allow to access
the mountd service?

If you are certain that you know everybody who knows the root
password on your cluster (and everybody who knows other ways of
becoming root), and if you are certain that your file systems
can't be exported outside of machines to which root is controlled,
then the NFS mapping of root to nobody is redundant.

What should you do? As an HP employee, I advise you to indulge
in redundant protection, even if it costs you some functionality.
As just some guy on the net, I can say that if I were in your
position, I would remove the mapping of root to nobody.

Ultimately, it's your responsibility. If some dishonest former
employee or teenaged hacker were to break into your system and
inflict damage, could you say that you had done your best?
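
The /etc/exports check the post asks about, as an added example that is not part of the original post: a shell function that lists every entry naming a file system with no hosts or netgroups after it. It assumes the plain "pathname [host-or-netgroup ...]" layout the post describes, with "#" comments and trailing-backslash continuation lines; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an exports file for entries with only one argument,
# i.e. a file system offered to every host because no host list follows it.
# Assumed layout: "pathname [host-or-netgroup ...]", "#" starts a comment,
# a trailing backslash continues the entry on the next line.

# Constructed sample input (not taken from any real system).
sample_exports() {
    cat <<'EOF'
# constructed sample, not from the original post
/usr/local   nodeA nodeB
/home
/projects    engineering   # a netgroup
/scratch \
    nodeC
/tmp         # nothing but a comment after the path
EOF
}

# find_world_exports [FILE]   (reads stdin when FILE is omitted)
# Prints "LINE PATHNAME" for each entry that has no host list.
# Returns 1 if any such entry exists, 0 if none, 2 if FILE is unreadable.
find_world_exports() {
    if [ $# -gt 0 ] && [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 2
    fi
    awk '
    {
        if (start == 0) start = NR            # first line of this entry
        sub(/#.*/, "")                        # drop comments
        if (sub(/\\[ \t]*$/, " ")) {          # continuation: keep collecting
            buf = buf $0
            next
        }
        $0 = buf $0                           # re-split the joined entry
        if (NF == 1) { print start, $1; found = 1 }
        buf = ""; start = 0
    }
    END {
        if (buf != "") {                      # file ended on a continuation
            $0 = buf
            if (NF == 1) { print start, $1; found = 1 }
        }
        exit (found ? 1 : 0)
    }' "$@"
}

# Demo on the constructed sample; call find_world_exports /etc/exports to audit a real file.
sample_exports | find_world_exports || echo "entries listed above have no host list" >&2
```

Option fields (for example a leading "-" argument on systems whose exports syntax has them) are outside the assumed layout and would be counted as a second argument.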