|
|
Home | Switchboard | Unix Administration | Red Hat | TCP/IP Networks | Neoliberalism | Toxic Managers |
| (slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and bastardization of classic Unix | |||||||
|
|
NFS is a widely-used file sharing protocol. It allows servers running nfsd and mountd to "export" entire file systems to other machines using NFS filesystem support built in to their kernels (or some other client support if they are not Linux machines). mountd keeps track of mounted file systems in /etc/mtab, and can display them with showmount.
Corporations often prohibit NFS within DMZ. That made sense for NFS v 2, not not so much for NFS v.3 and, especially, v.4.
The key here is to understand that NFS (v. 3 and, especially, 4, but not v.2) is more secure that FTP and more that other RPC-based protocols such as rsync. It contains formidable set of secure settings (as mounting setting) that are vastly superior to those that are available in best FTP daemons.
For example NFS is perfect for making backups. The key here is that backup files are not executable and partition can be mounted with attributes soft, noacl, noexec, nosuid.
Many sites use NFS to serve home directories to users, so that no matter what machine they login to, they will have all their home files. If done with nosuid attribute there is no obvious degradation of security by exporting home directories (Solaris-style export).
You can also make your nfsd map the remote root user (uid=0) to the nobody user, denying them total access to the files exported. However, since individual users have access to their own (with the same uid) files, the remote root user can login or su to their account and have total access to their files.
|
|
If you must use NFS, make sure you export to only those machines that you really need to. Never export your entire root directory; export only directories you need to export.
NFSv4 is can be additionally secured via Kerberos. There are multiple implementations, but the dominant is "MIT Kerberos".The NFSv4 also introduces a new ACL (Access Control List) format that introduces more detailed file security attributes, making NFSv4 controlled files more secure. Several operating systems like AIX 5.3 and Sun Solaris (ZFS only) have implemented NFSv4 ACL in their filesystems. There have pretty Christmas tree style set of permissions (which violates classic rule of seven, see the list below). It is overly complex for normal system administrator (who usually have problems even with simplistic in comparison classic Unix permissions model: few people understand SUID/SGID attributes and the fact that that the ability to write to the directory permits deleting files in it). As such it the net effect can be not so much enhanced security, but the ability to create a security holes that are difficult to detect. Lets look more closely at those new granular permissions:
Solaris has better, more stable NFSv4 implementation then Linux. It fully implement NFSv4 ACLs. See NFSv4 ACLS: Where are we going? IBM AIX implementation is also very good.
|
|
Switchboard | ||||
| Latest | |||||
| Past week | |||||
| Past month | |||||
 |
 |
 |
Jun 02, 2009 | IBM DeveloperWorks
Filesystems using NFS4 ACL
The NFSv4 (Network File System – Version 4) protocol introduces a new ACL (Access Control List) format that extends other existing ACL formats. NFSv4 ACL is easy to work with and introduces more detailed file security attributes, making NFSv4 ACLs more secure. Several operating systems like IBM® AIX®, Sun Solaris, and Linux® have implemented NFSv4 ACL in their filesystems.
Currently, the filesystems that support NFSv4 ACL in IBM AIX 5L version 5.3 and above are NFSv4, JFS2 with EAv2 (Extended Journaled Filesystem with Extended Attributes format version 2), and General Parallel Filesystem (GPFS). In Sun Solaris, this ACL model is supported by ZFS. In RedHat Linux, NFSv4 supports NFSv4 ACLs.
An Access Control List (ACL) is used to specify access permissions to filesystem objects, like files and directories. Is a list of many Access Control Entries (ACEs), in which each entry defines a user or a group, and different permissions to each of them.
ZFS file system, introduced by Sun, is available in the Solaris 10 OS pack.
ZFS supports the NFSv4 ACL model, and has implemented the commands in the form of new options to the existing ls and chmod commands. Thus, the ACLs can be set and displayed using the chmod and ls commands; no new command has been introduced. Because of this, it is very easy to work with ACLs in ZFS.
ZFS ACLs follow a well-defined format. The format and the entities involved in this format are:
Syntax A
ACL_entry_type:Access_permissions/…/[:Inheritance_flags]:deny or allow
ACL_entry_type includes "owner@", "group@", or "everyone@".
For example:
ACL_entry_type: ACL_entry_ID:Access_permissions/…/[:Inheritance_flags]:deny or allow
ACL_entry_type includes "user", or "group".
ACL_entry_ID includes "user_name", or "group_name".
For example:
Listing ACLs of ZFS files and directories
ACLs can be listed using the ls command using the -v and -V options. For listing directory ACLs, use the -d option.
Operation Command Listing ACL entries of files ls –[v | V] <file_name> Listing ACL entries of dirs ls –d[v | V] <dir_name>
Example for listing ACLs of a file
ls -v file.1 -rw-r--r-- 1 root root 2703 Nov 4 12:37 file.1 0:owner@:execute:deny 1:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 2:group@:write_data/append_data/execute:deny 3:group@:read_data:allow 4:everyone@:write_data/append_data/write_xattr/execute/write_attributes/ write_acl/write_owner:deny 5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allowExample for listing ACLs of a directory
# ls -dv dir.1 drwxr-xr-x 2 root root 2 Nov 1 14:51 dir.1 0:owner@::deny 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/ append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow 2:group@:add_file/write_data/add_subdirectory/append_data:deny 3:group@:list_directory/read_data/execute:allow 4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr / write_attributes/write_acl/write_owner:deny 5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes / read_acl/synchronize:allowExample for listing ACLs in a compact format
In above examples, ACLs are displayed in a compact format. In this, access permissions and inheritance flags are displayed using masks. One ACL entry is displayed in each line, making the view easier to understand.
Modifying ACLs of ZFS files and directories
ACLs can be set or modified using the chmod command. The chmod command uses the ACL-specification, which includes the ACL-format (Syntax A or B), listed earlier.
Operation Command Adding an ACL entry by index-ID # chmod Aindex_ID+acl_specification filename Adding an ACL entry for a user # chmod A+acl_specification filename Removing an ACL entry by index_ID # chmod Aindex_ID- filename Removing an ACL entry by user # chmod A-acl_specification filename Removing an ACL from a file # chmod A- filename Replacing an ACL entry at index_ID # chmod Aindex_ID=acl_specification filename Replacing an ACL of a file # chmod A=acl_specification filename Examples of ZFS ACLs modifications
List ACL entries
# ls –v a -rw-r--r-- 1 root root 0 Sep 1 04:25 a 0:owner@:execute:deny 1:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 2:group@:write_data/append_data/execute:deny 3:group@:read_data:allow 4:everyone@:write_data/append_data/write_xattr/execute/write_attributes/ write_acl/write_owner:deny 5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
# chmod A+user:samy:read_data:allow a # ls -v a -rw-r--r--+ 1 root root 0 Sep 1 02:01 a 0:user:samy:read_data:allow 1:owner@:execute:deny 2:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 3:group@:write_data/append_data/execute:deny 4:group@:read_data:allow 5:everyone@:write_data/append_data/write_xattr/execute/write_attributes/ write_acl/write_owner:deny 6:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow # chmod A1+user:samy:execute:deny a # ls -v a -rw-r--r--+ 1 root root 0 Sep 1 02:01 a 0:user:samy:read_data:allow 1:user:samy:execute:deny 2:owner@:execute:deny 3:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 4:group@:write_data/append_data/execute:deny 5:group@:read_data:allow 6:everyone@:write_data/append_data/write_xattr/execute/write_attributes/ write_acl/write_owner:deny 7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
# chmod A0=user:samy:read_data/write_data:allow a # ls -v total 2 -rw-r--r--+ 1 root root 0 Sep 1 02:01 a 0:user:samy:read_data/write_data:allow 1:user:samy:execute:deny 2:owner@:execute:deny 3:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 4:group@:write_data/append_data/execute:deny 5:group@:read_data:allow 6:everyone@:write_data/append_data/write_xattr/execute/write_attributes/ write_acl/write_owner:deny 7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow # chmod A=user:samy:read_data/write_data/append_data:allow a # ls -v a ----------+ 1 root root 0 Sep 1 02:01 a 0:user:samy:read_data/write_data/append_data:allow
ACLs can also be modified using the masks instead of specifying complete names.
Modifying ACL entries using masks
# ls -v a -rw-r-----+ 1 root root 0 Sep 5 01:50 a 0:user:samy:read_data/write_data/execute:allow 1:owner@:execute:deny 2:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 3:group@:write_data/append_data/execute:deny 4:group@:read_data:allow 5:everyone@:read_data/write_data/append_data/write_xattr/execute/ write_attributes/write_acl/write_owner:deny 6:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow # chmod A- a # ls -v a -rw-r----- 1 root root 0 Sep 5 01:50 a 0:owner@:execute:deny 1:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 2:group@:write_data/append_data/execute:deny 3:group@:read_data:allow 4:everyone@:read_data/write_data/append_data/write_xattr/execute/ write_attributes/write_acl/write_owner:deny 5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow # chmod A5- a # ls -v a -rw-r----- 1 root root 0 Sep 5 01:50 a 0:owner@:execute:deny 1:owner@:read_data/write_data/append_data/write_xattr/write_attributes/ write_acl/write_owner:allow 2:group@:write_data/append_data/execute:deny 3:group@:read_data:allow 4:everyone@:read_data/write_data/append_data/write_xattr/execute/ write_attributes/write_acl/write_owner:deny
The Enhanced Journaled File System (JFS2) is built into the base AIX operating system. To have the NFSv4 ALC support on JFS2 filesystem, you need to enable "Extended Attribute Format - Version 2" at the time of creating the filesystem. This feature cannot be enabled or disabled once the filesystem is created.
In subsequent references to JFS2, this article assumes that "Extended Attribute Format - Version 2" is enabled.
The format and the entities involved in this format are:
Syntax
IDENTITY ACE_TYPE ACE_MASK INHERITANCE_AND_AUDIT_ATTRS Where: IDENTITY has format: 'IDENTITY_type:IDENTITY_name(IDENTITY_who):' Where: IDENTITY_type is one of the following: u : user g : group s : special who string (IDENTITY_who must be a special who) IDENTITY_name => user/group name IDENTITY_who => who string ACE_TYPE is one of the following ACE Type: a : allow d : deny l : alarm u : audit
INHERITANCE_AND_AUDIT_ATTRS (Optional) is one or more of the following: fi : FILE_INHERIT di : DIRECTORY_INHERIT oi : INHERIT_ONLY ni : NO_PROPAGATE_INHERIT sf : SUCCESSFUL_ACCESS_ACE_FLAG ff : FAILED_ACCESS_ACE_FLAG
Listing ACLs of JFS2 files and directories
JFS provides the following commands related to ACLs.
Operation Command Display ACLs of a file aclget <filename> Set ACLs of a file aclput [-i infile] [-t acl_type] [-v] <filename> Edit ACLs of a file acledit [-t acl_type] <filename> Converts ACLs of a file from one type to another aclconvert [ -R ] -t <acltype> <filename> Gets ACL types supported by a file system path aclgettypes <filename> In JFS2 partition, AIX Classic (AIXC) ACLs are enabled by default, and not NFS4 ACLs. You need to convert the AIXC ACLs to NFS4.
The following command lists the ACLs of a new file in JFS2 partition:
Display ACLs
# aclget file1 * * ACL_type AIXC * attributes: base permissions owner(root): rw- group(system): r-- others: r-- extended permissions disabled
In this example,
AIXCshows that these are the AIX classic ACLs.To convert to any other type, you need to know what ACL types are supported by this filesystem.
Display supported ACL types:
# aclgettypes file1 Supported ACL types are: AIXC NFS4
Now, you can convert the AIXC ACLs to NFS4 as follows:
Convert ACLs from AIX classic form to NFSv4 form
Modifying ACLs of JFS2 files and directories
To modify the ACLs, you can use either the aclput or acledit command. The best way to set the ACLs is first to get the ACLs of a file using the aclget command, and save it in a file. Then, modify the ACLs in that file, and store them using
aclput –i <input_acl_file>.The acledit command uses an editor to display and modify the ALCs. You need to set the environment variable EDITOR before you use the acledit command.
To avoid converting the ACLS of new files from AIXC type to NFS4 inside a directory each time, set the appropriate Inheritance flag in that directory.
The previous commands can also be used for NFSv4 filesystem to manage NFSv4 ACLs on AIX
|
|
|
GPFS V3.1 Administration and Programming Reference
SA23-2221-00
NFS V4 access requires that an NFS V4 ACL be returned to clients whenever the ACL is read. This means that if a traditional GPFS ACL is associated with the file, a translation to NFS V4 ACL format must be performed when the ACL is read by an NFS V4 client. Since this translation has to be done, an option (-k nfs4) is provided on the mmgetacl and mmeditacl commands, so that this translation can be seen locally as well.It can also be the case that NFS V4 ACLs have been set for some file system objects (directories and individual files) prior to administrator action to revert back to a POSIX-only configuration. Since the NFS V4 access evaluation will no longer be performed, it is desirable for the mmgetacl command to return an ACL representative of the evaluation that will now occur (translating NFS V4 ACLs into traditional POSIX style). The -k posix option returns the result of this translation.
Users may need to see ACLs in their true form as well as how they are translated for access evaluations. There are four cases:
- By default, the mmgetacl command returns the ACL in a format consistent with the file system setting:
- If posix only, it is shown as a traditional ACL.
- If nfs4 only, it is shown as an NFS V4 ACL.
- If all formats are supported, the ACL is returned in its true form.
- The command mmgetacl -k nfs4 always produces an NFS V4 ACL.
- The command mmgetacl -k posix always produces a traditional ACL.
- The command mmgetacl -k native always shows the ACL in its true form, regardless of the file system setting.
In general, users should continue to use the mmgetacl and mmeditacl commands without the -k flag, allowing the ACL to be presented in a form appropriate for the file system setting. Since the NFS V4 ACLs are more complicated and therefore harder to construct initially, users that want to assign an NFS V4 ACL should use the command mmeditacl -k nfs4 to start with a translation of the current ACL, and then make any necessary modifications to the NFS V4 ACL that is returned.
Parent topic: NFS V4 ACL administration
Related concepts
GPFS exceptions and limitations to NFS V4 ACLsRelated tasks
Setting NFS V4 access control lists Applying an existing NFS V4 access control lists Deleting NFS V4 access control lists
Google matched content |
Society
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
Quotes
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Bulletin:
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
History:
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
Classic books:
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|
|
You can use PayPal to to buy a cup of coffee for authors of this site |
Disclaimer:
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.
Last modified: March 12, 2019
