Change the file permissions for “the world” while still mapped to QNFSANON
Exporting to The World
Instead of making exported data accessible to everyone, an administrator can
restrict an export to selected clients. The ACCESS option of the CHGNFSEXP
command does this. The option also accepts particular UIDs, GIDs, and
supplemental GIDs. When the ACCESS option is used, only the listed clients can
reach the exported files; the server ignores access requests from all other
clients. The file /etc/netgroup allows you to define names for groups of clients,
and these netgroup names can be used on the ACCESS option of the CHGNFSEXP
command. For more information on the use of netgroups in exporting, see “How Do
I Export File Systems?” on page 28 and “/etc/netgroup File” on page 96.
The only way to limit who can reach an NFS export is the ACCESS= option of the
export command. Even if you add values to or change the RW= and ROOT= options,
the export still provides read-only access to “the world.” The RW= option gives
only the listed clients read/write access to the mount. The ROOT= option
disallows root access for any hosts that are not listed. Only the ACCESS= option
makes the export reachable by the listed clients alone.
If you specify no options on the CHGNFSEXP command, the default is to export the
file system to “the world,” allowing all clients access to the data. This can
cause a major breach of security, because information that may be sensitive is
passed outside the trusted community of the NFS namespace. Export data only to
those who need it.
Root User Mappings
Lori has a UID of 165 and *ALLOBJ authority on the remote server TULAB2. She
also has a UID of 165 on her local UNIX client, XHOST1. If Chris Admin has
correctly exported the file systems Lori requests on which she holds *ALLOBJ
authority, Lori’s requests for access will fail, because her UID is mapped to
the anonymous profile. However, if her client XHOST1 is on the ROOT= list, her
requests will not fail.
UNIX servers and AS/400 servers map UIDs differently. A UNIX server treats a
user who arrives with a UID of 0 as the root user. If the client originating the
request is not on the ROOT= list in the export options, that user is mapped to
the anonymous user. The AS/400’s definition of a root user is broader: if the
incoming UID maps to any user profile with *ALLOBJ special authority on the
server, that user is mapped to the anonymous user profile, again only when the
request comes from a client that is not on the ROOT= list. In this example, even
though Lori is not the root user on her UNIX client, she is still mapped to the
anonymous profile on TULAB2, because the profile with UID 165 has *ALLOBJ
special authority and the AS/400 therefore considers her a root user. This gives
exported file systems greater security by not letting remote users assume this
special authority unless a client is explicitly listed on the export request.
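The following Python model is an added illustration, not OS/400 code, of the two decisions this chapter describes: the ACCESS=, RW= and ROOT= checks from “Exporting to The World”, and the root-user mapping from “Root User Mappings”, for both a UNIX server (root is UID 0 only) and an AS/400 server (root is any profile with *ALLOBJ). The option-string syntax (comma-separated options, colon-separated client lists) follows UNIX /etc/exports style and is an assumption; the user table, the host XHOST2 and the extra profiles are constructed, and mapping an unknown UID to the anonymous profile is an assumption of the model rather than a statement about either server.

```python
"""Model of the NFS export checks described in this chapter: ACCESS=, RW= and
ROOT= options, plus UNIX versus AS/400 root-user mapping. Constructed example."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ANON_PROFILE = "QNFSANON"  # the AS/400 anonymous user profile named in the text


@dataclass
class ExportOptions:
    rw_world: bool = False                        # bare 'rw': every client may write
    rw: Set[str] = field(default_factory=set)     # RW= clients
    root: Set[str] = field(default_factory=set)   # ROOT= clients
    access: Optional[Set[str]] = None             # None: exported to "the world"


def _clients(value: str) -> Set[str]:
    """Client lists are colon-separated, e.g. 'xhost1:xhost2' (assumed syntax)."""
    return {c.strip().lower() for c in value.split(":") if c.strip()}


def parse_export_options(text: str) -> ExportOptions:
    """Parse 'ro,rw=xhost1,root=xhost1,access=xhost1:xhost2'. Only the options the
    text discusses are accepted; anything else is an error so a typo cannot
    silently widen an export."""
    opts = ExportOptions()
    for item in (p.strip() for p in text.split(",")):
        if not item:
            continue
        key, has_value, value = item.partition("=")
        key = key.lower()
        if key == "ro" and not has_value:
            continue  # read-only for unlisted clients is the default anyway
        if key == "rw":
            if has_value:
                opts.rw |= _clients(value)
            else:
                opts.rw_world = True
        elif key == "root" and has_value:
            opts.root |= _clients(value)
        elif key == "access" and has_value:
            opts.access = (opts.access or set()) | _clients(value)
        else:
            raise ValueError(f"unsupported export option: {item!r}")
    return opts


@dataclass(frozen=True)
class Decision:
    served: bool            # False: request ignored (client not on ACCESS= list)
    profile: Optional[str]  # server-side identity the request runs under
    writable: bool


def map_request(opts: ExportOptions, client: str, uid: int,
                profiles: Dict[int, Tuple[str, bool]], server: str = "as400") -> Decision:
    """profiles maps uid -> (profile name, has *ALLOBJ). A root request from a
    client not on ROOT= runs as the anonymous profile. Unknown UIDs are mapped to
    the anonymous profile here (an assumption of this model)."""
    client = client.lower()
    if opts.access is not None and client not in opts.access:
        return Decision(served=False, profile=None, writable=False)
    writable = opts.rw_world or client in opts.rw
    name, allobj = profiles.get(uid, (None, False))
    if server == "unix":
        is_root = uid == 0       # UNIX: only UID 0 is root
    elif server == "as400":
        is_root = allobj         # AS/400: any *ALLOBJ profile counts as root
    else:
        raise ValueError(f"unknown server type: {server}")
    if name is None or (is_root and client not in opts.root):
        return Decision(served=True, profile=ANON_PROFILE, writable=writable)
    return Decision(served=True, profile=name, writable=writable)


# Constructed server user table: Lori (UID 165, *ALLOBJ) is from the text; the
# other two entries are made up for the example.
PROFILES = {0: ("ROOT", True), 165: ("LORI", True), 301: ("DAVE", False)}


def demo() -> Dict[str, Decision]:
    """Scenarios from the chapter, with constructed export option strings."""
    strict = parse_export_options("ro,access=xhost1:xhost2,rw=xhost1")
    with_root = parse_export_options("ro,access=xhost1:xhost2,rw=xhost1,root=xhost1")
    world = parse_export_options("")  # no options: "the world", read-only
    return {
        "lori_as400": map_request(strict, "XHOST1", 165, PROFILES),
        "lori_as400_root": map_request(with_root, "XHOST1", 165, PROFILES),
        "lori_unix": map_request(strict, "XHOST1", 165, PROFILES, server="unix"),
        "uid0_unix": map_request(strict, "XHOST1", 0, PROFILES, server="unix"),
        "outsider": map_request(strict, "xhost9", 301, PROFILES),
        "world": map_request(world, "xhost9", 301, PROFILES),
    }


if __name__ == "__main__":
    for label, d in demo().items():
        print(f"{label:16} served={d.served} profile={d.profile} writable={d.writable}")
```

Running the scenarios shows the point of the section: with the same UID 165, the UNIX model lets Lori through as herself while the AS/400 model demotes her to QNFSANON until XHOST1 is added to ROOT=, and a client outside ACCESS= is not merely read-only but ignored entirely.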
Chapter 9. Network File System Security Considerations 89