Manuals / Brands / Computer Equipment / Network Router / IBM / Computer Equipment / Network Router

IBM AS/400E Chapter 9. Network File System Security Considerations

1 135

Download 135 pages, 1.47 Mb

Chapter 9. Network File System Security Considerations

Youcan use the Network File System to create a seamless, transparent namespace

where all users have access to the right information at any given time. However,

NFS also has special security considerations. These considerations deal mainly

with user, group, and supplemental user identiﬁcations. This chapter discusses

these concerns along with certain parameters and options of the CHGNFSEXP

command.

This section describes a number of NFS security issues while explaining how to

best avoid security problems and breaches while maintaining a secure namespace.

For more information about OS/400 security, see:

v

Security - Basic,

SC41-4301

v

Security Reference,

SC41-4302

The Trusted Community

The trusted community is made up of only the “approved” NFS servers and clients

that represent a trusted network of users. Inside this group, users export and mount

ﬁle systems based on a system of individual responsibility to keep the namespace

secure from outside, non-trusted users.

The other deﬁning feature of a trusted community is that no special data encryption

of any sort occurs in client/server relationships. The transmissions between the NFS

clients and servers are not encoded. Only the applications running on the client will

minimally encrypt and send data between client and server. This is why it is

important to pay attention to how you export ﬁles from an NFS server. If the client

and server transmissions are not encrypted, and you export to “the world,” then

anybody can access your exported ﬁle systems. For more information on exporting

securely, see “Securely Exporting File Systems”on page 87.

For a detailed discussion of export options, see “Export Options” on page88.

© Copyright IBM Corp. 1997, 1999 81

Contents

Main Page Page Page Contents iv Page Page Figures Page Page Page About OS/400 Network File System Support (SC41-5714) Who should read this book AS/400 Operations Navigator Installing Operations Navigator Client Access Express for Windows - Setup xii SK3T-2027 Prerequisite and related information How to send your comments Page Summary of Changes Page Chapter 1. What is the Network File System? Introduction OS/400 Network File System Support accessible 2 locally downstream cover up remote A Brief History The Network File System as a File System Stateless Network Protocol Overview of the TULAB Scenario 4 Page Page Chapter 2. The Network File System Client/Server Model and Network File System Client/Server Communication Design Network File System Process Layout Network File System Stack Description 8 single-threaded AS/400 as a Network File System Server Network File System Server-Side Daemons RPC Binder Daemon (RPCD) NFS Server Daemons (NFSD) Mount Daemon (MNTD) 10 Network Status Monitor Daemon (NSMD) AS/400 as a Network File System Client Network File System Client-Side Daemons Block I/O Daemon (BIOD) NFS Client-Side Caches 12 Directory and File Attribute Cache Data Cache locality Client Timeout 14 Chapter 3. NFS and the User-Dened File System (UDFS) User File System Management Create a User-Dened File System CRTUDFS Display 16 Display a User-Dened File System DSPUDFS Display Delete a User-Dened File System 18 DLTUDFS Display Mount a User-Dened File System ADDMFS/MOUNT Display Unmount a User-Dened File System RMVMFS/UNMOUNT Display 20 Saving and Restoring a User-Dened File System Graphical User Interface User-Dened File System Functions in the Network File System 22 Using User-Dened File Systems with Auxiliary Storage Pools Recovery with the Network File System 24 Chapter 4. Server Exporting of File Systems What is Exporting? Why Should I Export? TULAB Scenario 26 What File Systems Can I Export? How Do I Export File Systems? Rules for Exporting File Systems 28 Page upstream downstream unexports exports CHGNFSEXP (Change Network File System Export) Command 30 CHGNFSEXP/EXPORTFS Display after 32 Exporting from Operations Navigator Page Path Code Page Data Code Page Finding out what is exported Operations Navigator 36 Retrieve Network File System Export Entries (QZNFRTVE) API System API Reference, UNIX showmount command Exporting Considerations Mounted File System Loops path names objects same Chapter 5. Client Mounting of File Systems What Is Mounting? 40 Why Should I Mount File Systems? What File Systems Can I Mount? OS/400 NetWare Integration Support 42 Where Can I Mount File Systems? Page always 44 Mount Points mounted to mounted from How Do I Mount File Systems? ADDMFS (Add Mounted File System) Command ADDMFS/MOUNT Display 46 Graphical User Interface RMVMFS (Remove Mounted File System) Command 48 RMVMFS/UNMOUNT Display /tools DSPMFSINF (Display Mounted File System Information) Command DSPMFSINF/STATFSDisplay 50 Page This rst display shows basic information about a mounted le system. 52 Figure 45. Display Mounted FS Information (DSPMFSINF) output (1/2) Figure 46. Display Mounted FS Information (DSPMFSINF) output (2/2) Page Page Chapter 6. Using the Network File System with AS/400 File Systems RootFile System (/) Page Read/Write Options Library File System (QSYS.LIB) Exporting and QSYS.LIB QPWFSERVER Authorization List Mounting and QSYS.LIB Support for User Spaces File Modes of Database Members Path Names of .FILE Objects Byte-Range Locks Case-Sensitivity Document Library Services File System (QDLS) Mounting and QDLS File Creation Path Name Length Anonymous Users Optical File System (QOPT) Mounting and QOPT Case-Sensitivity Security and Authorization Optical Support, User-Dened File System (UDFS) 62 Page Page Chapter 7. NFS Startup, Shutdown, and Recovery Conguring TCP/IP Implications of Improper Startup and Shutdown and Proper Startup Scenario 66 STRNFSSVR (Start Network File System Server) Command Displaying NFS Server Daemons Status Consideration 68 STRNFSSVR Display Proper Shutdown Scenario Shutdown Consideration 70 TCP/UDP Timeout Conict ENDNFSSVR (End Network File System Server) Command Displaying NFS Client Daemons ENDNFSSVR Display Starting or stopping NFS from Operations Navigator 72 Server General Locks and Recovery Why Should I Lock a File? How Do I Lock A File? Stateless System Versus Stateful Operation 74 RLSIFSLCK (Release Integrated File System Locks) Command fcntl System API Reference, RLSIFSLCK Display 76 Chapter 8. Integrated File System APIs and the Network File System Error Conditions ESTALE Error Condition EACCES Error Condition API Considerations Client Timeout Solution 78 open(), create(), and mkdir() APIs fcntl() API Unchanged APIs Page Chapter 9. Network File System Security Considerations Security - Basic, Security Reference, The Trusted Community Network Data Encryption 82 User Authorities User Identications (UIDs) nth add Group Identications (GIDs) Mapping User Identications only matching no matter Potential User Identication Mapping Scenarios UID Mapping Examples is become Proper UID Mapping 86 Securely Exporting File Systems very cautiously Export Options insecurely 88 Anonymous Users Exporting to The World Root User Mappings Page Appendix A. Summary of Common Commands Table1. CL Commands Used in Network File System Applications Page Appendix B. Understanding the /etc Files Editing les within the /etc directory Editing stream les by using the Edit File (EDTF) command Absolute Path Name Relative Path Name Editing stream les by using a PC based editor Editing stream les by using a UNIX editor via NFS /etc/exports File Formatting Entries in the /etc/exports File 94 Formatting the HOSTOPT (Host Options) Parameter Additional Format Rules for the HOSTOPT (Host Options) Parameter Examples of Formatting /etc/exports with HOSTOPT Parameter /etc/netgroup File 96 /etc/rpcbtab File /etc/statd File Page Notices 100 Programming Interface Information Trademarks Page Bibliography OS/400 Network File System Support Work Management System API Reference Security Reference Page Index Special Characters A B C D 106 E F G K 108 M N Page P Q 110 R S T U 112 Readers Comments Wed Like to Hear from You Readers Comments Wed Like to Hear from You IBMR ___________________________________________________________________________________________________ SC41-5714-01 BUSINESS REPLY MAIL