chnelson1
1 Copper

NFS security issue?

Hello,

I am running OneFS 7.0.2.1 and am noticing something strange with NFS.  This is a clean implementation that is joined to Active Directory and has Kerberos set up and functioning for NFS v4.  I set up an export to use Kerberos 5 Privacy mode (krb5p) which works but I can also mount using auth_sys even though that isn't specified as an option.  The default export was deleted as well.  See below for my screen dumps.

myisilon-3# isi nfs exports list
ID   Paths          Description
-------------------------------
2    /ifs/data/test
-------------------------------
Total: 1

myisilon-3# isi nfs exports view 2
                     ID: 2
                  Paths: /ifs/data/test
            Description:
                Clients: -
           Root Clients: -
      Read Only Clients: -
     Read Write Clients: -
     Unresolved Clients: -
               All Dirs: No
             Block Size: 8.0K
           Can Set Time: Yes
    Commit Asynchronous: No
Directory Transfer Size: 128.0K
               Encoding: DEFAULT
         Map Lookup UID: Yes
              Map Retry: Yes
                Map All
                     User : -
                   Groups : -
               Map Root
                     User : nobody
                   Groups : -
               Map Full: Yes
          Max File Size: 8192.00000P
              Read Only: No
            Readdirplus: Yes
   Readdirplus Prefetch: 10
  Return 32Bit File Ids: No
Read Transfer Max Size: 1.00M
Read Transfer Multiple: 512
     Read Transfer Size: 128.0K
          Security Type: krb5p
   Setattr Asynchronous: No
               Symlinks: Yes
             Time Delta: 1e-09
  Write Datasync Action: datasync
   Write Datasync Reply: datasync
  Write Filesync Action: filesync
   Write Filesync Reply: filesync
  Write Unstable Action: unstable
   Write Unstable Reply: unstable
Write Transfer Max Size: 1.00M
Write Transfer Multiple: 512
    Write Transfer Size: 512.0K
myisilon-3#

[root@chad /]# mount -o sec=krb5p myisilon.domain.com:/ifs/data/test /nfs_krb5p
[root@chad /]# mount myisilon.domain.com:/ifs/data/test /nfs_sys
[root@chad /]# cd /nfs_krb5p/
[root@chad nfs_krb5p]# touch secret_file
[root@chad nfs_krb5p]# echo "My Secret" > secret_file
[root@chad nfs_krb5p]# cat secret_file
My Secret
[root@chad nfs_krb5p]# cd /nfs_sys/
[root@chad nfs_sys]# ls
secret_file  test
[root@chad nfs_sys]# ls -l
total 51
-rw-r--r--. 1 1000000 root 10 Jul 18 16:55 secret_file
-rw-r--r--. 1 root    root  5 Jul 18 15:43 test
[root@chad nfs_sys]# cat secret_file
My Secret
[root@chad nfs_sys]#

Is this a bug?  If so, is it fixed in a later release?  One way to fix this is to remove AUTH_SYS as an option under NFS default settings but if one needs both AUTH_SYS and krb5 that won't work.

0 Kudos
MRWA
2 Iron

Re: NFS security issue?

Hello chnelson,

I see no one has been able to answer your question. Please open up a support ticket and let's see if we can get this resolved. If you find out more information please do come back here and let us know what the resolution is!

Thanks

-Michael

0 Kudos
peglarr
2 Iron

Re: NFS security issue?

You can always remove a 'security flavor' from any export.  The flavors are additive, so if you left the default sys flavor enabled, then added krb5p, you get both.  This is not a bug...we allow multiple flavors on any given export.  So, your choices are really to either remove the default sys, and add unix back into the individual exports that need it, or leave the default alone and then remove the unix flavor (and all others) from those exports you want to be krb5p only.  Personally, I'd do the latter, but it's your call.

But yes do open up an SR.  If you are on the very old 7.0.2.1 as stated, at the very least they will advise you about what's been fixed/improved to the current 7.0.2.9, not to mention 7.1.0 or 7.1.1.

Best of luck

Rob

0 Kudos
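
Because the flavors are additive, a client can end up mounting a krb5p export with sys without anyone noticing. The following is an added example, not part of the original thread or any Isilon tooling: a client-side check that reads mount records in `/proc/mounts` format and flags mounts of an export that did not negotiate the required flavor. The function name `nfs_sec_audit` is hypothetical, the sample lines are constructed from the mounts shown in the question, and it assumes a Linux client that records `sec=` in its mount options.

```shell
#!/bin/sh
# Added example: flag NFS mounts of an export that are not using the
# required security flavor. Input is /proc/mounts format:
#   device mountpoint fstype options dump pass

# nfs_sec_audit EXPORT REQUIRED_FLAVOR   (mount records on stdin)
# Prints "mountpoint flavor" for every non-compliant mount of EXPORT.
# Returns 0 if every mount of EXPORT uses REQUIRED_FLAVOR, 1 otherwise.
nfs_sec_audit() {
    awk -v exp_path="$1" -v want="$2" '
        ($3 == "nfs" || $3 == "nfs4") && $1 == exp_path {
            flavor = "unknown"          # no sec= option recorded
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^sec=/) flavor = substr(opts[i], 5)
            if (flavor != want) { print $2, flavor; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample mirroring the two mounts from the question,
# plus one unrelated local filesystem that must be ignored.
SAMPLE_MOUNTS='myisilon.domain.com:/ifs/data/test /nfs_krb5p nfs4 rw,relatime,vers=4.0,sec=krb5p 0 0
myisilon.domain.com:/ifs/data/test /nfs_sys nfs4 rw,relatime,vers=4.0,sec=sys 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Demo on the constructed sample: reports the sys mount.
printf '%s\n' "$SAMPLE_MOUNTS" |
    nfs_sec_audit myisilon.domain.com:/ifs/data/test krb5p ||
    echo "non-compliant mounts found"

# Live use on a client:
#   nfs_sec_audit myisilon.domain.com:/ifs/data/test krb5p < /proc/mounts
```

This only shows what clients actually negotiated; the fix itself is on the cluster, by removing the unwanted flavor from the export or from the defaults as described in the reply above.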