Unsolved
This post is more than 5 years old
1 Message
0
1102
NFS security issue?
Hello,
I am running OneFS 7.0.2.1 and am noticing something strange with NFS. This is a clean implementation that is joined to Active Directory and has Kerberos set up and functioning for NFS v4. I set up an export to use Kerberos 5 Privacy mode (krb5p) which works but I can also mount using auth_sys even though that isn't specified as an option. The default export was deleted as well. See below for my screen dumps.
myisilon-3# isi nfs exports list
ID Paths Description
-------------------------------
2 /ifs/data/test
-------------------------------
Total: 1
myisilon-3# isi nfs exports view 2
ID: 2
Paths: /ifs/data/test
Description:
Clients: -
Root Clients: -
Read Only Clients: -
Read Write Clients: -
Unresolved Clients: -
All Dirs: No
Block Size: 8.0K
Can Set Time: Yes
Commit Asynchronous: No
Directory Transfer Size: 128.0K
Encoding: DEFAULT
Map Lookup UID: Yes
Map Retry: Yes
Map All
User : -
Groups : -
Map Root
User : nobody
Groups : -
Map Full: Yes
Max File Size: 8192.00000P
Read Only: No
Readdirplus: Yes
Readdirplus Prefetch: 10
Return 32Bit File Ids: No
Read Transfer Max Size: 1.00M
Read Transfer Multiple: 512
Read Transfer Size: 128.0K
Security Type: krb5p
Setattr Asynchronous: No
Symlinks: Yes
Time Delta: 1e-09
Write Datasync Action: datasync
Write Datasync Reply: datasync
Write Filesync Action: filesync
Write Filesync Reply: filesync
Write Unstable Action: unstable
Write Unstable Reply: unstable
Write Transfer Max Size: 1.00M
Write Transfer Multiple: 512
Write Transfer Size: 512.0K
myisilon-3#
[root@chad /]# mount -o sec=krb5p myisilon.domain.com:/ifs/data/test /nfs_krb5p
[root@chad /]# mount myisilon.domain.com:/ifs/data/test /nfs_sys
[root@chad /]# cd /nfs_krb5p/
[root@chad nfs_krb5p]# touch secret_file
[root@chad nfs_krb5p]# echo "My Secret" > secret_file
[root@chad nfs_krb5p]# cat secret_file
My Secret
[root@chad nfs_krb5p]# cd /nfs_sys/
[root@chad nfs_sys]# ls
secret_file test
[root@chad nfs_sys]# ls -l
total 51
-rw-r--r--. 1 1000000 root 10 Jul 18 16:55 secret_file
-rw-r--r--. 1 root root 5 Jul 18 15:43 test
[root@chad nfs_sys]# cat secret_file
My Secret
[root@chad nfs_sys]#
Is this a bug? If so, is it fixed in a later release? One way to fix this is to remove AUTH_SYS as an option under NFS default settings but if one needs both AUTH_SYS and krb5 that won't work.
MRWA
83 Posts
0
July 23rd, 2014 09:00
Hello chnelson,
I see no one has been able to answer your question. Please open up a support ticket and lets see if we can get this resolved. If you find out more information please do come back here and let us know what the resolve is!
Thanks
-Michael
peglarr
99 Posts
0
July 23rd, 2014 10:00
You can always remove a 'security flavor' from any export. The flavors are additive, so if you left the default sys flavor enabled, then added krb5p, you get both. This is not a bug...we allow multiple flavors on any given export. So, your choices are really to either remove the default sys, and add unix back into the individual exports that need it, or leave the default alone and then remove the unix flavor (and all others) from those exports you want to be krb5p only. Personally, I'd do the latter, but it's your call.
But yes do open up an SR. If you are on the very old 7.0.2.1 as stated, at the very least they will advise you about what's been fixed/improved to the current 7.0.2.9, not to mention 7.1.0 or 7.1.1.
Best of luck
Rob