LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

April 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS April 2012

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: nfs client outbound ports
From:	Dr Andrew C Aitchison <[log in to unmask]>
Reply To:	Dr Andrew C Aitchison <[log in to unmask]>
Date:	Tue, 10 Apr 2012 07:42:54 +0100
Content-Type:	TEXT/PLAIN
Parts/Attachments:	TEXT/PLAIN (52 lines)

On Mon, 30 Jan 2012, Elijah Buck wrote:

> Hello,
>
> I have an NFSv3 server that allows mounts from unprivileged ports, and a
> SL6 NFS client with untrusted users (but root is trusted). I want to
> prevent users from mounting the NFS share from an unprivileged port.
>
> My hope was that I could put iptables rules on the SL6 NFS client:
> -A OUTPUT -p tcp -d nfs.ser.ver.ip --dport 2049 --sport 1025:65534 -j DROP
> -A OUTPUT -p udp -d nfs.ser.ver.ip --dport 2049 --sport 1025:65534 -j DROP
>
> I ran wireshark while mounting the nfs share with the resvport option. The
> initial connection to the nfs server port 2049 is on a privileged port, but
> eventually there is an attempt to connect to the nfs port from an
> unprivileged port. With the above rules in place, mounting does not
> succeed.
>
> Is there are a way to specify a range of source ports for the nfs client?
>
> I also tried blocking non-root access, but this also prevented mounting.
> -A OUTPUT -p tcp -d nfs.ser.ver.ip --dport 2049 -m owner ! --uid-owner root
> -j DROP
> -A OUTPUT -p udp -d nfs.ser.ver.ip --dport 2049 -m owner ! --uid-owner root
> -j DROP
>
> Is there a well-known user other than root that also needs access to 2049?

That depends what is on the nfs partition/share.

Since you trust root on the SL6 machine you should be OK to
rely on file permissions to stop users from accessing data
on the NFS share; even though the SL6 machine has access to
the files (and directories) it wont give the SL6 users access
to anything that the permissions and ACLs block.

If the SL6 passwd file clashes with the one on the server
you might want to think about exporting the share with all_squash,
and or anonuid, although those don't do exactly what you want
(see man exports for more about these options).

I don't know much about NFSv4, but I think it has a model which
is nearer to per user mounting, so if it is available on your server
NFSv4 might be worth investigating.

I'm not entirely clear why you want to allow root but not other
users, so may not be thinking of the right solution for you.

-- 
Dr. Andrew C. Aitchison		Computer Officer, DPMMS, Cambridge
[log in to unmask]	http://www.dpmms.cam.ac.uk/~werdna

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV