NOTE: Even if you export only specific subdirectories of a filesystem, a malicious client might still obtain access to the entire filesystem because the NFS server on many operating systems (including NetBSD) does not limit access requests to the actually exported subdirectory.
The following directories must have root read/write permissions:
/
/var
/etc
/dev
Therefore, the easiest thing would be to export /home and /usr separately from /export/client/root, and without root read/write permissions. This is why /usr and /home are explicitly shuffled around in this HOW-TO. Here's what the directory structure will look like when you're done:
Server (exported directory)      Client
/export/client/root              /
/export/client/swap (file)       /swap (file)
/export/client/usr               /usr
/export/client/home              /home
Note that /swap will be mounted as a file.
Also, note that if the server has the same architecture (e.g. Motorola 680X0 microprocessor for NetBSD/hp300 and sun3, Sparc microprocessor for NetBSD/sparc, and Vax microprocessor for NetBSD/vax), and is running NetBSD, then the client will be able to use the /usr directory structure from the server, saving a significant amount of disk space. If this is the case, then you will need to export /usr instead of /export/client/usr from the server.
You need to make sure that you haven't denied any host access via TCP wrappers. Look in /etc/hosts.deny and /etc/hosts.allow for nfsd, mountd, rpcbind, and portmap entries. If you're using these files to restrict nfs access, then you need to either comment out the nfsd, mountd, rpcbind, and/or portmap entries in hosts.deny or add entries for your client in hosts.allow. You'll probably have to kill -HUP these daemons. Note that portmap is tricky, and on some platforms kill -HUP will actually kill it. It may be easiest to reboot your nfs server after changing your host access files.
The nfs servers on some of these platforms have problems, but usually, they can be worked around with a little effort. This will be covered in the next section of this HOW-TO.
Setting up nfs, NetBSD
Setting up nfs, OpenBSD
Setting up nfs, FreeBSD
Setting up nfs, MacOS X and Darwin
Setting up nfs, Linux
Setting up nfs, SunOS
Setting up nfs, Solaris
Setting up nfs, NEWS-OS
Setting up nfs, NEXTSTEP
Setting up nfs, HP-UX 7 (couldn't get it to work)
Setting up nfs, HP-UX 9
Setting up nfs, HP-UX 10 and later
Setting up nfs, NetBSD
The kernel must have the NFS server compiled in:
options NFSSERVER
The GENERIC kernel distributed with NetBSD has this compiled in.
#/etc/exports
/export/client/root -maproot=root:wheel client.test.net
/export/client/swap -maproot=root:wheel client.test.net
/export/client/usr -maproot=nobody:nobody client.test.net
/export/client/home -maproot=nobody:nobody client.test.net
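As an added example (not part of this HOW-TO), the following checker lints an /etc/exports file against the policy stated above: only /export/client/root and /export/client/swap may carry -maproot=root:wheel, and every export must name its client. It also applies the same rule to the Linux host(rw,no_root_squash) syntax used later on this page; the function names and the sample file are mine.

```python
import re

# Exports that legitimately need root read/write from the client (per the HOW-TO).
ROOT_OK = {"/export/client/root", "/export/client/swap"}

def parse_line(line):
    """Return (paths, root_maps_to_root, clients), or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    # FreeBSD lists several paths of one filesystem on a single line.
    paths = [f for f in fields if f.startswith("/")]
    root_ok, clients = False, []
    for f in fields[len(paths):]:
        m = re.fullmatch(r"([^(]+)\((.*)\)", f)
        if m:                               # Linux: host(opt,opt,...)
            clients.append(m.group(1))
            root_ok |= "no_root_squash" in m.group(2).split(",")
        elif f.startswith("-maproot="):     # BSD: -maproot=user[:group]
            root_ok = f.split("=", 1)[1].split(":")[0] in ("root", "0")
        elif not f.startswith("-"):         # bare host name, network or netgroup
            clients.append(f)
    return paths, root_ok, clients

def lint(text):
    """Return one finding per policy violation, in file order."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        paths, root_ok, clients = parsed
        for path in paths:
            if root_ok and path not in ROOT_OK:
                findings.append(f"line {n}: {path} maps client root to server root")
            if not clients:
                findings.append(f"line {n}: {path} has no client list (open to all hosts)")
    return findings

# Constructed sample: the NetBSD exports above plus three mistakes.
SAMPLE = """\
#/etc/exports
/export/client/root -maproot=root:wheel client.test.net
/export/client/swap -maproot=root:wheel client.test.net
/export/client/usr -maproot=nobody:nobody client.test.net
/export/client/home -maproot=root:wheel client.test.net
/export/client/usr -maproot=nobody:nobody
/export/client/home client.test.net(rw,no_root_squash)
"""
```

Run lint(open("/etc/exports").read()) on a real server to get the same findings for its own file.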
If the server isn't running the NFS daemons, the client will print:
le(0,0,0,0): Unknown error: code -1
boot: Unknown error: code -1
If the server is running NFS, but isn't exporting the root directory to the client, the client will print:
boot: no such file or directory
If everything is working properly, you will see a few numbers and a spinning cursor on the client. This means you have succeeded! At this point, your client isn't bootable. If you let it continue, it will panic when attempting to start init.
Continue on to setting up the client filesystem
Setting up nfs, FreeBSD
#/etc/exports
/export/client/root /export/client/swap -maproot=root:wheel client.test.net
FreeBSD is unable to export multiple directories within a filesystem (such as /export) to a client unless all of the directories are listed on a single line in /etc/exports.
You will also need to make sure that your client's /home and /usr are stored in /export/client/root. FreeBSD is unable to set different properties for exported directories, defeating the point of exporting those directories separately (and without -maproot=root:wheel).
If the server isn't running the NFS daemons, the client will print:
le(0,0,0,0): Unknown error: code -1
boot: Unknown error: code -1
If the server is running NFS, but isn't exporting the root directory to the client, the client will print:
boot: no such file or directory
If everything is working properly, you will see a few numbers and a spinning cursor on the client. This means you have succeeded! At this point, your client isn't bootable. If you let it continue, it will panic when attempting to start init.
Continue on to setting up the client filesystem
Setting up nfs, MacOS X and Darwin
Exports are created in NetInfo with nicl:
# nicl . -create /exports/\\/export\\/client\\/root opts maproot=root:wheel
# nicl . -create /exports/\\/export\\/client\\/root clients 192.168.0.10
# nicl . -create /exports/\\/export\\/client\\/swap opts maproot=root:wheel
# nicl . -create /exports/\\/export\\/client\\/swap clients 192.168.0.10
# nicl . -create /exports/\\/export\\/client\\/usr opts maproot=nobody:nobody
# nicl . -create /exports/\\/export\\/client\\/usr clients 192.168.0.10
# nicl . -create /exports/\\/export\\/client\\/home opts maproot=nobody:nobody
# nicl . -create /exports/\\/export\\/client\\/home clients 192.168.0.10
To later add another client for the same export, you would append to that property (as opposed to the initial create):
# nicl . -append /exports/\\/export\\/client\\/root clients 192.168.0.12
To verify that everything looks good, read it back:
# nicl . -read /exports/\\/export\\/client\\/root
name: /export/client/root
opts: maproot=root:wheel
clients: 192.168.0.10 192.168.0.12
If the server isn't running the NFS daemons, the client will print:
le(0,0,0,0): Unknown error: code -1
boot: Unknown error: code -1
If the server is running NFS, but isn't exporting the root directory to the client, the client will print:
boot: no such file or directory
If everything is working properly, you will see a few numbers and a spinning cursor on the client. This means you have succeeded! At this point, your client isn't bootable. If you let it continue, it will panic when attempting to start init.
Continue on to setting up the client filesystem
Setting up nfs, Linux
#/etc/exports
/export/client/root client.test.net(rw,no_root_squash)
/export/client/swap client.test.net(rw,no_root_squash)
/export/client/usr client.test.net(rw,root_squash)
/export/client/home client.test.net(rw,root_squash)
If the server isn't running the NFS daemons, the client will print:
le(0,0,0,0): Unknown error: code -1
boot: Unknown error: code -1
If the server is running NFS, but isn't exporting the root directory to the client, the client will print:
boot: no such file or directory
If everything is working properly, you will see a few numbers and a spinning cursor on the client. This means you have succeeded! At this point, your client isn't bootable. If you let it continue, it will panic when attempting to start init.
Kernel NFS Problem:
Most versions of Linux only implement NFS2, in which case NetBSD will try NFS3 and then automatically fall back. Some versions (notably RedHat 6.0) will incorrectly answer both NFS2 and NFS3 mount requests, then ignore any attempt to access the filesystem using NFS3. This causes untold pain and hassle.
The workaround is to kill mountd and start it with options preventing NFS3 problems (i.e., rpc.mountd --no-nfs-version 3).
Continue on to setting up the client filesystem
Setting up nfs, SunOS
#/etc/exports
/export/client/root -root=client
/export/client/swap -root=client
/export/client/usr
/export/client/home
If the server isn't running the NFS daemons, the client will print:
le(0,0,0,0): Unknown error: code -1
boot: Unknown error: code -1
If the server is running NFS, but isn't exporting the root directory to the client, the client will print:
boot: no such file or directory
If everything is working properly, you will see a few numbers and a spinning cursor on the client. This means you have succeeded! At this point, your client isn't bootable. If you let it continue, it will panic when attempting to start init.
Continue on to setting up the client filesystem
Setting up nfs, Solaris
share -F nfs -o root=client /export/client/root
share -F nfs -o root=client /export/client/swap
share -F nfs -o rw=client /export/client/usr
share -F nfs -o rw=client /export/client/home
Be certain to use host names: if you use numeric IP addresses, Solaris will deny access without any error messages.
If the nfs daemons aren't running, then you will need to run:
# /etc/init.d/nfs.server start
If the server isn't running the NFS daemons, the client will print:
le(0,0,0,0): Unknown error: code -1
boot: Unknown error: code -1
If the server is running NFS, but isn't exporting the root directory to the client, the client will print:
boot: no such file or directory
If everything is working properly, you will see a few numbers and a spinning cursor on the client. This means you have succeeded! At this point, your client isn't bootable. If you let it continue, it will panic when attempting to start init.
Continue on to setting up the client filesystem
Setting up nfs, NEWS-OS
#/etc/exports
/export/client/root -root=client
/export/client/swap -root=client
/export/client/usr
/export/client/home
If the server isn't running the NFS daemons, the client will print:
le(0,0,0,0): Unknown error: code -1
boot: Unknown error: code -1
If the server is running NFS, but isn't exporting the root directory to the client, the client will print:
boot: no such file or directory
If everything is working properly, you will see a few numbers and a spinning cursor on the client. This means you have succeeded! At this point, your client isn't bootable. If you let it continue, it will panic when attempting to start init.
Continue on to setting up the client filesystem
Setting up nfs, NEXTSTEP
You may also wish to keep with NEXTSTEP convention and place all of your client files in /private/export/client instead of /export/client.
For reference, here is a snapshot of what the NFSManager Exported Directories window should look like.
If the server isn't running the NFS daemons, the client will print:
le(0,0,0,0): Unknown error: code -1
boot: Unknown error: code -1
If the server is running NFS, but isn't exporting the root directory to the client, the client will print:
boot: no such file or directory
If everything is working properly, you will see a few numbers and a spinning cursor on the client. This means you have succeeded! At this point, your client isn't bootable. If you let it continue, it will panic when attempting to start init.
Continue on to setting up the client filesystem
Setting up nfs, HP-UX 7 (couldn't get it to work)
I don't think HP-UX 7's NFS server allows for restricting root read/write access.
#/etc/exports
/export/client/root client.test.net
/export/client/swap client.test.net
/export/client/usr client.test.net
/export/client/home client.test.net
If the server isn't running the NFS daemons, the client will print:
le(0,0,0,0): Unknown error: code -1
boot: Unknown error: code -1
If the server is running NFS, but isn't exporting the root directory to the client, the client will print:
boot: no such file or directory
If everything is working properly, you will see a few numbers and a spinning cursor on the client. This means you have succeeded! At this point, your client isn't bootable. If you let it continue, it will panic when attempting to start init.
Continue on to setting up the client filesystem
Setting up nfs, HP-UX 9
#/etc/exports
/export/client/root -root=client.test.net
/export/client/swap -root=client.test.net
/export/client/usr -access=client.test.net
/export/client/home -access=client.test.net
If the server isn't running the NFS daemons, the client will print:
le(0,0,0,0): Unknown error: code -1
boot: Unknown error: code -1
If the server is running NFS, but isn't exporting the root directory to the client, the client will print:
boot: no such file or directory
If everything is working properly, you will see a few numbers and a spinning cursor on the client. This means you have succeeded! At this point, your client isn't bootable. If you let it continue, it will panic when attempting to start init.
Continue on to setting up the client filesystem
Setting up nfs, HP-UX 10 and later
#/etc/exports
/export/client/root -root=client.test.net
/export/client/swap -root=client.test.net
/export/client/usr -access=client.test.net
/export/client/home -access=client.test.net
If the server isn't running the NFS daemons, the client will print:
le(0,0,0,0): Unknown error: code -1
boot: Unknown error: code -1
If the server is running NFS, but isn't exporting the root directory to the client, the client will print:
boot: no such file or directory
If everything is working properly, you will see a few numbers and a spinning cursor on the client. This means you have succeeded! At this point, your client isn't bootable. If you let it continue, it will panic when attempting to start init.
Continue on to setting up the client filesystem