Chapter 18.  Network File System


18.1. The NFS (In)security Model

There's no getting around it: NFS is old. Like SMTP and so many other protocols, it was designed at a time when the network was a much more trusted entity, when only trusted parties had administrative access to hosts on the network, and when the population of the Internet was much, much lower than it is today. Like a gullible neighbor with no tools left in his garage, NFS is just too trusting. Its problems begin with the fact that most NFS implementations, rather than supporting user-based authorization, simply maintain lists of hosts permitted to mount particular shares. Since IP addresses are relatively easy to spoof, this does not amount to a reliable security architecture.



NFS shares are commonly known as exports. The terms are used here interchangeably to more closely identify with Mac OS X Server's management tools and terminology.



This issue is exacerbated by the NFS server's assumption that the server and its clients share a user and group database. A user with the UniqueID 501 on the server is assumed to have the same file access rights as the user with UniqueID 501 on the client. The server trusts the client to actually authenticate that user. This model is described in Figure 18-1.



Some NFS implementations have been extended to support security features that either have not been entirely standardized or are just not supported in Mac OS X and Mac OS X Server.



Figure 18-1. NFS assumes that the user with a UniqueID of 502 should have the same access rights as the user with a UniqueID of 502 on the client, even though in reality they are not the same user.



Ten years ago, when only system administrators could create users and when /etc/passwd files were regularly maintained in parallel (so that user RecordNames and UniqueIDs were always consistent among hosts), this might have been an acceptable, if slightly short-sighted, security model. Today it is virtually unworkable.

One principal downside of this behavior is a UniqueID mismatch (see Figure 18-2). Legitimate users, because their UniqueIDs differ on the client and the server, may be denied access, whereas illegitimate users may have access to files that they should not have, because their UniqueID happens to match that of another user on the server. What is worse is that anyone with administrative access to such a client might specifically create a user to match UniqueIDs with a server user, maliciously exploiting this behavior. Despite these shortcomings, NFS is a viable and common protocol when it is secured properly.



Figure 18-2. UniqueID mismatches are a common pitfall in NFS deployment.
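The check below is an added example, not code from the book: it compares constructed passwd-style account lists for a server and a client (every name and UniqueID is made up) and reports both outcomes of a UniqueID mismatch described above, the legitimate user whose UniqueID no longer matches and the client user who lands on another server user's UniqueID.

```python
# Constructed sample account lists in passwd(5) format; every name and
# UniqueID here is made up for illustration.
SERVER_PASSWD = """\
root:*:0:0:System Administrator:/var/root:/bin/sh
nadmin:*:501:20:Admin:/Users/nadmin:/bin/bash
jane:*:502:20:Jane:/Users/jane:/bin/bash
"""
CLIENT_PASSWD = """\
root:*:0:0:System Administrator:/var/root:/bin/sh
bob:*:501:20:Bob:/Users/bob:/bin/bash
jane:*:503:20:Jane:/Users/jane:/bin/bash
"""

def parse_passwd(text):
    """Return {name: uid} from passwd-format text, skipping comments and short lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 3:
            continue
        users[fields[0]] = int(fields[2])
    return users

def uid_mismatches(server, client):
    """Compare {name: uid} maps the way the NFS server implicitly does.

    denied  -> (name, client_uid, server_uid): same person, different UniqueID,
               so the server no longer recognizes the legitimate user.
    aliased -> (client_name, uid, server_name): different people, same UniqueID,
               so the client user inherits the server user's file access.
    """
    server_by_uid = {}
    for name, uid in server.items():
        server_by_uid.setdefault(uid, name)
    denied = sorted((n, uid, server[n]) for n, uid in client.items()
                    if n in server and server[n] != uid)
    aliased = sorted((n, uid, server_by_uid[uid]) for n, uid in client.items()
                     if uid in server_by_uid and server_by_uid[uid] != n)
    return denied, aliased

if __name__ == "__main__":
    denied, aliased = uid_mismatches(parse_passwd(SERVER_PASSWD),
                                     parse_passwd(CLIENT_PASSWD))
    for name, c_uid, s_uid in denied:
        print(f"{name}: UniqueID {c_uid} on client, {s_uid} on server")
    for c_name, uid, s_name in aliased:
        print(f"client user {c_name} (UniqueID {uid}) is treated as {s_name}")
```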



18.2. Managing NFS with Server Admin

The NFS options available in Server Admin, unlike options for other protocols, are rather minimal. This is probably because few NFS settings are global in nature, and most are manipulated on the share level, in Workgroup Manager. In fact, there's not even an NFS start or stop option. Instead, NFS is started whenever it is enabled for any share point. The Overview tab, which illustrates the state of various NFS-related daemons, is indicated in Figure 18-3.



Figure 18-3. The Overview section of Server Admin's NFS management interface reveals the state of several NFS-related daemons.



As is the case with most Server Admin services, the data from the Overview pane can also be obtained from the serveradmin command-line utility, as shown in Example 18-1.



Example 18-1. Using serveradmin to obtain state data about Mac OS X Server NFS services.

[ace2:~] nadmin% sudo serveradmin fullstatus nfs
nfs:command = "getState"
nfs:mountd = "STOPPED"
nfs:nsfd = "STOPPED"
nfs:rpc.statd = "STOPPED"
nfs:state = "STOPPED"
nfs:readWriteSettingsVersion = 1
nfs:portmap = "STOPPED"
nfs:rpc.lockd = "RUNNING"



Settings (the only other choice in Server Admin's NFS interface, illustrated in Figure 18-4) exposes only one pane, called General. Its options (see Table 18-1) are rather limited: the number of daemons and their supported protocols are configurable.



In fact, the number of daemons is limited to a value between 4 and 20. Since each daemon can service multiple clients, this value does not imply a specific limitation on the number of NFS connections.



Figure 18-4. Server Admin's NFS Settings interface.



Choosing the TCP and UDP option is commonly the most compatible protocol choice. Clients that support only UDP will request it, and offering TCP access (which is more reliable, but often slower) will not prevent that.

Table 18-1. Default options passed to the NFS Server in Mac OS X.

Option    Description
-t        Serve TCP NFS clients.
-u        Serve UDP NFS clients.
-n 6      Start six NFS servers. Servers are multithreaded, so this option does not limit the server to six clients.



These options are written to NetInfo, in the /config/nfsd directory; see Example 18-2.



Example 18-2. Using dscl to examine NFS settings. nicl or niutil could also be used, both directly examining the NetInfo database.

g5:~ nadmin$ dscl . -read /config/nfsd
arguments: -t -u -n 6
AppleMetaNodeLocation: /NetInfo/DefaultLocalNode
RecordName: nfsd



They can also be viewed by using the serveradmin utility. Some command output, which searches other directory nodes for configuration, has been removed from this output:



g5:~ nadmin$ sudo serveradmin command nfs:command=readSett
nfs:command = "readSettings"
nfs:readStatus = 0
nfs:configuration:useTCP = yes
nfs:configuration:useUDP = yes
nfs:configuration:nbDaemons = 6
nfs:dsConfiguration:localNodePath = "/NetInfo/DefaultLocal
...



These options, in turn, are read by the NFS Startup Item (/System/Library/StartupItems/NFS), which, if no options are present, defaults to the -t -u -n 6 options specified in this example.



18.3. Managing NFS with Workgroup Manager

While the global options for the NFS service are managed in Server Admin, per-share options are managed in Workgroup Manager, using the Protocols tab mentioned earlier (in the introduction to Part IV). Appropriately, choosing NFS from the pull-down menu in that interface reveals NFS-specific options for the selected share, as illustrated in Figure 18-5.



Figure 18-5. Workgroup Manager's per-share options control NFS access and security features on a per-share basis.



NFS is the only service for which access to a newly created share is disabled. This is for security reasons; as mentioned earlier, its shares are exported to a specific list of hosts rather than to a specific list of users or groups.



Since this security model is relatively weak, it makes sense to ensure that administrators specifically enable it.



These access controls are defined in Workgroup Manager's options. Be aware, however, that IP addresses are easy to spoof, and that access to NFS protocols should be limited at the network level as well, so that requests come only from physical networks known to be trusted.

Access to any share may be limited to a specific list of hosts, to a particular subnet, or to the world. Subnet access is specified using the network address (the subnet's address with all the host bits set to 0; for instance, 192.168.1.0 for that Class C subnet) and subnet mask. Granting world access allows unlimited, unauthenticated access to the share in question, and should be used only with extreme caution, preferably in conjunction with one or more of the available security options.



As of Mac OS X Server 10.3.4, attempting to specify world access to multiple NFS shares on the same partition (although permitted in the graphical interface) results in errors. Only one NFS share per partition may have world access. This is a limitation of the Mac OS X NFS service, not of the user interface or of NFS in general.



Workgroup Manager also exposes two NFS security management options relating to UniqueID mapping. As mentioned earlier, an NFS Server generally trusts clients to inform it of the UniqueID of the user accessing a file or directory. The server then assumes that the user in question has the same UniqueID on the server, and that access to the file can be granted or denied based on this shared user list and the underlying filesystem permissions.

This isn't a good assumption. Every user initially created on a Mac OS X client, for example, has a UniqueID of 501. It is unlikely that most of the millions of users with the UniqueID of 501 should be authorized to access a particular server resource. Yet under NFS's permissions model, they all would be. This behavior is an issue especially if the client claims that the user accessing a file has a UniqueID of 0, which always corresponds to root. It is a tremendously bad idea to trust a client, especially one (due to NFS's lax authorization model) validated only by its IP address, to grant or deny root access on your server. Along these lines, Mac OS X Server (like most other NFS servers) allows for server-side suppression of requests for root access. When a process running on a client claims to have a UniqueID of 0, the server squashes (that is the technical term!) this request, and instead grants the access that would be given to the user nobody (UniqueID -2). Root access is effectively mapped to that of nobody. This is enabled on a per-share basis by the "Map Root user to nobody" checkbox.

A more complete solution (but one invalidating multiple user access to the share) involves mapping all requests to the user nobody. Every user, no matter what their UniqueID is, always has the access granted to the user nobody. This access is enabled on a per-share basis by the "Map All users to nobody" checkbox.

The downside of both of these security measures is that certain processes cannot access the resource in question. In the case of squashing root access, this applies to almost all server services, which generally run as root. An alternative, exposed by the Read-only checkbox, enforces read-only access to the share, regardless of the underlying filesystem permissions. Exposure to malicious access is reduced since the filesystem cannot be written to, but permissions may still be used to enforce different access controls for different users and groups.

All of the per-share NFS options in Workgroup Manager are saved to the server's local NetInfo domain. Unlike AFP, SMB, and FTP services, however, they are not buffered into protocol-specific options in the share's entry in netinfo://config/SharePoints. Instead they are written directly to netinfo://exports, which is read both by the NFS Startup Item (in order to determine whether or not NFS Services should be started) and by the mountd and nfsd processes, which are covered in more depth later in this chapter.



g5:~ nadmin$ dscl . -read /exports/\\/sw
AppleMetaNodeLocation: /NetInfo/DefaultLocalNode
RecordName: /sw
VFSOpts: ro mapall=nobody network=192.168.1.0 mask=255.255.
g5:~ nadmin$ nicl . -read /exports/\\/sw
name: /sw
opts: ro mapall=nobody network=192.168.1.0 mask=255.255.255
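How the stored options change what the server does with a client's claimed UniqueID can be traced with the following added example, which is not code from the book or from Mac OS X Server. It parses an opts string of the form shown above, applies the subnet check and the two nobody mappings, and lists the weak points of an export; the sample values are constructed, only the subnet form of access is handled, and an export with no network option is assumed to mean world access.

```python
import ipaddress

NOBODY_UID = -2  # UniqueID of "nobody", per the text above

# Constructed sample values (not the page's record); only the subnet form is covered.
SAMPLE_OPTS = "ro mapall=nobody network=10.0.5.0 mask=255.255.255.0"

def parse_opts(opts):
    """Split a space-delimited opts string into {key: value}; bare flags map to True."""
    parsed = {}
    for token in opts.split():
        key, sep, value = token.partition("=")
        parsed[key] = value if sep else True
    return parsed

def client_allowed(opts, client_ip):
    """Host-based check, the only gate NFS applies before trusting the client."""
    if "network" not in opts:
        return True  # assumption: no restriction recorded means world access
    # strict=True rejects a network address whose host bits are not all 0
    net = ipaddress.ip_network(f"{opts['network']}/{opts['mask']}", strict=True)
    return ipaddress.ip_address(client_ip) in net

def effective_uid(opts, claimed_uid):
    """UniqueID the server acts as, given the UniqueID the client claims.
    Assumes the mapping target is nobody, as the two checkboxes set it."""
    if "mapall" in opts:
        return NOBODY_UID  # "Map All users to nobody"
    if claimed_uid == 0 and "maproot" in opts:
        return NOBODY_UID  # "Map Root user to nobody"
    return claimed_uid     # taken on the client's word

def audit(opts):
    """List the weak points of one export, in the order the text discusses them."""
    findings = []
    if "network" not in opts:
        findings.append("world access")
    if "mapall" not in opts and "maproot" not in opts:
        findings.append("client-claimed root honored")
    if "ro" not in opts:
        findings.append("writable")
    return findings

if __name__ == "__main__":
    opts = parse_opts(SAMPLE_OPTS)
    print(client_allowed(opts, "10.0.5.17"), effective_uid(opts, 0), audit(opts))
    print(audit(parse_opts("network=10.0.5.0 mask=255.255.255.0")))
```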



Each option in Workgroup Manager corresponds to a different NetInfo attribute. These attributes, along with their abstracted Open Directory names, appear in Table 18-2.

Table 18-2. Analysis of NFS share points and their directory attributes. For more information on Open Directory's abstraction and naming, see the introduction to Part II and the Appendix.

NetInfo attribute name    Open Directory attribute name    Description
name                      RecordName                       Name of the share
opts                      VFSOpts                          Space-delineated strings describing share
