Goals
- get an overview of NFS
- work with NFS
POST
This exercise will be done on your NIS box.
- what is the Sun-recommended way to make significant network changes to your machine?
- where do you start to troubleshoot if you cannot ping an internet site by IP?
- where do you start to troubleshoot if you cannot ping an internet site by hostname?
- where is NIS information stored for servers?
- where is NIS information stored for clients (binding information, not actual NIS DATA)?
- why don't our NIS logins have home directories?
NFS introduction
- centralization of data
- consistency of data
- leverage SANs, etc.
- homedir appears to follow the user around
- share disk space between machines
- do not cross-mount (machines mounting each other's filesystems)
- NFS failures can cause box or app lockups
- NFS mounts can take a while, especially at boot time
- NFS is now TCP transport, but the initial contact can be a UDP RPC call to the portmapper to find out where the TCP port is going to be (whew!).
- WebNFS is a little-known NFS variant that works on stable ports (useful through firewalls). Rarely used.
practicum: mounting userdirs on fileserver
- mount options pp. 610-11 (see permissions digression below)
- mount manually:
mount -F nfs [-o options] host:filesystem mountpoint
- mount automatically:
/etc/vfstab
advanced permissions
setuid, setgid
- generally used to elevate rights on a binary; setuid scripts are deprecated, and many shells and *nix distributions go out of their way to refuse privileged execution of them.
mode bits    octal  meaning
---s--s--t   7000   setuid, setgid, sticky
---s--s---   6000   setuid, setgid
---s-----t   5000   setuid, sticky
---s------   4000   setuid
------s--t   3000   setgid, sticky
------s---   2000   setgid
---------t   1000   sticky
----------   0000   none
list root-owned setuid or setgid files (the parentheses are required: -o binds less tightly than the implied -a between -user and -perm, so without them the setgid test would match files of any owner):
/usr/bin/find / -user root \( -perm -4000 -o -perm -2000 \) -print
Access Control Lists (ACLs) (Solaris only)
File Access Control Lists are a way to achieve finer permission granularity than normal Unix ownership/permissions allow. ACLs are allowed on files and directories, and directories can have (and should have) a default ACL that is inherited by new entries.
getfacl shows the current ACL
$ getfacl examplefile
# file: examplefile
# owner: snelling
# group: snelling
user::rw-
group::r-- #effective:r--
mask:r--
other:r--
The main difference here is the presence of a mask, which specifies the maximum permission for any non-user (i.e., non-owner) entry; getfacl shows the result of applying it in the #effective: column.
setfacl sets the ACL for a file or directory
setfacl -s acl_settings file - set (replace) the whole ACL. cf. numeric-mode chmod
setfacl -m acl_settings file - modify individual entries. cf. symbolic-mode chmod
acl_settings is a comma-separated list of entries of the form:
u[ser]::perms
g[roup]::perms
o[ther]:perms
m[ask]:perms
u[ser]:uid:perms
g[roup]:gid:perms
d[efault]:u[ser]::perms
d[efault]:g[roup]::perms
d[efault]:o[ther]:perms
d[efault]:m[ask]:perms
d[efault]:u[ser]:uid:perms
d[efault]:g[roup]:gid:perms
copy bar's ACL onto foo (setfacl -f reads entries from a file, "-" meaning stdin):
getfacl bar | setfacl -f - foo
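The mask semantics above, as an added example that is not part of the course notes: a POSIX sh script that applies the mask to a constructed getfacl-style listing and reproduces the #effective: annotation. It uses no Solaris-specific commands, so it runs on any sh.

```shell
#!/bin/sh
# Added example, not from the course notes: reproduce getfacl's "#effective:"
# annotation by ANDing each masked entry with the mask. The listing below is a
# constructed sample in Solaris getfacl format (header comment lines omitted).

ACL='user::rw-
user:mouse:rwx
group::r--
group:staff:rw-
mask:r-x
other:r--'

# rwx triple -> octal digit, e.g. rw- -> 6
bits() {
    n=0
    case "$1" in r??) n=$((n + 4));; esac
    case "$1" in ?w?) n=$((n + 2));; esac
    case "$1" in ??x) n=$((n + 1));; esac
    echo "$n"
}

# octal digit -> rwx triple, e.g. 5 -> r-x
triple() {
    p=''
    [ $(($1 & 4)) -ne 0 ] && p="${p}r" || p="${p}-"
    [ $(($1 & 2)) -ne 0 ] && p="${p}w" || p="${p}-"
    [ $(($1 & 1)) -ne 0 ] && p="${p}x" || p="${p}-"
    echo "$p"
}

# Print each entry; masked entries (owning group, named users and groups)
# get "#effective:" showing entry AND mask. The mask only takes rights away,
# so group:staff:rw- under mask r-x is effectively r--.
effective_acl() {
    m=$(bits "$(printf '%s\n' "$1" | sed -n 's/^mask:\(...\)$/\1/p')")
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            user::*|other:*|mask:*) echo "$line" ;;
            *) perms=${line##*:}
               b=$(bits "$perms")
               echo "$line #effective:$(triple "$((b & m))")" ;;
        esac
    done
}

effective_acl "$ACL"
```

Real getfacl pads the #effective: column with tabs; the script separates it with a single space.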
RBAC
RBAC is generally administered via the SMC (Solaris Management Console).
- some utilities are RBAC-aware; some will need to be run through SMC
- may require the creation of roles before granting privs to users
practicum: sharing NFS filesystems
- share options pp. 606-07
- share manually:
share -F nfs [-o options] path
- share automatically:
/etc/dfs/dfstab. Each line is a share command and the file is executed as a shell script at boot (shareall). A later share of the same path supersedes preceding ones.
Homework
http://www.mousetrap.net/syllabus/solaris8-nfs/day5.html
$Id: day5.orb,v 1.2 2002/11/15 18:32:05 mouse Exp $