squeak!
Syllabus Homepage
Course Overview
Course resources
Day 1
Day 2
Day 3
Day 4
Day 5
Day 6
Day 7
Day 8
Common errors
Internet Glossary
About Your Instructor
Credits: This site powered by the vi text editor, apache webserver, perl scripting, and Debian linux.
squeak!

solaris8 II - Day 6

Goals

  • work with ACLs and RBAC
  • use sudo

POST

This exercise will be done on your box.
  1. what filesystems are NFS mountable on nis?
  2. what filesystems are NFS mountable on r118-02?
  3. what filesystems are NFS mountable on your own box?
  4. make a directory called /day6post.
  5. in that directory, make a file called readme.
  6. change the the file to belong to the students group.
  7. give the group write permission. The world should not have write perms.
  8. temporarily share the directory.
  9. mount each of the other student's /day6post directory.
  10. access that directory as root. Can you alter the file?
  11. access that directory as your normal user. Can you alter the file?
  12. how could you limit the boxes that could mount the directory?

advanced permissions

 
---s--s--t 7000 setuid, setgid, sticky 
---s--s--- 6000 setuid, setgid
---s-----t 5000 setuid, sticky
---s------ 4000 setuid
------s--t 3000 setgid, sticky
---s------ 2000 setgid
---------t 1000 sticky
---------- 0000 none


/usr/bin/find / -user root -perm -4000 -o -perm -2000
  • Access Control Lists (ACLs) (Solaris only) File Access Control Lists are a way to achieve finer permissions granularity than normal unix ownership/permissions allows. ACLs are allowed on files and dirs, and dirs can have (and should have) a default ACL.

    • getfacl shows the current ACL 
      $ getfacl examplefile

# file: examplefile
# owner: snelling
# group: snelling
user::rw-
group::r--              #effective:r--
mask:r--
other:r--

      The main difference here is the presence of a mask which specifies the maximal permission for any non-user (ie, non-owner) account.

    • setfacl sets the ACL for a file or directory
      setfacl -s acl_settings file - set the ACL. cf numerical mode chmod
      setfacl -m acl_settings file - modify the ACL. cf symbolic mode chmod 
      u[ser]::perms
g[roup]::perms
o[ther]:perms
m[ask]:perms
u[ser]:uid:perms
g[roup]:gid:perms
d[efault]:u[ser]::perms
d[efault]:g[roup]::perms
d[efault]:o[ther]:perms
d[efault]:m[ask]:perms
d[efault]:u[ser]:uid:perms
d[efault]:g[roup]:gid:perms

    getfacl bar | setfacl -f - foo

  • RBAC RBAC is generally implemented via the SMC.
    1. some utilities are RBAC-aware; some will need to be run through SMC
    2. may require the creation of roles before granting privs to users

    NFS permissions and security

    • root allowed from other hosts
    • /etc/exports
    • export ro where possible
    • remove g+w perms on share dirs
    • export data, not executables
    • root ownership can protect files because of the anonymous remapping
    • do not export dirs with world-writeable perms
    • possible: use fsirand to randomize fsID numbers.
    • showmount -e host probe for unnecessary shares
    • problems: client/server spoofing, unencrypted traffic, unix fs security, UNIX_SECURITY rpc authentication.
    • NFS client or server, not both (related: crossmounting)
    • consolidate mounts onto a central server, rather than spreading them out
    • check for cd /; cd .. problems at the top of the imported fs (mainly diskless workstations)
    • don't export share homedirs if possible
    • pull unwanted exports with unshare

    NFS failover

    Only works with ro mounts. mount -F nfs -o ro host1:/somedir,host2:/somedir /mydir

    NFS logging (solaris 8 only)

    • eyeball /etc/nfs/nfslog.conf to set paths, etc
    • eyeball /etc/default/nfslogd to see logging detail, etc
    • when mounting, use the -o log=global
    • see if /usr/lib/nfs/nfslogd is running; start.

    Cached NFS

    Can mount remote (or even local) FSs, to improve "throughput"."Read Mostly".

    some definitions:

    • backfstype: nfs
    • backfs system: host:/path
    • cache: the cached data
    • cache dir: the dir containing the cache

    Setting up a cachefs

    1. set up a cache directory
    2. create the cache: cfsadmin -c directory (all cachefs mounts share same cache)
    3. mount the fs like this: mount -F cachefs -o backfstype=nfs,cachedir=/path host1:/path /mypath
    4. check cachefsstat /mypath

    Deleting a cachefs

    1. unmount the fs
    2. cfsadmin -l to get IDs
    3. cfsadmin -d cache-id /dir
    4. fsck -F cachefs /path/cache1 to reset resource info

    autofs/automounter

    • client-side; the remote fs is always exported
    • allows user-enabled mounting
    • speeds up boot
    • minimizes memory overhead
    • minimizes network traffic
    • falls off after 10m or so.
    • easier to shutdown/reboot an exporting box
    • do not mix manually and auto mounting for the same mount!
    • autofs behaviour controlled by maps.
    • auto_master: /net -hosts -nosuid,nobrowse sets up default automounts of /export

    setting up an automount

    • eyeball /etc/init.d/autofs
    • eyeball /etc/auto_master: format: mountpoint map -options
    • set up map (more than one mount can share): 
      /mymountpoint -o options host1:/remotepoint
/mymountpoint2 -o options host2:/remotepoint2

    automount -t interval in seconds -v. 10-30 mins is most efficient time.

    Homework

    http://www.mousetrap.net/syllabus/solaris8-nfs/day6.html
    $Id: day6.orb,v 1.5 2002/11/20 00:14:58 mouse Exp $

    • © 1994-2002 jason carr.
    distributed under the terms of the GNU Free Documentation License.

    jason carr

    Reminders

    • Classroom temperature can be wildly variable. Dress lightly and bring layers.
    • your username is based on the class title and the last two digits of your workstation's hostname.
    • remember to take your work with you.