NFS

From SME Server

Security and NFS

Something interesting that will scare you, the security chapter of the NFS HOWTO: http://www.tldp.org/HOWTO/NFS-HOWTO/security.html


Installation

For SME8

1. Install the smeserver-nfs contrib like this:

yum install smeserver-nfs --enablerepo=smecontribs

2. Then enable the services (SME8):

config setprop nfs status enabled
config setprop portmap status enabled
config setprop nfslock status enabled

3. Edit /etc/exports to add the directories to be shared (this line exports /home/e-smith/files, which holds the user home directories and the ibays):

/home/e-smith/files    *.mydomain(rw,sync,no_wdelay,nohide,no_root_squash)

/home/e-smith/files      – shared directory

192.168.1.0/24           – IP address range of the clients allowed
or
*.mydomain               – clients in this domain are allowed

rw                       – write access to the shared folder
sync                     – write changes to disk before replying to the client
no_root_squash           – keep root's privileges (root on the client is root on the share)
no_all_squash            – keep ordinary users' own identities (do not map them to the anonymous user)

If you want to see all your exports:

showmount -e


  Note:
Make sure to leave a blank line at the end of the file.



4. Then run the following, which will reboot the server:

signal-event post-upgrade; signal-event reboot


A couple of notes whilst installing on SME8:

The DB options are as follows (status disabled by default):

nfs=service
   TCPPorts=2049,4002,4003
   UDPPorts=2049,4002,4003
   access=private
   mountdPort=4002
   rquotadPort=4003
   status=disabled
nfslock=service
   TCPPorts=4000,4001,4004
   UDPPorts=4000,4001,4004
   access=private
   lockdPort=4001
   statdOutgoingPort=4004
   statdPort=4000
   status=disabled
portmap=service
   TCPPort=111
   UDPPort=111
   access=private
   status=disabled

After installation and reboot you should be able to update the configuration with:

signal-event remoteaccess-update

However, I don't think this starts/restarts portmap, hence the reboot on install, which should not really be necessary.


For SME9

yum install --enablerepo=smecontribs smeserver-nfs

You need to activate the service:

signal-event nfs-update
config set UnsavedChanges no

or, if you prefer to restart your server:

signal-event post-upgrade; signal-event reboot
  Note:
For security reasons you cannot enable your NFS share with the 'Read and Write', 'No Root Squash' and 'Insecure' options for the whole local network; you have to specify each IP allowed for these insecure settings.


Usage

  • Each IP needs to be allowed individually if you want write permissions. For read-only permissions, you can open the share to every local network defined in the server-manager.
  • The NFS share works with ibays, whose permission system is group based and inherited from the ibay panel. Therefore, to change the write/read and group permissions, use the NFS ibay panel. At the top of the NFS panel there are boxes showing the state of the permissions and the group ownership.
  • NFS works with UIDs and GIDs: the user id and group id of the client system are sent in each RPC call, and the permissions these IDs have on the file being accessed are checked on the server. For this to work, the UIDs and GIDs must be the same on the server and the clients.


Read permissions

- You can easily allow read access to the share for the local network and for all defined IPs: go to the NFS ibay panel, set the user access to write=group, read=everyone, enable the share, and allow the IP(s) or the local network in the NFS panel.


Write and read permission for group

- You have to set a group which owns the ibay (in the NFS ibay panel) and change the permissions to Write=group, Read=group.

- All users, both on the server and on the clients, need to be members of that group, with the same GID.

- Users must share the same UID between the server and the client.

For example, the user Helene must have the same UID and GID on the SME Server and on the remote client:

on the remote client:
# id helene
uid=5006(helene) gid=5006(helene) groupes=5006(helene),5002(famille)

on the SME Server:
# id helene
uid=5006(helene) gid=5006(helene) groupes=5006(helene),500(shared),5002(famille)


  Warning:
If the option no_root_squash is set, root and all sudoers on every server allowed to access the NFS share are able to write to the ibay without any control.



UID/GID

  • show information about a user
id USER
  • change the UID of a user
usermod -u UID USER_NAME
  • create a group with a given GID
groupadd -g GID -o GROUP_NAME
  • modify the GID of a group
groupmod -o -g GID GROUP_NAME
  • set the primary group of a user
usermod -g GROUP_NAME_OR_GID USER_NAME
  • add a secondary group to a user
usermod -a -G GROUP_NAME_OR_GID USER_NAME
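
The UID/GID requirement above (same UID, same primary GID, and membership of the ibay's group on both sides) can be checked from two lines of `id` output. The following is an added shell example, not code from this page or from the smeserver-nfs contrib; the sample `id` lines are constructed in the shape of the `id helene` output shown earlier, the group GID 500 is taken from that example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of this page or the smeserver-nfs contrib): compare
# the `id` output of one user on the NFS client and on the SME Server, to
# confirm the same UID, the same primary GID, and membership of the ibay's
# group on both sides. Lines are passed in as strings, so captured output can
# be checked offline; the sample lines below are constructed.
# Both the English "groups=" and the French "groupes=" label are accepted.

# id_field "<id line>" uid|gid -> prints the numeric uid or gid
id_field() {
    case $2 in
        uid) v=${1#uid=} ;;          # strip "uid=" -> "5006(helene) gid=..."
        gid) v=${1#*gid=} ;;         # strip up to the first "gid=" -> "5006(helene) groups=..."
    esac
    printf '%s\n' "${v%%"("*}"       # keep the digits before the first "("
}

# id_has_gid "<id line>" GID -> returns 0 if GID is among the user's groups
id_has_gid() {
    groups=$(printf '%s\n' "$1" | sed 's/.*group[a-z]*=//')
    case ",$groups," in
        *",$2("*) return 0 ;;
    esac
    return 1
}

# uid_gid_consistent "<client id line>" "<server id line>" IBAY_GID
# prints each problem found and returns 0 only if everything matches
uid_gid_consistent() {
    client=$1; server=$2; want=$3
    status=0
    [ "$(id_field "$client" uid)" = "$(id_field "$server" uid)" ] \
        || { echo "MISMATCH: uid $(id_field "$client" uid) on client, $(id_field "$server" uid) on server"; status=1; }
    [ "$(id_field "$client" gid)" = "$(id_field "$server" gid)" ] \
        || { echo "MISMATCH: primary gid differs between client and server"; status=1; }
    id_has_gid "$client" "$want" || { echo "MISSING: client user is not in group $want"; status=1; }
    id_has_gid "$server" "$want" || { echo "MISSING: server user is not in group $want"; status=1; }
    return $status
}

# Constructed sample lines in the shape of the page's `id helene` output.
CLIENT_ID='uid=5006(helene) gid=5006(helene) groups=5006(helene),500(shared),5002(famille)'
SERVER_ID='uid=5006(helene) gid=5006(helene) groupes=5006(helene),500(shared),5002(famille)'
CLIENT_NO_SHARED='uid=5006(helene) gid=5006(helene) groups=5006(helene),5002(famille)'

# Usage when run directly: the ibay group "shared" has GID 500 in the page's example
if uid_gid_consistent "$CLIENT_ID" "$SERVER_ID" 500; then
    echo "helene: UID/GID consistent, member of GID 500 on both sides"
fi
uid_gid_consistent "$CLIENT_NO_SHARED" "$SERVER_ID" 500 || echo "helene: fix the client before mounting rw"
```

On real systems, capture the two lines with `id helene` on each machine and pass them as the first two arguments; a non-zero return means the write-group setup described above will not work for that user.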


Manual Settings for specific needs

NFS offers a lot of parameters, and you may need some specific settings that it would be difficult or dangerous to put in everybody's hands. So for some cases you can enable your NFS shares by db command,

but you cannot:

  • use the wildcard '*'
  • open your shares to IP(s) outside your local network(s)
  • use a domain to define your shares; the IP or the network is mandatory
  • export the root '/'
  • leave a space between the IP and its share definition

If you want to do all these dangerous things, then you need to do them with custom templates.

How to enable specific rules (the name of the rule is free):

config setprop nfs-rules MYRULE "/home/e-smith/files/ibays/IBAYNAME/files 192.168.14.0/22(nohide,sync,wdelay,rw,no_root_squash,secure)"

or

config setprop nfs-rules RULE2 "/home/e-smith/files/ibays/IBAYNAME/files 192.168.14.154(nohide,sync,wdelay,rw,no_root_squash,secure)"

There is no analysis of the share settings, nor of the path of the folder you want to share (except for the '/').

Once modified, apply with:

signal-event nfs-conf

or, if you want to check that you have not made a misconfiguration:

expand-template /etc/exports
service nfs restart

Don't forget that you can see the exported shares and the configuration file with:

showmount -e

and

less /etc/exports
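
The nfs-rules path does no analysis of what you type, so a candidate line can be checked against the limits listed in this section before it is stored in the db. The following is an added shell example, not code from this page or from the smeserver-nfs contrib. It takes one line in the `<path> <host>(<options>)` shape used by nfs-rules, assumes "local network" means the prefixes passed as its second argument (192.168. and 10. by default, an assumption of this example), and adds one check beyond the list above: a warning, not an error, when rw is combined with no_root_squash or insecure for a whole network rather than a single IP, the combination the server-manager panel refuses.

```shell
#!/bin/sh
# Added example (not part of this page or the smeserver-nfs contrib): lint one
# /etc/exports line the way the db-driven nfs-rules limits describe:
# no '*' wildcard, no domain names (an IP or network is mandatory), no export
# of '/', no space between the host and its option list, and no host outside
# the local networks. It also warns when rw is combined with no_root_squash or
# insecure for a whole network rather than a single IP. "Local" is assumed to
# mean the prefixes passed as the second argument (default 192.168. and 10.,
# an assumption for this demo).
#
# check_export_line "<path> <host>(<options>)" ["<local prefixes>"]
# returns 0 = clean, 2 = warnings only, 1 = at least one error

check_export_line() {
    line=$1
    local_prefixes=${2:-"192.168. 10."}
    errors=0
    warnings=0

    set -f                       # no globbing while splitting: the host may contain '*'
    set -- $line
    set +f
    if [ $# -ne 2 ]; then
        echo "ERROR: expected '<path> <host>(<options>)'; a space before '(' or an extra field was found"
        return 1
    fi
    path=$1
    host=${2%%"("*}              # text before the first '('
    opts=${2#*"("}               # text after the first '('
    opts=${opts%")"}             # drop the closing ')'

    case $path in
        /)  echo "ERROR: exporting the root '/' is not allowed"; errors=1 ;;
        /*) ;;
        *)  echo "ERROR: path must be absolute: $path"; errors=1 ;;
    esac

    case $host in
        *\**) echo "ERROR: the wildcard '*' is not allowed"; errors=1 ;;
    esac

    # an IPv4 address, or a network in CIDR form, is mandatory
    if printf '%s\n' "$host" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'; then
        is_local=0
        for prefix in $local_prefixes; do
            case $host in "$prefix"*) is_local=1 ;; esac
        done
        [ $is_local -eq 1 ] || { echo "ERROR: $host is outside the local networks"; errors=1; }
    else
        echo "ERROR: host must be an IP address or network, not a domain name: $host"; errors=1
    fi

    # rw together with no_root_squash or insecure: warn unless a single IP is named
    case ",$opts," in
        *,rw,*)
            case ",$opts," in
                *,no_root_squash,*|*,insecure,*)
                    case $host in
                        */*) echo "WARN: rw with no_root_squash/insecure granted to the whole network $host"; warnings=1 ;;
                    esac ;;
            esac ;;
    esac

    if [ $errors -eq 0 ] && [ $warnings -eq 1 ]; then return 2; fi
    return $errors
}

# Usage when run directly, on lines in the shape of the nfs-rules examples above
check_export_line "/home/e-smith/files/ibays/IBAYNAME/files 192.168.14.154(nohide,sync,wdelay,rw,no_root_squash,secure)" && echo "single host rule: OK"
check_export_line "/home/e-smith/files/ibays/IBAYNAME/files 192.168.14.0/22(nohide,sync,wdelay,rw,no_root_squash,secure)" || echo "network rule: exit $?"
check_export_line "/home/e-smith/files *.mydomain(rw,sync)" || echo "wildcard rule: exit $?"
```

The checker expects one host per line, as nfs-rules entries are written; lines that the panel generates with several hosts after one path would need splitting first. A return of 2 is worth a second look rather than a rejection, since the /22 example above is exactly what the db method exists to allow.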


Common Mount permission options

rw              read/write permissions
ro              read-only permissions
insecure        allows client requests from ports above 1024 (by default only privileged source ports below 1024 are accepted)
sync            all changes must be written to disk before the request is answered
no_wdelay       write changes immediately instead of delaying them to batch writes
root_squash     maps requests from root to the anonymous user (the default)
no_root_squash  allows root on the client to act as root on the share


A couple of notes whilst installing on SME9:

The DB options are as follows (status enabled by default):

nfs=service
   TCPPorts=2049,4002,4003
   UDPPorts=2049,4002,4003
   access=private
   mountdPort=4002
   rquotadPort=4003
   status=enabled
nfslock=service
   TCPPorts=4000,4001,4004
   UDPPorts=4000,4001,4004
   access=private
   lockdPort=4001
   statdOutgoingPort=4004
   statdPort=4000
   status=enabled
rpcbind=service
   TCPPort=111
   UDPPort=111
   access=private
   status=enabled

You should be able to update the configuration with:

signal-event nfs-update


Exported folders overview

You can have an overview of all exported folders and see for which ip/network they are allowed.

# showmount -e
Export list for hpcompact:
/home/e-smith/files/ibays/toto/files        192.168.15.0/24,192.168.12.0/24
/home/e-smith/files/ibays/laurence/files    192.168.12.100,192.168.12.125
/home/e-smith/files/ibays/dolibarr/files    192.168.15.0/24,192.168.12.0/24
/home/e-smith/files/ibays/admin_25465/files 192.168.15.0/24,192.168.12.0/24


Show connected clients

netstat -an | grep nfs.server.ip:port
  • for example, if your NFS server IP is 192.168.12.125:
# netstat -an | grep 192.168.12.125:2049
tcp        0      0 192.168.12.125:2049         192.168.12.25:850           ESTABLISHED


Linux Client

  • install nfs-utils

yum install nfs-utils

  • mount the network share
mkdir /mnt/partage
mount -t nfs 192.168.xx.xxx:/home/e-smith/files /mnt/partage
ls -l /mnt/partage
  • mount the network share in the fstab

If you want the remote NFS share mounted at boot, you can add it to your fstab.

e.g.

192.168.XX.205:/mirror/mirror/smeserver-repo  /home/build/smeserver/ nfs rw  0 0
  • Timeout

NFS can have a really long timeout; if you want to avoid it you can do:

mount -t nfs -o nolock,timeo=30,retrans=1,retry=0 192.168.xx.xxx:/home/e-smith/files /mnt/partage
  • timeo : The -o timeo option sets the length of time, in tenths of a second, that the client waits before deciding it will not get a reply from the server and must send the request again. The default value is 7 tenths of a second.
  • retrans : The -o retrans option sets the number of timeouts allowed before the client gives up and displays the "Server not responding" message. The default value is 3 attempts.
  • retry : The number of minutes that the mount command retries an NFS mount operation in the foreground or background before giving up. If a value of zero is specified, the mount command exits immediately after the first failure. If this option is not specified, the default value for foreground mounts is 2 minutes, and the default value for background mounts is 10000 minutes (80 minutes shy of one week).

Documentation

Additional documentation: