Problem
How to restrict NFS share access to a particular server in HP-UX?
I had an NFS shared directory (/testlogs) on my HP-UX server DBSERVER, exported to a particular host, DBCLIENT1. The directory /testlogs was mounted on DBCLIENT1 and was working fine. One day, during security testing, it was found that the NFS shared directory (/testlogs) could be mounted from any host able to reach DBSERVER, which was a very critical vulnerability. Because of this, an attacker may be able to read (and possibly write) files on the remote host, i.e. DBSERVER.
The NFS sharing configuration for /testlogs in the /etc/dfs/dfstab file was as shown below:
    # vi /etc/dfs/dfstab
    .
    .
    "/etc/dfs/dfstab" [Read only] 9 lines, 394 characters
    # place share(1M) commands here for automatic execution
    # on entering init state 3.
    #
    # share [-F fstype] [ -o options] [-d ""]
    # .e.g,
    # share -F nfs -o rw=engineering -d "home dirs" /home
    /usr/sbin/share -F nfs -o rw=DBCLIENT1 /testlogs
    .
    .
Reason
If the sec= option is not provided, the pathname is shared read-mostly. Read-mostly means read-write to the clients listed in rw= and read-only to all other systems, which is why any host that can reach DBSERVER could still mount /testlogs. If a sec= option is provided, the pathname is shared read/write (or read-only) only to the listed clients; no other system can access the pathname.
Solution
Use a combination of the 'sec' keyword and 'ro' or 'rw' access for specific hosts in /etc/dfs/dfstab. I have changed the /etc/dfs/dfstab file as shown below to share /testlogs explicitly to DBCLIENT1 only.
    # vi /etc/dfs/dfstab
    .
    .
    "/etc/dfs/dfstab" [Read only] 9 lines, 394 characters
    # place share(1M) commands here for automatic execution
    # on entering init state 3.
    #
    # share [-F fstype] [ -o options] [-d ""]
    # .e.g,
    # share -F nfs -o rw=engineering -d "home dirs" /home
    /usr/sbin/share -F nfs -o sec=sys,ro=DBCLIENT1 /testlogs
    .
    .
After making the changes in /etc/dfs/dfstab, run the exportfs -a command to bring the changes into effect:

    # exportfs -a
Now mount /testlogs on DBCLIENT1; it mounts successfully and is accessible:

    [root@DBCLIENT1 ~]# mount DBSERVER:/testlogs /home/testlogs
    [root@DBCLIENT1 ~]# df -h
    Filesystem          Size  Used Avail Use% Mounted on
    DBSERVER:/testlogs  5.0G  750M  4.3G  15% /home/testlogs
    [root@DBCLIENT1 ~]#
If anyone now tries to mount /testlogs on any other server, such as DBCLIENT2, the mount fails with the access denied message shown below:

    [root@DBCLIENT2 ~]# mount DBSERVER:/testlogs /home/testlogs
    mount.nfs: access denied by server while mounting DBSERVER:/testlogs
    [root@DBCLIENT2 ~]#
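As an added check, not part of the original post, the shell function below scans a dfstab-style file and reports every NFS share line whose options carry no sec= keyword (so it is exported read-mostly and any host can mount it read-only), returning a non-zero status when at least one such line is found. The file path is an assumption; it parses only the `share ... -o <options> <path>` form shown on this page.

```shell
#!/bin/sh
# Added audit helper (not from the original post): report NFS share lines in a
# dfstab file that lack a sec= option. Per share_nfs(1M), without sec= the
# export is read-mostly: rw= clients get read-write, everyone else read-only.
# Usage: audit_dfstab /etc/dfs/dfstab   (path is an assumption)

audit_dfstab() {
    awk '
        # skip comments and blank lines, then keep only NFS share commands
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $0 !~ /share[ \t]+-F[ \t]+nfs/ { next }
        {
            opts = ""
            # the option string is the word following -o
            for (i = 1; i < NF; i++) {
                if ($i == "-o") { opts = $(i + 1) }
            }
            path = $NF          # the pathname is the last word on the line
            if (opts !~ /(^|,)sec=/) {
                found = 1
                printf "OPEN        %s (options: %s)\n", path, (opts == "" ? "none" : opts)
            } else {
                printf "RESTRICTED  %s (options: %s)\n", path, opts
            }
        }
        END { exit found ? 1 : 0 }   # non-zero when an open share was seen
    ' "$1"
}

# run against the file given on the command line, if any
if [ $# -gt 0 ]; then
    audit_dfstab "$1"
fi
```

Lines with the option string attached to -o (e.g. -orw=host) are not recognised by this simple parser, so compare its output with the actual share(1M) listing before relying on it.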
Last updated: Nov 27, 2018