Session (6) Secure Administration

Network


Mounting and Unmounting Filesystems

The filesystem is composed of smaller pieces which are themselves also called filesystems.

Each one of these pieces consists of one directory and its subdirectories and files.

The overall layout of the filesystem is called “file tree”.

Most filesystems are attached to the tree with the mount command.

Mount maps a directory within the existing file tree, called the mount point, to the root of the newly attached filesystem.

The previous contents of the mount point become inaccessible after a new filesystem is mounted there.


Mounting a filesystem

An example: % mount /dev/sd1c /users

This mounts the filesystem stored as the disk partition /dev/sd1c under the pathname /users.

Depending on the OS, a file called /etc/fstab, /etc/vfstab, or /etc/checklist keeps the list of filesystems that are customarily mounted.

One can check the filesystems listed in this file with fsck -p, and mount all of the filesystems listed in it at once with mount -a.


Sample fstab file

root_domain#root         /                    advfs  rw,userquota,groupquota  0 1
/proc                    /proc                       rw,userquota,groupquota  0 0
usr_domain#var           /var                 advfs  rw,userquota,groupquota  0 2
tmp_domain#tmp           /tmp                 advfs  rw,userquota,groupquota  0 2
users_domain#u           /u                   advfs  rw,userquota,groupquota  0 2
student_dmn#csgs         /u/csgs              advfs  rw,userquota,groupquota  0 2
student_dmn#css          /u/css               advfs  rw,userquota,groupquota  0 2
archive_dmn#accts        /u/expired           advfs  rw,userquota,groupquota  0 2
usr_domain#usr           /usr                 advfs  rw,userquota,groupquota  0 2
local_dmn#local          /usr/local           advfs  rw,userquota,groupquota  0 2
src_dmn#src              /usr/local/src       advfs  rw,userquota,groupquota  0 2
/usr/local/etc/httpd@sc  /usr/local/etc/httpd nfs    rw

Six fields:

1) Block special device
2) Mount point
3) Filesystem type
4) Mount options
5) Backup option used by dump
6) fsck pass number, for UFS filesystems: root gets 1, others 2
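As an added example (not part of the lecture), a small POSIX shell function that checks an fstab-style file against the six-field layout above: it reports entries with the wrong number of fields, entries whose fsck pass number breaks the "root gets 1, others 2" rule, and remote NFS mounts together with the server they depend on. The sample fstab it reads is constructed for the demonstration; the device names and the host "student" are made up.

```shell
#!/bin/sh
# Added example (not from the lecture): audit fstab text read on stdin against
# the six-field layout. Prints one line per finding, nothing when all is well.

fstab_check() {
    awk '
    # skip blank lines and comments
    /^[ \t]*$/ || /^[ \t]*#/ { next }
    {
        if (NF != 6) {
            printf "line %d: expected 6 fields, got %d: %s\n", NR, NF, $0
            next
        }
        dev = $1; mnt = $2; type = $3; opts = $4; dump = $5; pass = $6
        # fsck pass rule from the lecture: root gets 1, everything else 2
        # (0 disables checking, normal for swap, pseudo-filesystems and NFS)
        if (mnt == "/" && pass != 1)
            printf "line %d: root filesystem should have fsck pass 1, has %s\n", NR, pass
        if (mnt != "/" && pass == 1)
            printf "line %d: %s has fsck pass 1; only root should\n", NR, mnt
        # remote filesystems: report which server this host depends on
        if (type == "nfs" || type == "nfs2") {
            split(dev, parts, ":")
            printf "line %d: %s is an NFS mount from server %s (options: %s)\n", NR, mnt, parts[1], opts
        }
    }'
}

# Constructed sample resembling the Linux fstab shown in the slides;
# the root and /boot pass numbers are deliberately wrong, and the last
# line is deliberately malformed.
SAMPLE_FSTAB='LABEL=/        /        ext3   defaults                   1 2
LABEL=/boot1   /boot    ext3   defaults                   1 1
none           /proc    proc   defaults                   0 0
/dev/sde       /usr/local/apache2/htdocs ext3 defaults   1 2
student:/u/css /u/css   nfs    rsize=8192,wsize=8192,hard 0 0
broken entry'

# Number of findings for the constructed sample (4: root pass, /boot pass,
# one NFS mount, one malformed line).
fstab_problem_count() {
    printf '%s\n' "$SAMPLE_FSTAB" | fstab_check | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_FSTAB" | fstab_check
```

Run it against a real file with `fstab_check < /etc/fstab`; the NFS lines it reports are the ones whose availability depends on another host being up.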

Sample fstab file

/dev/root          /          rw,raw=/dev/rroot            0 0
/dev/dsk/dks0d2s7  /home      xfs   rw,quota               0 0
suphys:/d3         /d3        nfs2  rw,hard,intr,bg,quota  0 0
suphys:/d2         /d2        nfs2  rw,hard,intr,bg,quota  0 0
planck:/physics2   /physics2  nfs2  rw,hard,intr,bg,quota  0 0
mandela:/physics7  /physics7  nfs2  rw,hard,intr,bg,quota  0 0


Another sample fstab file on CS

# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/                                 /                          defaults                    1 1
LABEL=/boot1                            /boot                      ext3    defaults            1 2
none                                    /dev/pts                   devpts  gid=5,mode=620      0 0
none                                    /dev/shm                   defaults                    0 0
none                                    /proc                      proc    defaults            0 0
none                                    /sys                       defaults                    0 0
LABEL=/tmp1                             /tmp                       ext3    defaults            1 2
LABEL=/u/csd                            /u/csd                     ext3    defaults            1 2
LABEL=/usr                              /usr                       ext3    defaults            1 2
LABEL=/usr/local                        /usr/local                 ext3    defaults            1 2
LABEL=/var                              /var                       ext3    defaults            1 2
# /dev/sdf1                             /usr/local/storage         ext3    defaults            1 2
/dev/sde                                /usr/local/apache2/htdocs  ext3    defaults            1 2
/dev/mapper/VolGroup00-swap1            swap                       swap    defaults            0 0
# LABEL=SWAP-sdb1                       swap                       swap    defaults            0 0
student.cs.appstate.edu:/usr/local/src  /usr/local/src             nfs     rsize=8192,wsize=8192,hard  0 0
# sc:/usr/local/apache2/htdocs          /u/csd/cs/htdocs           nfs     rsize=8192,wsize=8192,hard  0 0
student:/u/css                          /u/css                     nfs     rsize=8192,wsize=8192,hard  0 0
student:/u/expired                      /u/expired                 nfs     rsize=8192,wsize=8192,hard  0 0
student:/u/classes                      /u/classes                 nfs     rsize=8192,wsize=8192,hard  0 0
student:/u/csgs                         /u/csgs                    nfs     rsize=8192,wsize=8192,hard  0 0
student:/usr/local/bacula/etc           /usr/local/bacula/etc      nfs     rsize=8192,wsize=8192,hard  0 0
/dev/VolGroup00/math                    /u/msd                     ext3    defaults            1 2
/dev/VolGroup00/guest                   /u/guest                   ext3    defaults            1 2

Unmounting a filesystem

To detach a filesystem, one can use umount. An example: % umount /users

This detaches the filesystem mounted at /users. Recall that we had mounted /dev/sd1c under the pathname /users.

umount -f forces the detachment of a filesystem that is busy (in use).

Sometimes when you attempt to detach a filesystem you will get a complaint that it is busy. You can find out who is using a mount point by executing: fuser -c mountpoint

Example: fuser -c /users

Unmounting a filesystem - cont

fuser -c mountpoint returns the list of process IDs using the filesystem, each followed by a code.

% fuser -c /usr
/usr    157tm   315ctom ...

The code varies from system to system:
• c for a process that has its current directory on the filesystem
• t for a running program
• m for a mapped file (shared library)
• r for a process whose root directory is on the filesystem

We can use ps -fp "process IDs" to find out what the processes are.

fuser -f filename reports on the use of a specific file.

fuser -k filename kills the offending processes.
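As an added example (not from the lecture), a POSIX shell snippet that decodes one line of fuser -c output using the code letters listed above and builds the ps -fp command that identifies the processes. The output line it parses is constructed to resemble the slide; the PIDs are made up, and the "o" code that appears in the slide's output is decoded as Solaris' "open file" code, which is not in the lecture's list.

```shell
#!/bin/sh
# Added example (not from the lecture): decode "fuser -c" output and prepare
# the follow-up "ps -fp" command. Nothing here is executed against live
# processes; it only parses a constructed sample line.

# Expand the code letters fuser appends to one PID, e.g.
# "157tm" -> "157: running program; mapped file (shared library)".
decode_fuser_entry() {
    pid=$(printf '%s' "$1" | sed 's/[^0-9].*$//')
    rest=$(printf '%s' "$1" | sed 's/^[0-9]*//')
    desc=""
    while [ -n "$rest" ]; do
        ch=$(printf '%s' "$rest" | cut -c1)
        rest=$(printf '%s' "$rest" | cut -c2-)
        case $ch in
            c) d="current directory on filesystem" ;;
            t) d="running program" ;;
            m) d="mapped file (shared library)" ;;
            r) d="root directory on filesystem" ;;
            o) d="open file (Solaris code, not in the lecture list)" ;;
            *) d="unknown code '$ch'" ;;
        esac
        if [ -n "$desc" ]; then desc="$desc; $d"; else desc=$d; fi
    done
    printf '%s: %s\n' "$pid" "$desc"
}

# Collect the PIDs from a whole output line ("/usr: 157tm 315ctom") in the
# comma-separated form that "ps -fp" expects: "157,315".
fuser_pid_list() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 2; i <= NF; i++) {      # field 1 is the mount point
            pid = $i
            sub(/[^0-9].*$/, "", pid)
            if (pid != "") out = out (out == "" ? "" : ",") pid
        }
        print out
    }'
}

FUSER_LINE='/usr:  157tm  315ctom'    # constructed sample output

for entry in $FUSER_LINE; do
    case $entry in
        *[0-9]*) decode_fuser_entry "$entry" ;;
    esac
done
printf 'Next step: ps -fp %s\n' "$(fuser_pid_list "$FUSER_LINE")"
```

On a live system the same functions can be fed the real output, for example `fuser_pid_list "$(fuser -c /usr 2>&1)"`, before deciding whether umount -f or fuser -k is justified.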

The Network File System

The network file system commonly known as NFS allows filesystem sharing among computers on a network.

The shared files are transparent to users as if they are sitting on the same machine.

NFS consists of a number of components: A monitoring protocol, Mount server, Daemons to coordinate basic file service, and several diagnostic utilities.

Part of both the server-side and client-side software resides in the kernel.

NFS has been stable since its creation by Sun Microsystems in 1985. The initial version was 2.0. The later version 3.0 had some improvements, including a mechanism that improved the write operation: the server sends an acknowledgement once the write operation is complete.


The Network File System – cont.

NFS runs on top of Remote Procedure Call (RPC) protocol. This protocol defines a system-independent way for processes to communicate over a network.

It is possible to use either UDP or TCP as the transport protocol for NFS.

In its original version NFS used UDP, since NFS does its own packet sequencing, reassembly and error checking. However, UDP and NFS both lack congestion control algorithms.

Today most systems allow the use of TCP to reduce the severity of that problem. Since CPUs have become fast, there seems to be no real difference between the two, and either option can be used without a major difference in performance.

An addition to NFS called WebNFS was introduced in 1996 by Sun that allows NFS operations over the Internet.


The Network File System – cont.

Global UIDs and GIDs are an important issue when we use NFS. If a file is to be shared between two machines, then the user names and groups on both machines must mean the same thing; otherwise there is a security risk involved.

Root access is almost entirely under the control of the NFS server. By default any request arriving with UID 0 is intercepted by the NFS server and changed so that it seems to come from an ordinary user.

In most systems the “nobody” account is defined specifically for this purpose.

Security tip: root on the client machine is able to su to other users, so files are not really protected.

Security tip: also, system logins such as “sys” and “bin” are not UID-mapped. Thus any file they own may come under attack.


The Network File System – cont.

The data transferred via NFS is not encrypted, so a packet sniffer can intercept the traffic and read the data.

Kerberos was introduced to extend authentication to RPC.

Security tip: if you are running a firewall, block access to TCP and UDP port 2049. This port is used by NFS for transport.

An NFS server is the side that “exports” a directory to be used by other machines. Solaris uses the word “share” instead.

The client uses mount to access an exported or shared directory.



Disk Quotas

Disk quotas allow you to set a limit on the disk space that a user can use.

It is highly recommended that you use this tool to limit disk space.

To set a disk quota we can use the edquota command in several ways. edquota username opens an editor (a blank sheet) where you set the user's limits, including the limit at which a warning is given. edquota -p proto-user newuser duplicates the quota that already exists for proto-user onto the new user.

This command must be run manually.

Sample /etc/exports file

#
# NFS exported filesystem database (see exports(4) for more information).
#
# Entries in this file consist of lines containing the following fields:
#
#       filesystem [ options ] [ netgroup ] [ hostname ] ...
#
# Filesystem must be left-justified and may name any directory within a
# local filesystem. A backslash (\) at the end of a line permits splitting
# long lines into shorter ones. Netgroup(4) and hostname refer
# to machines or collections of machines to which filesystem is exported.
#
#/var/spool/pcnfs
/home -nohide,rw,access=gills.phys.subr.edu:tashakkori.phys.subr.edu:ali.phys.subr.edu:hermity.phys.subr.edu:suphys.phys.subr.edu:lamb.phys.subr.edu:planck.phys.subr.edu:gauss.phys.subr.edu:mandela.phys.subr.edu:feynman.phys.subr.edu


Sample /etc/exports file on CS

/u/csd/khj                 be.cs.appstate.edu(rw,async,no_root_squash) \
                           student.cs.appstate.edu(rw,async,no_root_squash) \
                           virtual.cs.appstate.edu(rw,async,no_root_squash)
/u/csd/dlc                 student.cs.appstate.edu(rw,async,no_root_squash) \
                           virtual.cs.appstate.edu(rw,async,no_root_squash)
/u/csd/dap                 student.cs.appstate.edu(rw,async,no_root_squash) \
                           virtual.cs.appstate.edu(rw,async,no_root_squash)
/u/csd/aam                 student.cs.appstate.edu(rw,async,no_root_squash) \
                           virtual.cs.appstate.edu(rw,async,no_root_squash)
/u/csd/efb                 student.cs.appstate.edu(rw,async,no_root_squash) \
                           virtual.cs.appstate.edu(rw,async,no_root_squash)
/u/csd/rt                  student.cs.appstate.edu(rw,async,no_root_squash) \
                           virtual.cs.appstate.edu(rw,async,no_root_squash)
/u/csd/jtw                 student.cs.appstate.edu(rw,async,no_root_squash) \
                           virtual.cs.appstate.edu(rw,async,no_root_squash)
/u/csd/blk                 student.cs.appstate.edu(rw,async,no_root_squash) \
                           virtual.cs.appstate.edu(rw,async,no_root_squash)
/u/csd/crr                 student.cs.appstate.edu(rw,async,no_root_squash) \
                           virtual.cs.appstate.edu(rw,async,no_root_squash)
/u/csd/can                 student.cs.appstate.edu(rw,async,no_root_squash) \
                           virtual.cs.appstate.edu(rw,async,no_root_squash)
/u/csd/jbf                 student.cs.appstate.edu(rw,async,no_root_squash) \
                           virtual.cs.appstate.edu(rw,async,no_root_squash)
/usr/local/mailman         student.cs.appstate.edu(rw,async,no_root_squash)
/usr/local/apache2/htdocs  be.cs.appstate.edu(rw,async,no_root_squash)
/usr/local/bacula          csreal2.cs.appstate.edu(rw,async,no_root_squash)
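As an added example (not the lecture's nor the CS department's own configuration), a POSIX shell function that audits an /etc/exports file in the Linux syntax of the sample above. It joins backslash-continued lines, then flags two things the NFS section warns about: exports carrying no_root_squash, which switch off the default mapping of client UID 0 to "nobody" so root on the client is root on the exported tree, and exports with no host list or a "*" host, which any client may mount. The exports text it reads is constructed for the demonstration and the hostnames are invented.

```shell
#!/bin/sh
# Added example (not from the lecture): audit exports(5)-style text read on
# stdin. Prints one "WARN" line per finding, nothing when no finding.

exports_audit() {
    awk '
    # Join physical lines that end in a backslash into one logical entry.
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
    {
        line = buf $0; buf = ""
        sub(/#.*/, "", line)                    # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "", line)       # trim
        if (line == "") next
        n = split(line, f, /[ \t]+/)
        path = f[1]
        if (n == 1) {
            printf "WARN %s: no client list, exported to every host\n", path
            next
        }
        for (i = 2; i <= n; i++) {
            tok = f[i]; host = tok; opts = ""
            # split "host(opt,opt)" into host and option list
            if (match(tok, /\(.*\)$/)) {
                host = substr(tok, 1, RSTART - 1)
                opts = substr(tok, RSTART + 1, RLENGTH - 2)
            }
            if (host == "" || host == "*")
                printf "WARN %s: exported to every host (%s)\n", path, (opts == "" ? "default options" : opts)
            if (("," opts ",") ~ /,no_root_squash,/)
                printf "WARN %s %s: no_root_squash, client root keeps UID 0 on the server\n", path, host
        }
    }'
}

# Constructed sample; the first entry mirrors the shape of the CS file above.
SAMPLE_EXPORTS='# constructed sample in Linux exports(5) syntax; hostnames are invented
/u/csd/khj        student.example.edu(rw,async,no_root_squash) \
                  virtual.example.edu(rw,async,no_root_squash)
/usr/local/src    student.example.edu(ro)
/pub              *(ro)
/scratch          (rw)
/var/tmp'

# Number of findings for the sample (5: two no_root_squash hosts, the "*"
# export, the host-less "(rw)" export, and the entry with no client list).
exports_finding_count() {
    printf '%s\n' "$SAMPLE_EXPORTS" | exports_audit | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_EXPORTS" | exports_audit
```

Against the CS sample above, every entry would be reported for no_root_squash; whether that is acceptable depends on whether root on be, student and virtual is trusted as much as root on the server, which is exactly the point the "root on the client can su to other users" tip makes.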
