SUMMARY: /etc/netgroup and /etc/exports - how do they work together?

From: Ove Hansen (hansen@SCR.SLB.COM)
Date: Mon Aug 10 1992 - 15:37:34 CDT


A week ago I asked the following question, and as usual got a lot of answers,
all of which were very helpful (the entire original query is attached at the
end):

# ... does this mean that I can't give root access to a netgroup, but have to
# list all the clients I would grant root access in the exports file?

Indeed it does: one can only use netgroups for the "-access" part, NOT for
the "-root" part, where one HAS to use host names. Furthermore, one cannot
specify more than 10 (some said 12) hosts after "-root=...". So, the
following entry in my /etc/exports:

/export/accesstest -root=xyz

would be valid if "xyz" is a host, but INVALID if "xyz" is a netgroup.

Now, if the machines that one wants to make a filesystem available to are
exactly the ones that one wants to give root access to, the following
would probably work (suggested by several people but not actually tested
by myself...):

/export/accesstest -access=trustedhosts:anon=0

barmar@Think.COM explains:

> The general rule is that options that must be checked on every packet
> (root, rw) can only use hostnames, while options that are only checked at
> mount time (access) can be netgroups. Doing a netgroup search for every
> NFS request that has either a uid of 0 and specifies a write operation
> would be very expensive.

I also asked:

# ... the last part of the triple is the `domainname'. `man netgroup' says
# "the field refers to the domain in which the triple is valid, not the domain
# containing the trusted host". I only have one NIS domain. Should I then leave
# the field empty? Does this have any security implications?

macphed@dvinci.usask.ca and miker@sbcoc.com explain:

> What it means is that the last part of the triple is ignored in most cases.
> If a domain other than your own is specified, your machine should do a
> lookup in that domain for the specified machine.

> The domainname comment in netgroup is basically telling you that if a
> domainname is specified, it must match the host ON WHICH THE COMPARISON
> IS BEING DONE

So, for my case, where I only have one domain, it should be left blank. The
field does not serve any security purposes, as the man page says.

On the sideline, a couple of people pointed out that if I specify a netgroup
in /etc/netgroup as

allhosts (,,)

and specify "-access=allhosts" this will in fact give access to ALL HOSTS ON
THE INTERNET (as I am connected to it, so are most of you, I guess), which
is not exactly what I want. So, the correct way of specifying "allhosts" for
me would probably be to make /etc/netgroup say something along the lines of:

sun4s (host1,,) (host2,,) ...
sun3s (hostx,,) (hosty,,) ...
allsuns sun4s sun3s
macs (mac1,,) (mac2,,) ...
allhosts sun4s sun3s macs ...
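A small checker for the three pitfalls discussed above (a netgroup given to "-root", more than 10 hosts after "-root", and a (,,) wildcard triple reachable through "-access"), added here as an example; it is not part of the original summary or of any vendor tool. It assumes the exports option syntax shown on this page, accepting both ":" and "," as separators, and the sample /etc/netgroup and /etc/exports contents are constructed:

```python
# Constructed sample files (not the poster's real ones), modelled on the entries in the summary.
NETGROUP = "sun4s (host1,,) (host2,,)\nsun3s (hostx,,) (hosty,,)\nallsuns sun4s sun3s\nanyhost (,,)\n"
EXPORTS = ("/export/accesstest -access=allsuns:anon=0\n"
           "/export/bad -root=allsuns\n/export/open -access=anyhost\n")
MAX_ROOT_HOSTS = 10  # limit reported in the summary (some said 12)

def parse_netgroup(text):
    # name -> members; a member is a (host, user, domain) triple or a nested netgroup name
    groups = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) > 1 and not fields[0].startswith("#"):
            groups[fields[0]] = [tuple(t[1:-1].split(",")) if t[0] == "(" else t for t in fields[1:]]
    return groups

def expand_hosts(groups, name, seen=frozenset()):
    # flatten a netgroup recursively into host names; an empty host field is the wildcard "*"
    hosts = set()
    for m in groups.get(name, []):
        if isinstance(m, tuple):
            hosts.add(m[0] or "*")
        elif m not in seen:
            hosts |= expand_hosts(groups, m, seen | {m})
    return hosts

def parse_options(opts):
    # "-access=a:anon=0" or "-root=h1:h2" -> {option: [values]}; ":" and "," both separate
    # tokens, and a token without "=" (other than ro/secure) extends the preceding host list
    parsed, cur = {}, None
    for tok in opts.lstrip("-").replace(",", ":").split(":"):
        key, eq, val = tok.partition("=")
        if eq or key in ("ro", "secure"):
            cur = key
            parsed[cur] = [val] if eq else []
        elif cur in parsed:
            parsed[cur].append(key)
    return parsed

def check_exports(exports, groups):
    # (path, problem) pairs for the three pitfalls the summary describes
    problems = []
    for path, _, opts in (l.partition(" ") for l in exports.splitlines() if l and l[0] != "#"):
        o = parse_options(opts)
        if any(h in groups for h in o.get("root", [])):
            problems.append((path, "-root names a netgroup; -root accepts host names only"))
        if len(o.get("root", [])) > MAX_ROOT_HOSTS:
            problems.append((path, "-root lists more than %d hosts" % MAX_ROOT_HOSTS))
        for n in o.get("access", []):
            if n in groups and "*" in expand_hosts(groups, n):
                problems.append((path, "-access=%s includes a (,,) wildcard: any host may mount" % n))
    return problems
```

Running check_exports(EXPORTS, parse_netgroup(NETGROUP)) flags /export/bad and /export/open and leaves /export/accesstest alone, since allsuns expands only to named hosts.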

Thanks to:
----------
Jonathan C. Davis <Jonathan.C.Davis@acenet.auburn.edu>
djm%blue%millidc@uunet.UU.NET (Drew Montag)
warren@milner.mitre.org
smc@goshawk.LANL.GOV (Susan Coghlan)
phil@pex.eecs.nwu.edu (William LeFebvre)
warlick@theophilus.msfc.nasa.gov (Chuck Warlick)
Tom.Pitman@UC.Edu (Tom Pitman)
poffen@sj.ate.slb.com (Russ Poffenberger)
Kerien Fitzpatrick <fitz@frc2.frc.ri.cmu.edu>
montjoy@thor.ece.uc.EDU (Robert Montjoy)
Barry Margolin <barmar@Think.COM>
geertj@ica.philips.nl
Dave Mitchell <D.Mitchell@dcs.sheffield.ac.uk>
Koper.Jamgocyan@rcvie.co.at (Koper Jamgocyan)
osicki@hasler.ascom.ch (Osicki Chris)
pla_jfi@pki-nbg.philips.de (Karl-Jose Filler)
trinkle@cs.purdue.edu
mcgraw@sunspot.sunspot.noao.edu (Robert McGraw)
hanh@mars.cse.fau.edu (Hanh Vu - xt 2801 )
andys@internet.sbi.com (Andy Sherman)
macphed@dvinci.usask.ca (Ian MacPhedran)
lemke@MITL.COM (Kennedy Lemke)
muir%wdceng%dasun@sunkist.West.Sun.COM (Scott Muir (Muir) x6764)
Jon Peatfield <J.S.Peatfield@damtp.cambridge.ac.uk>
Mike Raffety <miker@sbcoc.com>
kevins@corn.Japan.Sun.COM (Kevin Sheehan {Consulting Poster Child})
janisl@cnplss1.cnps.philips.nl (Janis Lykakis)
(and others I might unintentionally have forgotten to include).

=================== ORIGINAL MESSAGE FOLLOWS ================================

I'm confused. According to the manual I ought to be able to export a file
system the following way:

platinum# grep calendar exports
/export/accesstest -root=trustedhosts

where `allhosts' could be defined in /etc/netgroup (and NIS map) as:

platinum# ypcat -k netgroup
trustedhosts (,-,)

This should (at least in theory) give root access to all systems.
But now, if I try to export the file system I get:

platinum# exportfs /export/accesstest
exportfs: allhosts: unknown host

OK, `allhosts' is not in the hosts file or NIS map, but *is* present in
the netgroup file and NIS map. So why do I get `unknown host' when I try
to export the file system?

If I export the file system with the following, it works fine:

/export/accesstest -access=trustedhosts

So does this mean that I can't give root access to a netgroup, but have to
list all the clients I would grant root access in the exports file?

Also: the last part of the triple is the `domainname'. `man netgroup' says
"the field refers to the domain in which the triple is valid, not the domain
containing the trusted host". I only have one NIS domain. Should I then leave
the field empty? Does this have any security implications? (the man page says
`no', but I don't always trust what `man' says...)



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:47 CDT