Bug 1327194 - remove sec=sys from the "kerberized" export
Summary: remove sec=sys from the "kerberized" export
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide
Version: 6.7
Hardware: All
OS: All
unspecified
low
Target Milestone: rc
: ---
Assignee: Marc Muehlfeld
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-04-14 12:22 UTC by ben haubeck
Modified: 2016-05-11 07:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-11 07:08:40 UTC
Target Upstream Version:



Description ben haubeck 2016-04-14 12:22:55 UTC
Document URL: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerb-nfs.html

Section Number and Name: 
Chapter 18.3.1 Step 8 "Edit the /etc/exports file and add the Kerberos information:"

Describe the issue: 
In our documentation it describes how to export the export with sec=sys AND with sec=krb5[i|p], so it offers this for copy and paste:

/export  *(rw,sec=sys:krb5:krb5i:krb5p)

From my point of view this is bad, because it is not adding any security to your environment, as any not-so-kind user who is not voluntarily using Kerberos can mount the share with sec=sys, and as we put the star in front, nearly everyone can mount the share.
I agree that this will not be done by the automounting IPA clients that are configured according to our further documentation, but as I said: this leaves the door really wide open, AND there is no need for it.

Suggestions for improvement: 
Change it to:

/export  *(rw,sec=krb5:krb5i:krb5p)

Additional information:

Comment 3 Marc Muehlfeld 2016-04-20 13:30:04 UTC
I fixed the example.
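
An added example, not part of the bug report or the Red Hat documentation: a small Python audit that reads /etc/exports-style text and reports every client spec that lists a Kerberos flavor but still permits sec=sys, the condition the report describes. The sample input is constructed (only its first export line is quoted from the report), the function names are this example's own, and it assumes paths without spaces and one client(options) spec per whitespace-separated field.

```python
import re

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}

# Constructed sample in /etc/exports syntax; the first export line is the one quoted in the bug.
SAMPLE_EXPORTS = """\
# constructed sample for this example
/export  *(rw,sec=sys:krb5:krb5i:krb5p)
/export2 *(rw,sec=krb5:krb5i:krb5p)
/home    client.example.com(rw,sec=krb5p) \\
         *.example.com(ro,sec=krb5,sec=sys)
/scratch 192.0.2.0/24(rw)
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def flavors(options):
    """Return every flavor named by sec= options; no sec= means the default, sys."""
    found = set()
    for opt in options.split(","):
        key, _, value = opt.strip().partition("=")
        if key == "sec":
            found.update(value.split(":"))
    return found or {"sys"}

def audit(text):
    """Return (path, client, flavors) for kerberized exports that still allow sec=sys."""
    findings = []
    for line in logical_lines(text):
        path, *clients = line.split()
        for spec in clients:
            m = re.fullmatch(r"([^()]*)\((.*)\)", spec)
            client, opts = (m.group(1), m.group(2)) if m else (spec, "")
            allowed = flavors(opts)
            if "sys" in allowed and allowed & KRB_FLAVORS:
                findings.append((path, client, sorted(allowed)))
    return findings

if __name__ == "__main__":
    for path, client, allowed in audit(SAMPLE_EXPORTS):
        print(f"{path} {client}: sec=sys allowed alongside {allowed}")
```

Exports with no Kerberos flavor at all (such as the constructed /scratch line) are deliberately not reported, since the check targets only exports that are meant to be kerberized.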

