Bug 168383 - mountd / tcp_wrappers not honoring NIS netgroup
Summary: mountd / tcp_wrappers not honoring NIS netgroup
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nfs-utils
Version: 4.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Steve Dickson
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-09-15 15:42 UTC by Joseph Kotran
Modified: 2010-06-07 05:26 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-07 05:26:09 UTC
Target Upstream Version:
Embargoed:



Description Joseph Kotran 2005-09-15 15:42:26 UTC
Description of problem:

Via tcp_wrappers and NIS we restrict access to desktop client NFS shares to
members of an NIS netgroup called @trusted_clients.  The Red Hat 4 mountd does
not honor netgroup membership.  As a workaround I had to switch to IP-based
access control.

Version-Release number of selected component (if applicable):

nfs-utils-1.0.6-46

How reproducible:

Every time

Steps to Reproduce:

1. NIS directory service required.  Netgroup should contain a list of trusted
computers.

2. Tcp_wrappers should be configured as such:

/etc/hosts.allow:

ALL EXCEPT sshd: 127.0.0.1 @trusted_clients
sshd: ALL
portmap: 192.168.2.0/255.255.248.0


/etc/hosts.deny:

ALL: ALL: spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root) &


3. Attempt to mount a Red Hat 4 NFS share from a trusted member of the netgroup.
  
Actual results:

On NFS client: Permission denied.

On RedHat 4 NFS share server: Tcp_wrappers / mountd will deny the access request
and email the output of safe_finger to root.

Note: The safe_finger output reports the client via IP, short hostname, and
fully qualified DNS hostname:

mountd-192.168.2.10
mountd-elaine
mountd-elaine.foo.com


Expected results:

The NFS mount should succeed.


Additional info:

As a workaround I set up tcp_wrappers /etc/hosts.allow as follows:

ALL EXCEPT mountd sshd: 127.0.0.1 @trusted_clients
sshd: ALL
mountd: 192.168.2.0/255.255.248.0
portmap: 192.168.2.0/255.255.248.0
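
The following is an added, offline model of how tcpd evaluates the two hosts.allow variants above against hosts.deny; it is not nfs-utils or tcp_wrappers code. It assumes a constructed netgroup table standing in for the NIS map, a simplified netgroup match on IP, short name or FQDN (real tcpd calls innetgr() on the hostname), and a hypothetical Windows client "winbox" in the same 192.168.0.0/21 pool. It shows the three cases that matter here: the netgroup policy as written, the same policy when the netgroup cannot be resolved (the reported symptom), and the IP-based workaround.

```python
"""Offline model of tcp_wrappers hosts.allow / hosts.deny evaluation.
Added example; not nfs-utils or tcp_wrappers code."""
import ipaddress

# Constructed stand-in for the NIS netgroup map (real tcpd asks NSS via innetgr()).
NETGROUPS = {"trusted_clients": {"elaine", "elaine.foo.com", "192.168.2.10"}}

# Constructed client records: the trusted desktop from the report, and a
# hypothetical Windows box in the same 192.168.0.0/21 address pool.
ELAINE = {"ip": "192.168.2.10", "host": "elaine", "fqdn": "elaine.foo.com"}
WINBOX = {"ip": "192.168.5.77", "host": "winbox", "fqdn": "winbox.foo.com"}

# The two hosts.allow variants from the report and the shared hosts.deny.
ORIGINAL_ALLOW = [
    "ALL EXCEPT sshd: 127.0.0.1 @trusted_clients",
    "sshd: ALL",
    "portmap: 192.168.2.0/255.255.248.0",
]
WORKAROUND_ALLOW = [
    "ALL EXCEPT mountd sshd: 127.0.0.1 @trusted_clients",
    "sshd: ALL",
    "mountd: 192.168.2.0/255.255.248.0",
    "portmap: 192.168.2.0/255.255.248.0",
]
HOSTS_DENY = ["ALL: ALL: spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root) &"]


def _client_token_matches(token, client, netgroups):
    """Match one client pattern: ALL, @netgroup, addr/mask, or a literal name/IP.
    Simplification (assumption): a netgroup matches on IP, short name or FQDN."""
    if token == "ALL":
        return True
    if token.startswith("@"):
        members = netgroups.get(token[1:], set())
        return bool({client["ip"], client["host"], client["fqdn"]} & members)
    if "/" in token:
        network = ipaddress.ip_network(token, strict=False)  # dotted-quad mask accepted
        return ipaddress.ip_address(client["ip"]) in network
    return token in (client["ip"], client["host"], client["fqdn"])


def _list_matches(tokens, matcher):
    """Evaluate a tcp_wrappers list with EXCEPT: left side matches and right side does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_matches(tokens[:i], matcher) and not _list_matches(tokens[i + 1:], matcher)
    return any(matcher(t) for t in tokens)


def _rule_matches(rule, daemon, client, netgroups):
    """A rule matches when both its daemon list and its client list match."""
    daemon_list, client_list = rule.split(":", 2)[:2]  # drop any trailing shell command field
    return (_list_matches(daemon_list.split(), lambda t: t in ("ALL", daemon))
            and _list_matches(client_list.split(),
                              lambda t: _client_token_matches(t, client, netgroups)))


def access_decision(allow_rules, deny_rules, daemon, client, netgroups=NETGROUPS):
    """tcpd order: first hosts.allow match grants, then first hosts.deny match
    refuses, otherwise access is granted."""
    if any(_rule_matches(r, daemon, client, netgroups) for r in allow_rules):
        return "allow"
    if any(_rule_matches(r, daemon, client, netgroups) for r in deny_rules):
        return "deny"
    return "allow"


def compare_policies(daemon, client):
    """Decision under the netgroup policy, under the same policy with the netgroup
    unresolvable (the reported symptom), and under the IP-range workaround."""
    return {
        "netgroup_policy": access_decision(ORIGINAL_ALLOW, HOSTS_DENY, daemon, client),
        "netgroup_unresolved": access_decision(ORIGINAL_ALLOW, HOSTS_DENY, daemon, client, netgroups={}),
        "ip_workaround": access_decision(WORKAROUND_ALLOW, HOSTS_DENY, daemon, client),
    }


if __name__ == "__main__":
    for name, client in (("elaine", ELAINE), ("winbox", WINBOX)):
        print(name, compare_policies("mountd", client))
```

Running it shows the trade-off the report describes: with the netgroup resolvable, elaine is allowed and winbox is refused; with the netgroup unresolvable, elaine gets "Permission denied" even though it is a member; with the IP workaround, winbox (any host in the pool) reaches mountd as well, which is the loss of control the reporter later objects to.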

Comment 3 Joseph Kotran 2005-10-22 14:16:05 UTC
I understand that RedHat advises customers to use IPTables instead of TCP
Wrappers.  Please note that this suggestion is not valid for a corporate LAN
environment.  We are trying to prevent Windows clients from NFS mounting Linux
shares.  The Windows and Linux clients are in the same IP space / pool.

We would have to readdress to accommodate IPTables usage.  That is not practical
because boxes often switch to / from Windows and other boxes are dual booted.

- Joe Kotran

Comment 6 chantra 2007-11-04 17:36:09 UTC
Hi Joe,

Even though this bug report is 2 years old, I'm gonna give it a try.

I think I encountered the same issue with the sshd service.
I set up netgroup to use an LDAP backend.
I found out that I needed to reload the service after the changes were made in
/etc/nsswitch.conf in order to have tcpd resolving the netgroup.

This does not happen on Fedora 7. Any changes made are directly taken into
account (which is the expected behaviour).

Can you confirm this?
