How we do custom NFS mount authorization on Solaris 10

Suppose that you want to use some custom method of authenticating and authorizing NFS mounts, and that your fileservers are Solaris 10 systems (although the same general approach could probably work elsewhere). Further suppose that you don't have the source to mountd, or at least don't want to modify it for various sensible reasons. Fortunately, there is an evil hack that you can commit that will let you do whatever authorization checks that you need.

(When thinking about all of this, remember that NFS mount security has limits.)

Solaris, like most systems, will let you export filesystem to (NIS) netgroups. Solaris also has an /etc/nsswitch.conf file to specify how netgroups (among other things) are looked up (in fact it originated the idea). And finally, one of the little-used features of nsswitch.conf is that you can write your own library to be a new lookup service (that you can then use in nsswitch.conf).

So, the evil hack is to hijack mountd's netgroup lookups to do your own authorization by having your own custom library set as the service for netgroups in nsswitch.conf. When you export a filesystem to a netgroup and a client tries to mount the filesystem, mountd will wind up calling innetgr() to see if the machine is in the netgroup, which will wind up calling a function in your lookup service library, and this function can use whatever mechanism you want to decide whether to say yes or no.

(Essentially what you're doing is hijacking 'netgroups' to pass magic tokens through mountd to your authorization library. Note that your library will get the same information that innetgr() does, which gives it both the client host and the netgroup name.)

One drawback of this approach is that your authorization library must perform all of the authorization checking, because you can't tell mountd to export something to host X but only if it's also in netgroup Y.

We use this here on our Solaris 10 fileservers, and it works fine (with some caveats that don't fit in this entry). The basic idea can probably be applied on any Unix with an /etc/nsswitch.conf and enough documentation on it to let you write new lookup services.

(The usual disclaimer: I didn't come up with this, I'm just writing it up.)

Sidebar: ways to use this

There are two ways that I can think of for using this:

  • for extended host authentication; you have some mechanism to have netgroup-like lists of machines, but you do additional verification that the IP address actually is the real host instead of an imposter. You'll have groups of machines in 'netgroups', and export things to various different netgroups, and it will all look quite normal to the casual observer.

  • to have a completely new authorization system. Here the only thing the netgroup names are used for is so that your own authorization system knows what it's being asked to authorize.

Our use of this is the first sort, for extended host authentication.

These are my WanderingThoughts
(About the blog)

GettingAround
Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.

* * *

Atom feeds are available; see the bottom of most pages.

This is a DWiki.
(Help)

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web

Search:
Written on 30 July 2009.
(Previous | Next)
Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.
Last modified: Thu Jul 30 03:22:40 2009
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.