root user and nfs mounts

1997-05-27 Thread Colin Telmer

Currently I mount my home directory from a departmental AIX machine using
the following exports on the AIX machine:

/home3/telmerco -access=sargan:terrapin

and the following fstab on my debian hamm machine:

qed:/home3/telmerco   /home/telmerco/qed  nfs  defaults  0  0

Given this setup, as root I cannot cd into /home/telmerco/qed. However,
when I run tob (tape backup program) every night (from a root crontab), I
would like to back up my files from this nfs mount along with the local
files. Currently, I have user telmerco run a crontab job just before the
tob job which makes a tar file of all my files in the nfs mount and stores
it in /home/telmerco so the root tob job can back them up. This leaves a
large tgz file lying around, and although I could just put a command to
erase it after the tob job is done, I would prefer to do it a much cleaner
way by allowing root to traverse the nfs mount (as long as it is safe and there
are no heavy security concerns on the AIX sysadmin's part). I dug through
the man pages for nfs(5) and mount(8) and it seems like I could use
something that maps root uid 0 to an anon uid that I specify, for example,
208 (telmerco's uid). Is this possible? Is it safe? And finally, is there
a better way to do it? Cheers, Colin.

--
  Colin R. Telmer, Institute of Intergovernmental Relations
School of Policy Studies, Queen's University
 Kingston, Ontario, Canada, K7L-3N6
  (613)545-6000x4219   [EMAIL PROTECTED]
 PGP Fingerprint = 09 E9 DA 66 9C EE 33 DC  B8 3B 97 0E 01 BC EC 0B
   PGP Public Key at URL:http://terrapin.econ.queensu.ca



--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to
[EMAIL PROTECTED] . 
Trouble?  e-mail to [EMAIL PROTECTED] .


Re: root user and nfs mounts

1997-05-27 Thread joost witteveen
> Currently I mount my home directory from a departmental AIX machine using
> the following exports on the AIX machine:
>
> /home3/telmerco -access=sargan:terrapin
>
> and the following fstab on my debian hamm machine:
>
> qed:/home3/telmerco   /home/telmerco/qed  nfs  defaults  0  0
>
> Given this setup, as root I cannot cd into /home/telmerco/qed.
> [why root would like to cd anyway deleted]
> I dug through
> the man pages for nfs(5) and mount(8) and it seems like I could use
> something that maps root uid 0 to an anon uid that I specify, for example,
> 208 (telmerco's uid). Is this possible?

Well, it isn't what you want. The mapping of uid 0 happens on the server
(the AIX in your case), and, as root cannot cd to your home dir, they've
already got that set up correctly [1]. What happens is that when root
cd's to your nfs mounted home dir, root gets mapped to uid nobody, and
nobody tries to cd into that dir.

The only way I see you can allow root (thus nobody, unless you can
convince the AIX people to throw away all security on their
system) to cd into your home dir, is by chmod-ing your home dir to
something like 777. But then _everybody_ can do that -- probably not
what you want.

I'm not sure how tob works, but if it works anything like dd of=/dev/tape,
you could try something like

  (su telmerco -c "tar -cvzf - /home/telmerco/qed") | dd of=/dev/tape


> Is it safe?

As long as the AIX people do their job properly, you cannot do anything
unsafe. And you cannot do what you want, I think.

> And finally, is there
> a better way to do it? Cheers, Colin.

Depends on tob. (see above).

[1] had they not done that, you'd be root very quickly on that system, 
probably.

-- 
joost witteveen, [EMAIL PROTECTED]
#!/bin/perl -sp0777iX+d*lMLa^*lN%0]dsXx++lMlN/dsM0j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$kSK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
#what's this? see http://www.dcs.ex.ac.uk/~aba/rsa/
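
The approach suggested in the reply above (root's cron job reads the root-squashed NFS mount as the owning user and streams the archive, so no temporary tarball is left behind), written out as an added example that is not part of the original thread. The function names are hypothetical; the mount point in the usage comment is the one from the fstab line quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Streams a gzip'd tar of a directory to stdout. When root cannot read the
# directory (the symptom of NFS root squashing: uid 0 arrives as "nobody"),
# tar is run as the directory's owner via su, so no temporary tarball is made.

# True if the current user can enter and list the directory.
can_read_dir() {
    (cd "$1" && ls -A . >/dev/null) 2>/dev/null
}

# Login name of the directory's owner as shown by ls (numeric if unmapped).
dir_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Prints "" if tar can run as the current user, or the owner's name if root
# must drop to that user. Fails if the directory is unreadable and we are
# not root (su would need a password).
reader_for() {
    if can_read_dir "$1"; then
        echo ""
    elif [ "$(id -u)" -eq 0 ]; then
        dir_owner "$1"
    else
        return 1
    fi
}

stream_backup() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # The path is embedded in a quoted su command below; refuse quotes in it.
    case $dir in *\'*) echo "unsafe path: $dir" >&2; return 1 ;; esac
    reader=$(reader_for "$dir") || { echo "cannot read $dir" >&2; return 1; }
    if [ -z "$reader" ]; then
        tar -czf - -C "$dir" .
    else
        # Quote the whole command so su hands it to the user's shell intact;
        # unquoted, "-czf ..." would be parsed as options to su itself.
        su "$reader" -c "tar -czf - -C '$dir' ."
    fi
}

# Usage from root's crontab (mount point taken from the fstab in the thread):
#   stream_backup /home/telmerco/qed | dd of=/dev/tape
```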

