
woody: nfs and access control (esp. inetd.conf): howto?



Hi!

Standard info: I have looked through all docs I could find (new
nfs-HOWTO on http://nfs.sourceforge.net/ (needs to be put into woody,
BTW, the currently included one doesn't deal with new nfs-utils and
mountd, lockd, statd lines in hosts.allow/deny), /usr/share/doc/portmap,
list archives, man update-inetd (which I don't seem to understand at
all)), but still, yadda yadda. I run woody with kernel 2.4.2 with
kernel-server (v3 also enabled).

I have kernel-server support on the server, no firewall on the internal
interface, I don't run NIS. NFS works, but I'm quite unsure if I did it
right: I couldn't figure out from the docs how to set access control
correctly. My external interface is firewalled anyway, but still I want
to have more than one security level, and I want to learn. Here's what I
have found out and done:

User has the same UID/GID on client and server. /etc/exports on server
and /etc/fstab on client are OK.
The server's /etc/inetd.conf I haven't changed for nfs. It has no
entries for nfs, just:
#:RPC: RPC based services

/usr/share/doc/portmap/README.gz and the new HOWTO tell me to set in
/etc/hosts.allow:
portmap: my.sub.net.number/my.sub.net.mask
mountd: my.sub.net.number/my.sub.net.mask
lockd: my.sub.net.number/my.sub.net.mask
statd: my.sub.net.number/my.sub.net.mask

which I have done (I deny ALL:ALL in hosts.deny). 

On the server I have running:
portmap, rpc.statd, inetd, [nfsd], [lockd], [rpciod], rpc.mountd
On the client there is running (when nfs dirs are mounted): portmap,
rpc.statd, [lockd], [rpciod]

But a tcpdchk on the server tells me:
"warning: /etc/hosts.allow, line 14: portmap: service possibly not
wrapped
warning: /etc/hosts.allow, line 15: mountd: no such process name in
/etc/inetd.conf
warning: /etc/hosts.allow, line 16: lockd: no such process name in
/etc/inetd.conf
warning: /etc/hosts.allow, line 17: statd: no such process name in
/etc/inetd.conf"

Yeah, they aren't. But why? How? Should I? This isn't described anywhere
I looked. This makes me feel very insecure.

Questions:
Do I have the right stuff running on server and client (I guess so)?
What goes in inetd.conf if anything? If not, and you are patient, would
you please care to explain it to me? Are the portmap, mountd, statd and
lockd in debian built to honor hosts.allow/deny, but still standalone
(libwrap or something)?


Thanks for your time, M


-- 

I did not vote for the Austrian government
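An added example (not code from the post) that emulates the hosts_access(5) decision order for the four daemon names the poster put in hosts.allow, with constructed rule files in which 192.168.1.0/255.255.255.0 stands in for the poster's "my.sub.net.number/my.sub.net.mask" placeholder. The first column of each rule is the process name a libwrap-linked daemon reports, and tcpdchk only knows the names listed in inetd.conf, so it cannot vouch for daemons that run standalone.

```python
"""Minimal emulation of tcp_wrappers hosts_access() matching.
Only the syntax used in the post is implemented: 'daemon: net/mask'
and 'ALL: ALL'. EXCEPT lists, hostnames and shell commands are not."""
import ipaddress
import re

# Constructed sample files (192.168.1.0/24 is an assumed internal subnet).
HOSTS_ALLOW = """\
portmap: 192.168.1.0/255.255.255.0
mountd: 192.168.1.0/255.255.255.0
lockd: 192.168.1.0/255.255.255.0
statd: 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return a list of (daemon_list, client_list) pairs, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((re.split(r"[,\s]+", daemons), re.split(r"[,\s]+", clients)))
    return rules


def client_matches(pattern, client_ip):
    """Match a client address against ALL, a net/mask pattern, or a literal IP."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    return pattern == client_ip


def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    daemon_ok = daemon in daemons or "ALL" in daemons
    return daemon_ok and any(client_matches(c, client_ip) for c in clients)


def hosts_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: a match in allow wins, then deny, else permit."""
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(deny)):
        return False
    return True
```

Calling hosts_access("mountd", "192.168.1.20") returns True while hosts_access("mountd", "10.0.0.5") returns False; a daemon name with no allow entry (or a misspelled one) falls through to the ALL: ALL deny.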