- The LINUX User-Space NFS Server(1)
-
- Version 2.2
-
-
-
- December 21, 1995
-
- ____________________
-
- 1. This is a rewrite of the original README file (which you
- can now find in README.HISTORIC).
-
- 1. Overview
-
- This package contains all the programs necessary to make your
- Linux machine act as an NFS server: an NFS daemon
- (rpc.nfsd), a mount daemon (rpc.mountd), optionally the uid
- mapping daemon (rpc.ugidd), and the showmount utility. It
- was originally developed by Mark Shand, and further enhanced
- by Donald Becker, Rick Sladkey, Orest Zborowski, Fred van
- Kempen, and Olaf Kirch.
-
- Unlike other NFS daemons, the Linux nfsd runs entirely in
- user space. This makes it a tad slower than other NFS
- implementations, and also makes it hard to support a couple
- of UNIX file system features supported by other nfsd
- implementations, especially several concurrent server processes.
-
-
- 2. Building and installing unfsd
-
- To compile and install the programs in this package, you
- first have to run the BUILD script. It will ask you a couple
- of questions about your preferred configuration. It tries to
- be helpful by telling you why it is asking each question,
- but a brief overview may be useful nevertheless:
-
- uid/gid mapping: Occasionally, you will want to serve NFS
- clients whose assignment of uids and gids to user names
- differs from that on the server. The unfsd package
- offers you a mechanism to dynamically map the client's
- uid space to that of the server, and vice versa. This
- is achieved by running the rpc.ugidd daemon on the
- client machine, and instructing the server machine to
- use it to map the client's credentials presented to the
- server in an NFS call, and remap file owner information
- in all NFS replies.
-
- While this is convenient, it also presents a security
- problem because rpc.ugidd can be abused by attackers to
- obtain a list of valid user names for the client
- machine. This can be helped somewhat by making ugidd
- check the requester's IP address against the
- hosts.allow and hosts.deny files also used by the tcpd
- wrapper program.
-
- Therefore, the BUILD script asks you about whether you
- want to use ugidd at all, and if you do, whether you
- wish to protect it using the host access control files.
- Note that you still have to configure access control as
- described below.
-
- If you do enable host access checking for rpc.ugidd,
- the BUILD script will try to locate libwrap.a which is
- needed for this. This library is part of Wietse
- Venema's TCP wrapper package. BUILD looks in several
- standard locations such as /usr/lib. If it does not
- find the library (e.g. because you keep it in weird
- places like /usr/i486-linux/lib), it will ask you for
- its full path name.
-
- If you disable ugidd support, the daemon will not be
- compiled, and the manpage will not be installed.
-
- file access control: For security reasons, mountd and nfsd
- make sure that vital files such as /etc/exports are
- owned by the correct user and have an appropriate
- access mode. BUILD will ask you which user and group
- should own exports. By default, this will be
- root/root.
-
- mount request logging: If you enable this option, rpc.mountd
- will log all attempts to mount a directory via NFS from
- your server machine. This is very helpful in monitoring
- NFS server usage, and for catching attempts at attacking
- your machine via NFS.
-
- When enabled, mountd will log all successful mount
- attempts to syslog's daemon facility at level notice.
- Failed mount attempts are logged at level warning.
-
- After completing these questions, BUILD will run a configure
- script to detect certain system capabilities. This will take
- a while on your first attempt. Repeated invocations of
- configure will run a lot faster because the results of the
- tests are cached. If you want to start out with a fresh
- build on a different release of Linux, you should make sure
- to get rid of these cached values by running
- `make distclean' first.
-
- You can then compile and install nfsd by typing `make'
- and/or (as root) `make install'. This will also install the
- manual pages.
-
-
- 3. Configuring nfsd
-
- To turn your Linux box into an NFS server, you have to start
- the following programs from /etc/rc.d/rc.inet2 (or wherever
- your favorite Linux distribution starts network daemons
- from):
-
- * rpc.portmap
-
- * rpc.mountd
-
- * rpc.nfsd
-
- * rpc.ugidd (optional)
-
- * rpc.pcnfsd (optional, not contained in this package)
-
- To make directories available to NFS clients, you have to
- enter them in your exports file along with the hosts allowed
- to mount them. The list of options and a sample file are
- given in the exports(5) manual page (and the whole topic is
- covered quite extensively in the Linux Network
- Administrator's Guide anyway), so I will not discuss this here. If
- somebody feels like filling in the missing parts here,
- please send me the diffs.
-
-
- 4. Configuring rpc.ugidd access control
-
- To protect rpc.ugidd from unauthorized access, you just have
- to add lines to /etc/hosts.allow and/or /etc/hosts.deny
- detailing which NFS servers are allowed to access it.
- If your NFS server has the IP address 193.175.30.33, you
- would add the following to hosts.allow:
-
- # Allow ugidd access only to NFS server
- ugidd: 193.175.30.33
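
Under the standard hosts_access(5) evaluation order, a host that matches neither file is granted access, so the hosts.allow line above restricts nothing until hosts.deny also names ugidd. The following C sketch is an added illustration, not code from this package; it models only exact addresses and ALL, assumes ugidd follows the standard libwrap order, and uses a constructed address 192.0.2.7 and an assumed `ugidd: ALL` deny line.

```c
#include <stdio.h>
#include <string.h>

/* One "daemon: client" rule; only exact strings and ALL are modelled. */
struct rule { const char *daemon; const char *client; };

static int rule_hits(const struct rule *r, const char *daemon, const char *addr)
{
    int d = !strcmp(r->daemon, "ALL") || !strcmp(r->daemon, daemon);
    int c = !strcmp(r->client, "ALL") || !strcmp(r->client, addr);
    return d && c;
}

static int any_hit(const struct rule *tab, size_t n,
                   const char *daemon, const char *addr)
{
    for (size_t i = 0; i < n; i++)
        if (rule_hits(&tab[i], daemon, addr))
            return 1;
    return 0;
}

/* hosts_access(5) order: an allow match grants, otherwise a deny match
 * refuses, otherwise access is granted. */
static int access_granted(const struct rule *allow, size_t na,
                          const struct rule *deny, size_t nd,
                          const char *daemon, const char *addr)
{
    if (any_hit(allow, na, daemon, addr)) return 1;
    if (any_hit(deny, nd, daemon, addr)) return 0;
    return 1;
}

/* ALLOW is the README's hosts.allow line; DENY is an assumed hosts.deny line. */
static const struct rule ALLOW[] = { { "ugidd", "193.175.30.33" } };
static const struct rule DENY[]  = { { "ugidd", "ALL" } };
static const char OTHER[] = "192.0.2.7";   /* constructed non-server host */

int main(void)
{
    printf("allow only, other host: %d\n",
           access_granted(ALLOW, 1, NULL, 0, "ugidd", OTHER));
    printf("allow+deny, other host: %d\n",
           access_granted(ALLOW, 1, DENY, 1, "ugidd", OTHER));
    printf("allow+deny, NFS server: %d\n",
           access_granted(ALLOW, 1, DENY, 1, "ugidd", "193.175.30.33"));
    return 0;
}
```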
-
-
- 5. Common Problems (a.k.a. Dependencies)
-
- * Root squashing is enabled by default, which means that
- requests from the root user are treated as if they
- originated from the nobody user. If you want root on
- the NFS client to be able to access files with full
- privilege, you have to add no_root_squash to the option
- list in /etc/exports.
-
- * The most specific entry applies. This means if you
- export both /usr and /usr/local to a client, and the
- client mounts /usr from the server, the options for
- /usr/local will still apply when the client accesses
-
- * Wildcards in client names do not match dots. This
- means that the entry *.foo.com only matches hosts named
- joe.foo.com etc., but not joe.sales.foo.com. You may
- call this a bug (and I may replace the current pattern
- matching code with wildmat if there is enough demand).
-
- * Changes to the exports file do not take effect until
- both nfsd and mountd have re-read the file. You either
- have to kill both daemons and restart them, or send
- them a HUP signal:
-
- # killall -HUP rpc.mountd rpc.nfsd
-
- * NFS operation between two Linux boxes can be quite
- slow. There are a number of reasons for this, only one
- of which is that unfsd runs in user space. Another
- (and much worse) problem is that the Linux NFS client
- code currently does no proper caching, read-ahead and
- write-behind of NFS data. This problem can be helped
- by increasing the RPC transfer size on the client by
- adding the `rsize=8192,wsize=8192' mount options. This
- will at least improve throughput when reading or
- writing large files. You are still in a lose-lose situation
- when applications write data line by line or with no
- output buffering at all.
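
The wildcard item in the list above means an exports entry written as *.foo.com covers one label only, which matters when you audit who an export is really open to. The following C function is an added illustration of that rule, not the package's own matching code; the `?` wildcard and case-insensitive comparison are assumptions, and the host names are constructed.

```c
#include <ctype.h>
#include <stdio.h>

/* Returns 1 if host matches pat. '*' matches any run of characters that
 * contains no '.', and '?' (assumed) matches one character other than '.'.
 * Comparison is case-insensitive (assumed). */
static int client_match(const char *pat, const char *host)
{
    for (; *pat; pat++, host++) {
        if (*pat == '*') {
            /* Try every split point, but never step across a dot. */
            for (;;) {
                if (client_match(pat + 1, host))
                    return 1;
                if (*host == '\0' || *host == '.')
                    return 0;
                host++;
            }
        }
        if (*host == '\0')
            return 0;
        if (*pat == '?') {
            if (*host == '.')
                return 0;
        } else if (tolower((unsigned char)*pat) !=
                   tolower((unsigned char)*host)) {
            return 0;
        }
    }
    return *host == '\0';
}

int main(void)
{
    /* Constructed host names, not taken from any real exports file. */
    const char *hosts[] = { "joe.foo.com", "joe.sales.foo.com", "foo.com" };
    const char *pats[]  = { "*.foo.com", "*.*.foo.com" };

    for (size_t p = 0; p < 2; p++)
        for (size_t h = 0; h < 3; h++)
            printf("%-12s %-18s %s\n", pats[p], hosts[h],
                   client_match(pats[p], hosts[h]) ? "match" : "no match");
    return 0;
}
```

Covering hosts one level deeper needs its own entry such as *.*.foo.com or an explicit host name.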
-
-
- 6. Copyright
-
- Much of the code in this package was originally written by
- Mark Shand, and is placed under the following copyright:
-
- This software may be used for any purpose provided
- the above copyright notice is retained. It is
- supplied as is, with no warranties expressed or
- implied.
-
- Other code, especially that written by Rick Sladkey and some
- replacement routines included from the GNU libc, is covered
- by the GNU General Public License, version 2, or (at your
- option) any later version.
-
-
- 7. Bug Reports
-
- If you think you have encountered a bug in nfsd or any of
- the other programs in this package, please follow the
- instructions in the file BUGS.