Hello,
imagine you are in an environment where you have absolute control about who can become root on the system (maybe an HPC
or a k8s cluster).
You are using NFSv3 to mount shares on your clients, using the classical AUTH_SYS security flavor (host based security).
NFSv3 exports on OneFS are secure, meaning mounts requests will only be honored is the origin source port is privileged:
inferior to 1024 so that only root (or executable with the adequate CAP_*linux capability) can perform the initial
mount. It is not kerberos, but works perfectly fine in an environment where you control who has root privileges.
Now imagine that you want to taste some NFSv4 because of reasons (pseudofs, delegation, firewall friendly with only port
2049 to handle...). You enable NFSv4 cluster wide on OneFS and you change vers=3 for vers=4 in your fstab. You keep the
same security flavor, no kerberos involved. You see some nice improvements (or not), or you're happy with the pseudofs
feature with a single mountpoint on the client.
The problem with this setup is that the "secure" export aspect (only root or privileged user can interact with the nfs
server) is not honored. This means that anyone can use a nfs userland client implementation like libnfs (or use an ssh
tunnel) to impersonate any user and access any files from any exported shares (think homes directories on an HPC submit
nodes for example, and projects directories).
So far, the answer has been: use kerberos. I understand why they are saying that, but in that case, they should prohibit
by default the use of NFSv4 with AUTH_SYS security flavor. I think answering using kerberos in this use case is the
wrong answer to the problem. It can take sysadmins by surprise. For us, it means disabling NFSv4 system-wide or
implement stupid firewall rules on each clients.
What do you think ? Are you in this use case ? If you already contacted the support about it, what was the answer ?
========
Here is an exemple on how to reproduce the behavior:
## install some nfs userspace utility (libnfs-utils on RHEL/Debian for example)
$ sudo yum install libnfs-utils
OR
$ git clone
https://github.com/sahlberg/libnfs
$ cd libnfs
$ cmake -DENABLE_UTILS=yes .
$ make
Resulting utils binaries are in utils directory.
Try to access a file created by 'bob' (uid is 1234) using 'nfs-cat' under another account by leveraging uid
impersonification. The filesystem can be NOT mounted via fstab, everything is happening in userspace.
$ nfs-cat "nfs://ifs/homes/bob/.ssh/id_rsa?uid=1234&version=4"
42
You can also imagine use the mount command from a system where you've got mount privileges using an ssh tunnel to the
node that have exported shares to it :
remote $ ssh -LN 2049:your_nfs_server:2049 remote_server
From another shell :
remote $ sudo mount -t nfs vers=4 localhost:/ifs/homes /mnt
Create a local user with the 'bob' uid and you can access its home directory, directly from your local machine.
========
Jean-Baptiste