LinuxQuestions.org
Old 05-13-2011, 10:46 PM   #1
bonixavier
Member
 
Registered: Sep 2010
Distribution: Slackware
Posts: 320

Rep: Reputation: 69
Question about NFS and /etc/hosts.{allow,deny}


Hello!

As I recently bought a netbook, I decided to turn my desktop into a home server to let all my roommates have access to music and movies over the network. I've just started the setup of the server. Then, I came across a problem.

Following the instructions regarding NFS from here and the man page of hosts.deny from here (why don't we have that man page?), I created something like this:

/etc/exports
Code:
/home/username my_ip_address(rw)
/home/videos my_ip_address(rw)
/home/music my_ip_address(rw)
(Although they're all mounted under /home, those are three separate partitions).

/etc/hosts.deny
Code:
ALL:ALL
/etc/hosts.allow
Code:
ALL:my_ip_address
I restarted /etc/rc.d/rc.rpc and created a mount point for it in Dolphin. When I got there, I learned that I was not only able to browse through the directories I allowed access to, but to _all_ of the directories under /home.

Why did that happen? I assume that is because my /etc/hosts.allow is too permissive. Is my only alternative to set an allow rule on a per-daemon basis? I can easily test that. All I have to do is create a dummy user on both systems and change my IP address on the client side.

What do you guys have on those files?
 
Old 05-13-2011, 11:36 PM   #2
slac-in-the-box
Member
 
Registered: Mar 2010
Location: oregon
Distribution: slackware64-15.0 / slarm64-current
Posts: 780
Blog Entries: 1

Rep: Reputation: 432
allow access for your roommates, not just yourself

Well, as far as I can tell, so far you have not allowed any access for your roommates... only access for yourself...

If you do not have a dns server on your home LAN, then what you should do is set up /etc/hosts to identify all the hosts and their corresponding ip addresses in your LAN; then you can allow access in /etc/exports based on host names... however ip addresses work as well...

but in your /etc/exports file, you have a line like
Code:
/home/videos my_ip_address(rw)
this only allows access to /home/videos to your ip address, and I'm guessing you already have access to your own system, and thus you can read and write to everything, and not just the directories you wish to export...

my /etc/exports has a line like so:

Code:
/home/slacinthebox/flix *(rw,no_subtree_check)
the above line lets all hosts access my "flix" directory, regardless of hostname and ip address... but I could replace the "*" with a specific host name or ip address if I wanted to be more restrictive...

likewise, in /etc/hosts.allow, you only allowed your own ip address. If you were to substitute your roommates' ip addresses or host names, then you would be up and running
 
1 members found this post helpful.
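
An added example (not written by any poster in this thread): a small Python check over the text of an exports file that reports which lines grant access to every host, covering the `*` wildcard shown in the post above and the exports(5) pitfall where a space between the client and its option list applies the options to all hosts. The sample file content, the documentation address 192.0.2.10 and the function names are constructed for illustration; line continuations and quoted paths are not handled.

```python
import re

# Constructed sample in exports(5) syntax; 192.0.2.10 is a documentation address.
SAMPLE_EXPORTS = """\
# path            client(options)
/home/videos      192.0.2.10(rw)
/home/flix        *(rw,no_subtree_check)
/home/music       192.0.2.10 (rw)
/home/username    192.0.2.10(rw,no_root_squash)
"""

# host part, optionally followed by a parenthesised option list
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for every client entry in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                continue
            host, opts = m.group(1), m.group(2)
            # A bare "(rw)" token has an empty host part: it applies to ALL hosts.
            yield path, host or "*", set(opts.split(",")) if opts else set()


def audit_exports(text):
    """Return (path, finding) pairs for entries a reviewer should look at."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*" and "rw" in opts:
            findings.append((path, "read-write for every host"))
        elif client == "*":
            findings.append((path, "readable by every host"))
        if "no_root_squash" in opts:
            findings.append((path, f"remote root is not squashed for {client}"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {finding}")
```

The `/home/music` line is flagged even though it names a single address, because the space turns `(rw)` into a separate entry with no host.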
Old 05-14-2011, 09:19 AM   #3
bonixavier
Member
 
Registered: Sep 2010
Distribution: Slackware
Posts: 320

Original Poster
Rep: Reputation: 69
Quote:
Originally Posted by slac-in-the-box View Post
Well, as far as I can tell, so far you have not allowed any access for your roommates... only access for yourself...
Thank you very much for your reply, slac-in-the-box. About only granting access for myself: this computer will become headless. I needed remote access to manage its files. As I'm the only one running Linux in the apartment, I thought I'd be the only one able to mount NFS. My plan is to set Samba shares for everyone else.

Quote:
If you do not have a dns server on your home LAN, then what you should do is set up /etc/hosts to identify all the hosts and their corresponding ip addresses in your LAN; then you can allow access in /etc/exports based on host names... however ip addresses work as well...
As far as I can tell, /etc/hosts will only work if the machines have static IPs. Did I understand it correctly?

Something I still don't get is why I was able to browse through /home/ftp, for example, from my netbook when I didn't grant access to it in the other files.
 
Old 05-14-2011, 11:22 AM   #4
slac-in-the-box
Member
 
Registered: Mar 2010
Location: oregon
Distribution: slackware64-15.0 / slarm64-current
Posts: 780
Blog Entries: 1

Rep: Reputation: 432
Code:
As far as I can tell, /etc/hosts will only work if the machines have static IPs. Did I understand it correctly?
Absolutely correct. I have statics assigned in my LAN, but that won't apply in your case...

So your desktop, running headless, will be a NFS server for your netbook, and a Samba share server, for your roommates...

I abandoned windows so long ago, that I will be useless for helping with SAMBA...

However, now I understand that when you wrote "my_ip_address" you were referring to the address of your netbook and not of your desktop/server... I had misunderstood the first time, and thought you were putting in the desktop/server's ip_address there...

So, now I see... why can you browse /home/ftp when it is not specified in your exports file...

What happens if, from your netbook, you try

Code:
showmount -e nfs_servers_ip_address
?

I have xfce wm, so am not very familiar with Dolphin, but when I mount my NFS share, for temporary mounts (like at a friend's NFS server) I use the mount command:

Code:
mount -t nfs nfs_servers_ip:/path_to_share /local_mount_point
And for permanent mounts (like at home, or office), I set up mount in fstab.

Intriguing... let's get to the bottom of it...
 
Old 05-14-2011, 08:07 PM   #5
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: McKinney, Texas
Distribution: Slackware64 15.0
Posts: 3,858

Rep: Reputation: 2225
Dolphin allows you to "mount" a remote directory via ssh. Perhaps you should use that instead.
 
Old 05-14-2011, 11:15 PM   #6
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

Rep: Reputation: 2749
Quote:
Dolphin allows you to "mount" a remote directory via ssh. Perhaps you should use that instead.
That will certainly work and provide more security, but it does introduce a significant overhead. NFS is much faster.
 
Old 05-16-2011, 01:32 AM   #7
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: McKinney, Texas
Distribution: Slackware64 15.0
Posts: 3,858

Rep: Reputation: 2225
I guess that it depends how much remote file management the OP intends to do.
 
Old 05-20-2011, 07:39 PM   #8
bonixavier
Member
 
Registered: Sep 2010
Distribution: Slackware
Posts: 320

Original Poster
Rep: Reputation: 69
Just a quick update: I accidentally dropped beer on my netbook's keyboard so I left it off for a week to avoid short circuits and I didn't have any way to test any of the suggestions (no clients available). I'll check them tonight and will report back during the weekend. Thanks everyone who's been helping me.
 
  

