Now we have to re-configure server-03 to export the NFS root directory (/export), user files and directories (/export/home) and the directory "scratch" (/export/scratch) safely, under specific security controls. To do this, perform the following tasks:
Host level security:
Configure NFSv4 on server-03 to export only to the LOCAL virtual instance frontend (10.128.0.100). That is, only that host within this network will be able to access (mount) the file systems exported by server-03.
User level security:
On client hosts, force NFS to distinguish the client "root" from the NFS server "root", treating it as the nobody user. This is very useful when exporting directories to "unreliable" client computers.
Similarly, force all users of NFS client hosts with UIDs between 20000 and 20100 to be limited to the access permissions of the anonymous user.
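As an added example (not part of the original assignment), this Python sketch audits exports(5) text against the host-level and root-mapping requirements above. The sample file contents are constructed and the function names are hypothetical; it does not cover the UID-range rule.

```python
ALLOWED_CLIENT = "10.128.0.100"   # frontend address from the task text
REQUIRED_PATHS = ("/export", "/export/home", "/export/scratch")

# Constructed sample for illustration, not a real server-03 file.
SAMPLE_EXPORTS = """\
/export          10.128.0.100(rw,fsid=0,sync,root_squash)
/export/home     10.128.0.100(rw,sync,no_root_squash)
/export/scratch  10.128.0.0/24(rw,sync) 10.128.0.100 (rw)
"""


def parse_exports(text):
    """Yield (path, client, options) for each client entry in exports(5) text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or [""]:            # bare path: no host given at all
            client, _, rest = spec.partition("(")
            opts = set(filter(None, rest.rstrip(")").split(",")))
            yield path, client, opts


def audit_exports(text):
    """Return findings; an empty list means the host and root rules hold."""
    findings, seen = [], set()
    for path, client, opts in parse_exports(text):
        seen.add(path)
        if client == "":
            # "host (rw)" with a stray space exports to every client.
            findings.append(f"{path}: entry without a host applies to any client")
        elif client != ALLOWED_CLIENT:
            findings.append(f"{path}: exported to {client}, not only {ALLOWED_CLIENT}")
        if "no_root_squash" in opts:
            findings.append(f"{path}: no_root_squash keeps client root as root")
    findings += [f"{p}: required export is missing"
                 for p in REQUIRED_PATHS if p not in seen]
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Running it on the constructed sample reports three findings: the no_root_squash on /export/home, the subnet-wide export of /export/scratch, and the stray-space "(rw)" entry that applies to every client.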
File level security:
Add ACL support for /export/home/. Build an access list (ACL) for the exported home directory of user2:
For the owner, FULL Control
For the owner's group, accesses "Rxtcy"
For all other users, accesses "Rxtcy"
For "user1", allow FULL access
Remember that the NFSv4 ACL system is only available from the NFS client side, through the local directory.
More details in [4] [5].
Size (growth) control for the NFS file systems, using a user/group quota system.
Configure your server so that you can make use of a quota system in the NFS exported file system /export/home:
A limit of 100 MB will be established for each user (soft limit).
If the user exceeds this limit, they will have 5 days to remove content before the account is blocked.
Under no circumstances will any user be able to exceed 120 MB of space in their $HOME (hard limit).