Dear all,

I'm a new lustre user.
I've searched for some documentation about the root permissions in Lustre without results. My question is: how can I reduce root permissions on a lustre client?

Using NFS I have the no_root_squash option, but under Lustre I don't find anything similar to that.

If a normal user connects his Linux laptop to my network and mounts the lustre filesystem, his root user can remove everything in my lustre fs.

Is that right, or am I doing something wrong in the installation?

Thanks in advance

--
Cultivate Linux, since Windows crashes all by itself.

ENRICO MORELLI
University of Florence
CERM - via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
email: morelli at CERM.UNIFI.IT
phone: +39 055 4574269
fax: +39 055 4574253

On Mon, Apr 21, 2008 at 03:21:34PM +0200, Enrico Morelli wrote:
> I'm a new lustre user.
> I've searched for some documentation about the root permissions in Lustre
> without results. My question is: how can I reduce root permissions on a
> lustre client?
>
> Using NFS I have the no_root_squash option, but under Lustre I don't find
> anything similar to that.

FYI, the root squash functionality will be available in 1.6.5 (see bug 12749).

Cheers,
Johann

On Mon, 21 Apr 2008 15:47:18 +0200 Johann Lombardi <johann at Sun.COM> wrote:
> On Mon, Apr 21, 2008 at 03:21:34PM +0200, Enrico Morelli wrote:
> > I'm a new lustre user.
> > I've searched for some documentation about the root permissions in
> > Lustre without results. My question is: how can I reduce root
> > permissions on a lustre client?
> >
> > Using NFS I have the no_root_squash option, but under Lustre I don't
> > find anything similar to that.
>
> FYI, the root squash functionality will be available in 1.6.5 (see
> bug 12749).
>
> Cheers,
> Johann

Thanks for the answer. So for the moment I hope that no one using Linux tries to become a lustre client.

Are there other solutions?

--
Enrico Morelli

Enrico Morelli wrote:
> On Mon, 21 Apr 2008 15:47:18 +0200
> Johann Lombardi <johann at Sun.COM> wrote:
>
>> On Mon, Apr 21, 2008 at 03:21:34PM +0200, Enrico Morelli wrote:
>>> I'm a new lustre user.
>>> I've searched for some documentation about the root permissions in
>>> Lustre without results. My question is: how can I reduce root
>>> permissions on a lustre client?
>>>
>>> Using NFS I have the no_root_squash option, but under Lustre I don't
>>> find anything similar to that.
>> FYI, the root squash functionality will be available in 1.6.5 (see
>> bug 12749).
>>
>> Cheers,
>> Johann
>
> Thanks for the answer. So for the moment I hope that no one using Linux
> tries to become a lustre client.
>
> Are there other solutions?

Even if root_squash is used, an end user with root access to a system can just su - to any uid and copy/delete/modify files at will as the actual user.

For now I'd focus more on limiting what hosts may mount your lustre filesystem and who has privileges on those end hosts. This can be done through iptables/router ACLs at the network layer and pam/sudo at the host layer.

In the future, I believe Sun is moving towards Kerberos as a method for solving some of these problems.

--
David Vasil <dmvasil at ornl.gov>
Oak Ridge National Laboratory NCCS Division
High Performance Computing Systems Administrator
Bldg: 5600-D219 Phone: (865)241-5562

On Apr 21, 2008, at 7:17 AM, Enrico Morelli wrote:
> On Mon, 21 Apr 2008 15:47:18 +0200
> Johann Lombardi <johann at Sun.COM> wrote:
>
>> On Mon, Apr 21, 2008 at 03:21:34PM +0200, Enrico Morelli wrote:
>>> I'm a new lustre user.
>>> I've searched for some documentation about the root permissions in
>>> Lustre without results. My question is: how can I reduce root
>>> permissions on a lustre client?
>>>
>>> Using NFS I have the no_root_squash option, but under Lustre I don't
>>> find anything similar to that.
>>
>> FYI, the root squash functionality will be available in 1.6.5 (see
>> bug 12749).
>>
>> Cheers,
>> Johann
>
> Thanks for the answer. So for the moment I hope that no one using
> Linux tries to become a lustre client.
>
> Are there other solutions?
>

We use iptables to prevent unknown IP addrs from connecting to the lustre servers:

    *filter
    # Reject new TCP connections (SYN) arriving on the lustre interfaces
    # from any source outside the client network.
    -A INPUT -p tcp -i eth1 --tcp-flags SYN SYN ! --source 172.10.0.0/16 -j REJECT
    -A INPUT -p tcp -i eth2 --tcp-flags SYN SYN ! --source 172.10.0.0/16 -j REJECT
    COMMIT

Replace eth1/eth2 with your lustre networks, and 172.10.0.0/16 with an appropriate network string. If you don't have a dedicated lustre network, then you may need to change these rules. Lustre accepts connections on port 988, so if you are mounting lustre over a common network, you may just want to create rules that restrict access to port 988 only.

-Marc

----
D. Marc Stearman
LC Lustre Administration Lead
marc at llnl.gov
925.423.9670
Pager: 1.888.203.0641
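
The port-988-only variant suggested at the end of the message above, as an added example that is not part of the original thread: a small shell generator that validates a list of client networks and prints an iptables-restore fragment limiting new connections to port 988 to those networks. The chain name LUSTRE-IN, the function names and the second sample network are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore fragment
# that only lets known client networks open connections to Lustre's port 988.
# LUSTRE-IN is a hypothetical chain name; sample networks are constructed.

LUSTRE_PORT=988

# is_cidr4 A.B.C.D/N -> succeeds only for a well-formed IPv4 network string
is_cidr4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
          for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if ($5 > 32) exit 1 }'
}

# lustre_rules CIDR... -> print the ruleset, or fail before printing anything
lustre_rules() {
    [ "$#" -ge 1 ] || { echo "usage: lustre_rules CIDR..." >&2; return 2; }
    for net in "$@"; do
        is_cidr4 "$net" || { echo "bad network: $net" >&2; return 1; }
    done
    printf '%s\n' "*filter" ":LUSTRE-IN - [0:0]"
    # Divert only connection attempts (SYN) to port 988 into the chain, so
    # other services on a shared network are left untouched.
    printf '%s\n' "-A INPUT -p tcp --dport $LUSTRE_PORT --syn -j LUSTRE-IN"
    for net in "$@"; do
        # Known client network: hand the packet back to INPUT.
        printf '%s\n' "-A LUSTRE-IN -s $net -j RETURN"
    done
    # Anything left did not come from a listed client network.
    printf '%s\n' "-A LUSTRE-IN -j REJECT --reject-with tcp-reset" "COMMIT"
}

# Constructed sample: the thread's network plus a second, made-up one.
lustre_rules 172.10.0.0/16 192.168.50.0/24
```

The output can be checked without changing the running firewall by piping it to `iptables-restore --test --noflush` as root on the Lustre server. As noted earlier in the thread, this limits which hosts can connect; it does not limit what root on an allowed host can do.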