
Bug 431666

Summary: [security] NFS mounts should be root squashed for hipp servers
Product: Community
Reporter: Denis Roy <denis.roy>
Component: CI-Jenkins
Assignee: CI Admin Inbox <ci.admin-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: contact, thanh.ha, webmaster
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Linux
Whiteboard:
Bug Depends on:
Bug Blocks: 375350

Description Denis Roy CLA 2014-03-31 15:48:51 EDT
Inspired by bug 375350:

One thing we should do is root_squash the NFS mounts.  If you're root on a hipp machine, you should have no special access to the mounted filesystems.  That will also prevent/reduce the amount of config and secrets that a compromised hipp server root can access.

Comment 1 Denis Roy CLA 2014-04-21 15:52:23 EDT
exportfs now has entries like this:

export_point  hipp_subnet(options) \
              private_subnet(options)

... hipp_subnet is a /24 within the private /16 but since it's listed first, it gets the restrictive permissions.

We'll need to (eventually) either reboot the hipp machines, or forcibly umount/mount everything for this to take effect.

Comment 2 Denis Roy CLA 2014-04-22 08:53:16 EDT
Success.

root@hipp3:/shared # touch me
touch: cannot touch `me': Permission denied
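
The export layout from Comment 1, as an added example that is not part of the bug report or of Eclipse's configuration: a Python check that parses exports(5) syntax and reports, per export, whether the client specs that can reach a CI subnet squash root. The sample file, its subnets and every path other than /shared are constructed placeholders, and "last explicit setting wins" for repeated options is an assumption.

```python
import ipaddress
import re
# Constructed sample in exports(5) syntax; subnets and most paths are placeholders.
SAMPLE_EXPORTS = r"""
# CI subnet is a /24 inside the private /16 (layout from Comment 1)
/shared   10.0.5.0/24(rw,sync,root_squash) \
          10.0.0.0/16(rw,sync,no_root_squash)
/home     10.0.0.0/16(rw,sync)
/scratch  *(rw,no_root_squash)
/backup   192.168.9.0/24(rw,no_root_squash)
"""

def parse_exports(text):
    """Yield (path, client, [options]); an entry with no client name means any host."""
    text = re.sub(r"\\\n", " ", text)              # join continuation lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()     # drop comments
        for entry in fields[1:]:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", entry)
            if m:
                opts = [o for o in (m.group(2) or "").split(",") if o]
                yield fields[0], m.group(1) or "*", opts

def root_is_squashed(opts):
    """root_squash is the default; assumed: the last explicit setting wins."""
    squashed = True
    for o in opts:
        if o == "all_squash":
            return True                            # every uid is mapped, root included
        if o in ("root_squash", "no_root_squash"):
            squashed = (o == "root_squash")
    return squashed

def covers(client, subnet):
    """True/False for IP specs; None for hostnames, wildcards and netgroups."""
    if client == "*":
        return True
    try:
        return ipaddress.ip_network(client, strict=False).overlaps(subnet)
    except ValueError:
        return None                                # cannot decide statically

def audit(text, ci_subnet):
    """Map each export reachable from ci_subnet to squashed/unsquashed/mixed."""
    subnet, seen = ipaddress.ip_network(ci_subnet), {}
    for path, client, opts in parse_exports(text):
        if covers(client, subnet) is not False:    # undecidable specs count as reachable
            seen.setdefault(path, set()).add(root_is_squashed(opts))
    return {p: "squashed" if s == {True} else "unsquashed" if s == {False}
            else "mixed" for p, s in seen.items()}
```

A `mixed` result is the Comment 1 layout, where the outcome depends on which entry the server applies to the client; confirm it from a client the way Comment 2 does.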