Re: block root access to NFS mount



Mark Haney wrote:
Jeff Vian wrote:

On Mon, 2006-09-11 at 14:28 -0400, Mark Haney wrote:


Okay, here's a problem I'm running into. I have an NFS server that is controlled via NIS for which hosts access the NFS mounts. I need to give root access to an NFS client host machine, but /not/ the NFS mounts. Is there any way at all to control this, other than making the NFS mounts read only?

(Yeah I know it's a strange question, but time is pressing and I don't have enough of it to google.) Any help would be appreciated.



By default NFS maps root to nobody. Only if the no_root_squash option
is used when exported does root from the client have root privileges on
the nfs filesystem.

Often this also means that root may not even access the nfs filesystem
at all.

HTH
"man exports" will give more info, specifically in the User ID
Mapping section.

Let me see if I understand you, if I don't have 'no_root_squash' in my /etc/exports file for a particular NFS share, then if I am root on the /client/ I cannot access that NFS mount? If so, that's exactly what I'm looking for.


Yes, but as Jeff pointed out, it doesn't buy you anything.

As root on the client they can access any file on the exported filesystem which a "mortal" user can access. The simple rule is, don't export to a client unless you have administrative control.

In a more complex environment you might create different filesystems with home directories for each group of users. Then export each filesystem of users' home directories to clients as required. You would only export home directories to a client for the users who are supposed to be administered by the root user of the client in question.

If you export a filesystem to another administrative domain the only part of the filesystem which you can effectively control are files owned by root.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@xxxxxxxxxxxx
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
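
The root-squash behaviour discussed in this thread can be checked across a whole exports file. The following is an added example, not part of the original messages: a Python audit that reports, for each client entry in exports-format text, whether client root keeps uid 0 on the server. The sample hosts and paths are constructed, the function names are hypothetical, and it assumes unquoted paths and that `-` default options on a line are applied before the per-client options.

```python
import re

# Constructed sample in /etc/exports syntax; hosts and paths are made up.
SAMPLE_EXPORTS = """\
# one filesystem per group of users
/export/home/physics lab1.example.org(rw,sync) lab2.example.org(rw,no_root_squash)
/export/home/admin -rw,no_root_squash adm.example.org backup.example.org(ro,root_squash)
/export/scratch *.example.org(rw,all_squash) \\
    guest.example.org(ro)
"""

CLIENT = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def root_is_root(options):
    """True if client uid 0 keeps uid 0 on the server for this option list."""
    root_squash, all_squash = True, False   # defaults per exports(5)
    for opt in options:                     # later options override earlier ones
        if opt in ("root_squash", "no_root_squash"):
            root_squash = opt == "root_squash"
        elif opt in ("all_squash", "no_all_squash"):
            all_squash = opt == "all_squash"
    return not (root_squash or all_squash)

def audit_exports(text):
    """Return (path, client, root_is_root) for every client entry."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():   # join continuation lines
        fields = line.split("#", 1)[0].split()            # drop comments
        if not fields:
            continue
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):       # "-opt,opt": defaults for later clients on this line
                defaults = field[1:].split(",")
                continue
            match = CLIENT.match(field)
            if not match:
                continue                    # not a client(options) entry; skipped
            client = match.group(1) or "*"  # empty name means any host
            opts = (match.group(2) or "").split(",")
            findings.append((path, client, root_is_root(defaults + opts)))
    return findings

if __name__ == "__main__":
    for path, client, unsquashed in audit_exports(SAMPLE_EXPORTS):
        verdict = "ROOT NOT SQUASHED" if unsquashed else "root -> anonymous"
        print(f"{path:22} {client:20} {verdict}")
```

A squashed result only covers uid 0; it says nothing about files owned by non-root uids, which is the limitation raised in the reply above.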


