Old 07-11-2011, 05:04 PM   #1
leupi
Member
 
Registered: Mar 2004
Location: Annapolis, Maryland, USA
Distribution: Ubuntu 11.04, Mint 11.11, Xubuntu 11.11
Posts: 458

Rep: Reputation: 30
Linux file permission over a network


I'm trying to wrap my head around how Linux file permissions work over a network but I just seem to get more and more confused. I set up a fileserver with Ubuntu 10.04 Server (no GUI) and I want to share files with a few Linux desktops and laptops around the house with various users. Here is a scenario that confuses me.

I have a user on the server, jondoe, and there is a folder on the server, jon_folder, that I only want Jon to be able to see. Jon has a laptop and on that laptop he logs into Linux with the username jdoe and perhaps on a desktop he logs in as jon. Do I need to have all of those logins on the server, jdoe and jon (including the jondoe that I already have on the server)?

I have a very similar issue here. I created an account for my wife on the server as lneuman and have a folder called /data/linda. This folder is owned by user lneuman and group lneuman. She created an account on a desktop with the login linda (the passwords on the server and the desktop happen to be the same). I exported the directory as such:
Code:
/data/linda    *(rw,sync)
Then:
Code:
chmod 775 /data/linda
And on her desktop added this to /etc/fstab:
Code:
servername:/data/linda   /home/linda   nfs   defaults   0   0
Now when she logs in as linda on the desktop she can see and modify files that are in /data/linda on the server. That's great but I don't understand how this happened.

Where are the two accounts linked? There is a lneuman on the server and a linda on the desktop, they are the same human behind them, but I don't see how the linda account should have access to the /data/linda on the server that is owned by lneuman.

I then logged in under my account, todd, and modified /etc/fstab to mount /data/linda (on the server) to a new folder that I created on the desktop called /linda that is owned by user todd. I ran mount -a and it mounted and I was able to write to /data/linda. I have no idea why. What is allowing these users to write to that directory? I even changed the permissions on the server for /data/linda to 770 and from the desktop user todd was still able to write to /data/linda.

Hope that this was not all too rambling. I'm obviously missing something very important here. Thanks for any help.
 
Old 07-11-2011, 10:01 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
Quote:
Where are the two accounts linked?
... they're not; Linux doesn't care what name you use, only what the uid is. If I create a file on the NFS server and change ownership to, say, george (uid=501), then on the client I log in as gforeman (uid=501), I'm effectively the same user if I access that shared filesystem. These sorts of problems (uid/gid mismatches) are why we have centralised authentication mechanisms like LDAP and Kerberos.

As far as being able to write to the NFS share as a different user, maybe the todd and linda accounts are members of the same group?
 
2 members found this post helpful.
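
The uid matching described in the answer above, as an added example that is not part of the thread: a shell function that compares two passwd listings and reports which server account each client account is treated as over NFS. The account names and uids are constructed to resemble the thread's setup; they are not read from the poster's machines.

```shell
#!/bin/sh
# Added example. NFS with the default AUTH_SYS security flavor sends only the
# numeric uid/gid, so a client account acts as whichever server account holds
# the same number. All names and uids below are constructed sample data.

# Constructed /etc/passwd excerpts (name:passwd:uid:gid:gecos:home:shell).
SERVER_PASSWD='lneuman:x:1000:1000:Linda:/home/lneuman:/bin/bash
jondoe:x:1001:1001:Jon:/home/jondoe:/bin/bash'

CLIENT_PASSWD='todd:x:1000:1000:Todd:/home/todd:/bin/bash
linda:x:1001:1001:Linda:/home/linda:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin'

# uid_map SERVER_PASSWD_TEXT CLIENT_PASSWD_TEXT
# One line per regular client account: client_name uid server_name verdict
#   match     same uid and same name on both hosts
#   MISMATCH  uid belongs to a differently named server account
#   unmapped  no server account has this uid
uid_map() {
    {
        printf '%s\n' "$1" | sed 's/^/S:/'   # tag server lines
        printf '%s\n' "$2" | sed 's/^/C:/'   # tag client lines
    } | awk -F: '
        $1 == "S" { owner[$4] = $2; next }   # server table: uid -> name
        $1 == "C" && $4 >= 1000 && $4 != 65534 {   # skip system users, nobody
            if (!($4 in owner))       { srv = "-";       verdict = "unmapped" }
            else if (owner[$4] == $2) { srv = owner[$4]; verdict = "match" }
            else                      { srv = owner[$4]; verdict = "MISMATCH" }
            printf "%s %s %s %s\n", $2, $4, srv, verdict
        }'
}

# On real hosts, feed it the output of `getent passwd` from each machine.
uid_map "$SERVER_PASSWD" "$CLIENT_PASSWD"
```

A MISMATCH line means the client account reads and writes the export with the listed server account's permissions, whatever the two accounts are called.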
Old 07-12-2011, 07:02 AM   #3
leupi
Member
 
Registered: Mar 2004
Location: Annapolis, Maryland, USA
Distribution: Ubuntu 11.04, Mint 11.11, Xubuntu 11.11
Posts: 458

Original Poster
Rep: Reputation: 30
Thanks for the response. I do not believe that they are members of any common group but I will verify that when I get home.

So if I have user jdoe (uid=1000) on the server and user jon (uid=1000) on a laptop and user jon_doe (uid=1000) on a desktop then the server will look at them as the same user and will give permissions accordingly? If so, then with only five users in the house that may be the way to go. I've never set up ldap or kerberos, I'll look into the process.

Thanks again for your response.
 
Old 07-12-2011, 04:58 PM   #4
leupi
Member
 
Registered: Mar 2004
Location: Annapolis, Maryland, USA
Distribution: Ubuntu 11.04, Mint 11.11, Xubuntu 11.11
Posts: 458

Original Poster
Rep: Reputation: 30
Wife is on the computer so I can't get in there and verify UIDs.

Question though. If I do create a user on the server, jdoe (uid=1000) and a user on a laptop, jon (uid=1000) and have a file on the server that is owned by jdoe with permissions of 700 can someone logged into the laptop as jon see that file? Is there no password verification needed? In other words, could someone just create any account on a networked computer and see any file that is owned by a user on the server that happens to have the same uid?
 
Old 07-12-2011, 10:35 PM   #5
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
Correct... but you can secure the export in many ways, please see 'man exports' for examples.
 
1 members found this post helpful.
Old 07-13-2011, 08:36 AM   #6
leupi
Member
 
Registered: Mar 2004
Location: Annapolis, Maryland, USA
Distribution: Ubuntu 11.04, Mint 11.11, Xubuntu 11.11
Posts: 458

Original Poster
Rep: Reputation: 30
It seems that I can only restrict by hostname or IP address. There are five of us in the house and we pretty much bounce between computers, we just have separate logins so any one of us could be logged into any computer at any time.

Since it's just my wife and kids they are all Linux end users (no real knowledge of the nuts and bolts) and there is really nothing truly confidential on the server I'll do my best to coordinate usernames/uids and leave it at that for now. I might look into ldap and see how involved that is; could be a nice learning experience anyway.

Thanks for the advice
 
Old 07-13-2011, 07:06 PM   #7
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
I seem to recommend this a lot, but have a look at using autofs to mount user home directories from the server; the default permissions should prevent anyone from seeing your data. Setting up an LDAP server from scratch needs a little experience, so I'd suggest looking at FreeIPA as it basically does all the grunt work for you - but it depends on what level of learning you're after.
 
  

