NFS export - giving a computer access to root-owned files?

SirSefu · 10-08-2009, 01:09 AM

Yes, I know this is not a good practice, and this is only a short-term solution.

I have a server with a web-file-server daemon running internally as root, so the permissions for all files it transfers/creates have a uid/gid of 0:0.

This is fine for the daemon, but I would like to manage those files from another workstation - actually a few workstations on a very limited LAN subnet - through NFS. How would it be possible to have users from a certain subnet mount NFS with root read/write abilities?

I have seen the anonuid/anongid options (for the /etc/exports file), but I'm not so sure this is the right way to go.

madmadmod · 10-08-2009, 02:58 AM

Hi

I think what you want to do is something like:

/etc/exports (Webserver)

Code:

/myapplication     x.x.x.x(rw,no_root_squash)

And if you want to give the usrs on the other server the permissions to mount that filesystem, I would use sudo.

SirSefu · 10-08-2009, 04:36 AM

Hello,

Thanks for your reply - what you're showing is a rather normal NFS export, but I'd rather that the client machines mount directories without having to sudo - only I know the password.

chrism01 · 10-08-2009, 09:08 PM

root_squash or no_root_squash, the files are still owned by root.
I think what you need (if you don't want the clients to use sudo to become root) is to open up the 'other'/3rd set of file perms eg

rw-rw----

becomes

rw-rw-rw-

madmadmod · 10-09-2009, 02:21 AM

ok, i think i still dont understand what you want to do ;-)

I understand now the following:

- user should be able to mount the nfs exports without sudo or switching to root first. --> can be done with autofs

- files owned by root on the remote server should be readable and writable by "normal" users from via the mounted filesystem? --> hmm... you could use samba and then use the "force user = root" option.

Quote:

force user (S)
This specifies a UNIX user name that will be assigned as the default user for all users connecting to this
service. This is useful for sharing files. You should also use it carefully as using it incorrectly can cause
security problems.

This user name only gets used once a connection is established. Thus clients still need to connect as a valid
user and supply a valid password. Once connected, all file operations will be performed as the "forced user",
no matter what username the client connected as. This can be very useful.

In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the
primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the
connecting user (this was a bug).

archtoad6 · 11-07-2009, 10:24 AM

Warning: I don't use NFS, so I don't know what complications it might add to the following suggestion:

Change the group ownership of the files, & add the authorized uses to the new ownership group.