Limit folder access in NFS

Min Donner · 08-19-2004, 03:57 PM

SUSe 9.0 Pro. Seriouse Newbie.

I want to setup NFS but I do not want everyone to access all the folders on the server. For instance, only some should be able to access the MIS folder, others the R&D folder. With Netware, I just create groups and assign folder rights to the group. How do I accomplish the same thing with NFS?

idaho · 08-20-2004, 01:00 AM

You might want to take a look at this document:
http://www.linuxquestions.org/questi...ticle&artid=20

Min Donner · 08-20-2004, 07:40 AM

I understand file permissions, but how does this apply to the server side? In Netware, the users ID is passed to the server at login. How does the Linux server know who is trying to access the folder?

dcostakos · 08-20-2004, 10:43 AM

NFS assumes that the UID of the user accessing the file on the client is the UID. So, if I'm a user on both systems and I have UID 500 on both the server and the client, everything is fine. But if I have differing UIDs, problems can occur.

Min Donner · 08-20-2004, 11:07 AM

So I need to create a user on the server wih the same name as the user on the client? If the UID is different, I assume that needs to be changed. Does not sound like a very efficent way to run a server.

If i have three people starting the same day, their UIDs on their client will not match the UIDs on the server.

dcostakos · 08-20-2004, 11:35 AM

I agree with your frustration and I feel it too. More than that, NFS can be a security risk. An evil adminstrator with root privileges on a client that mounts your NFS shares can assume any UID on the client and create or modify files as that UID on the server. So, there are plenty things to think about above and beyond file and directory permissions.

I don't know what all your requirements are here, but I wonder if SAMBA is a better option for you? I have also done some experimenting with "shfs" (http://shfs.sourceforge.net/) -- though I don't really have enough experience with it yet to make informed comments or recommendations. I'd love to hear them if someone out there has some.

idaho · 08-20-2004, 01:40 PM

You generally want to have centralized authentication (e.g., NIS) if you have centralized file serving.

dcostakos is correct about the dangers poised by an evil user who gets local root privileges. One possible approach is to export your sensitive directories only to specific clients.

Min Donner · 08-20-2004, 01:54 PM

Honestly, my only requirment is to increase my skill set. I am trying to learn how this stuff works to make me more marketable. I suppose SAMBA is the way to go as i doubt there are many Linux only companies out there.

I tried to look into NIS but couldn't find anyhting at my level. "NIS for Dummies" would be nice. "NIS for the complete idiot" would be better.