Strange behavior NFS 'root_squash' and 'no_root_squash' mount causes access denied
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Strange behavior NFS 'root_squash' and 'no_root_squash' mount causes access denied
Hi
I'm brand new to this forum, so please forgive me if I've posted incorrectly, any guidance is welcome.
I'm experiencing a strange issue with NFS and wonder if I have found a bug or if I'm missing something. I'm using Kubuntu 18.04 on the desktop and my Server is Ubuntu Server 18.04.
I'm trying to securely share some directories from the server to my desktop, I'll show the configuration I'm trying to achieve and the errors I get (the shares will not mount, access is denied) and the strange way in which I can get it working but not quite as secure as I would like.
rich@kubu:~$ sudo mount -a
mount.nfs: access denied by server while mounting 192.168.1.42:/home/rich/unison-sync/Documents
mount.nfs: access denied by server while mounting 192.168.1.42:/home/rich/unison-sync/Downloads
mount.nfs: access denied by server while mounting 192.168.1.42:/home/rich/unison-sync/Music
mount.nfs: access denied by server while mounting 192.168.1.42:/home/rich/unison-sync/Pictures
mount.nfs: access denied by server while mounting 192.168.1.42:/home/rich/unison-sync/Videos
The issue preventing my mounting these shares are the options in the server /etc/exports file of "root_squash" which is what I am after. If I change this to "no_root_squash", the shares will mount, but as I understand it this is not properly secure.
Now here is the strange behavior (see modified /etc/exports file below), after changing only the first line in the /etc/exports file to "no_root_squash" on the server and then issuing the command "sudo exportfs -a" all shares will mount on the desktop and it all works without issue (except the security issue). I've now tested this several times and rebooted both desktop and server, several times and find this to be consistent.
I've conducted a few experiments in trying to narrow things down further. I tried putting "no_root_squash" in another entry instead of the the one in the first line. This resulted in the original problem of access being denied.
I tried a different entry on the top line and various other things I now can't recall. It appears that I must have "no_root_squash" as an option in the first line of the exports file in order to be able to mount the entries. If all things were equal I would expect entries that contained the "no_root_squash" option to be the only shares mountable and the rest be denied. That is not the case. If the first entry has the option "no_root_squash", then all the entries below with "root_squash" as an option also mount.
This does not make sense to me, so I think I've either uncovered a bug, or there is something I do not understand. Ultimately I would like the system to work as expected using the "root_squash" option to ensure better security. The last entry in the exports file referring to "/var/www/rich/" contains my wordpress development environment files and has always worked as expected (interesting that the directory tree is outside /home, is that relevant?). I have tried "all_squash" and use the relevant "anonuid" and "anongid" for the user. The GID and UID numbers on the server and desktop are identical, but no dice there, just access denied, I find it all weird and inconsistent.
Please can anyone help and/or shed some light on what is going on here. Or should I report this as a bug, and if so, guidance on how to do this will be gratefully received.
I wonder if root squash is a red herring. Perhaps somehow your exports were not effective prior to running exportfs -a, and the problem gets resolved by exporting manually.
It's the same on a server reboot and I've tried it several times so I don't think it's a red herring. Thanks for the link, I'll check it out and see if it helps.
Maybe you need to add the NFS clients to hosts.allow. Depends on the Linux distribution but you can check if you have such files in /etc (hosts.allow hosts.deny)
Maybe you need to add the NFS clients to hosts.allow. Depends on the Linux distribution but you can check if you have such files in /etc (hosts.allow hosts.deny)
if you use this only internally (as the ip suggests), i don't see any security issues.
also make sure it is not a firewall issue, on both sides.
Thanks ondoho. I'm not savvy enough to know if there are any security issues. It is all local, nothing here exposed to the internet, so I think I'll live with it as it is.
But is this issue a bug? To my (I admit limited) knowledge I think it is.
I tried a creative approach by adding the directory "null" in my home folder and adding this as the first line in /etc/exports
with a non-existant ip address in the hope that having the first line in my exports file contain "no_root_squash" as an option would allow all the other directories to mount. No dice, it seems that the first line must be mounted "no_root_squash" to allow the rest of the mounts to work. I think there's mileage in this approach, but I don't have time to experiment right now.
One thing I forgot to mention, I did have this working as expected from the same machine running Manjaro a few weeks back, so maybe troubleshooting the client machine is a good idea. Beyond the /etc/fstab I don't know where to look.
I don't have access to another Linux Client right now, but I could load up a virtual machine and see where I get to with that.
Thanks ondoho. I'm not savvy enough to know if there are any security issues. It is all local, nothing here exposed to the internet, so I think I'll live with it as it is.
just to clarify, when i said "no security issues afaics", i was refering to my own solution.
you will notice that there's a confusing nested directory mount structure applied there. this is not my own invention but something i took from the tutorial i followed. i probably used the archwiki for this, even though my server runs debian.
Quote:
But is this issue a bug? To my (I admit limited) knowledge I think it is.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.