[Lvlug] NFS: Can read but not write files

Randy Kramer rhkramer at gmail.com
Tue Jul 5 10:24:59 EDT 2005


On Monday 04 July 2005 11:41 pm, Martin DiViaio wrote:
> >> Under what user are you running the mount command on the client? Is it
> >> the same user that owns the files on the server?
> >
> > Just to be nitpicky (or something): should that really matter?  I've been
> > doing it as root, and am now successful reading and writing under my
> > userid (while using no_root_squash)--will I be unsuccessful if I
> > switch to root_squash and still do the mount as root?  (I presume that
> > during a boot, mounts are done by root.)
>
> With the all_squash setting, the NFS mount process was being handled by
> UID 65534 on the server (when you turn on root_squash, this will happen
> again but only for requests made by UID 0.) UID 65534 is usually
> identified as user "nobody". The server process has whatever access rights
> are available to that user for the files it is trying to serve (probably
> just global read). (I missed this in your first post.)

If that's a question, the Mandrake (10 and 10.1) automagic setup specified ro 
and all_squash for the mounts.  I wanted rw, so I switched ro to rw, but had 
no idea I also needed to change all_squash.  (If yours was a question, not 
sure this answered it anyway.)

> Normally, a NFS mount request comes to the server with the UID of the user
> making the request. The serving process is started as the same UID on the
> server. This is why it's so important to make sure that UIDs and GIDs
> match on the client and server. Since the serving process is now running
> with limited permissions it only has whatever access to the exported tree
> that the user would have from a shell (does that make sense?)
>
> The nfs server program goes through great pains to not run processes as
> root (for obvious reasons). This is also why you need to set up
> masquerading. In masquerading, you tell the NFS server to ALWAYS use a
> certain UID to start the server process for an export or to use a certain
> UID when another UID makes a mount request.
>
> Lastly, the /etc/exports file supports an old format of ACLs. You will
> want to look into them.
>
> Again, I am going to refer you to the exports(5) man page. You could also
> pick up a copy of NFS/NIS from O'Reilly but it's very heavy on NIS.

I tried reading / skimming man 5 exports a few times now, in a few cases 
searching for mount or access.  IIUC, mounting and accessing files via NFS 
differs from the "normal" Linux mounting and accessing of local files in 
that:

local filesystems are (can be) mounted by root and the access to files (and 
directories) is controlled by the ownership/permissions for the file.  (but, 
of course, root can access any of those files regardless of permissions)

NFS remote filesystems (if root squash is in effect) cannot be mounted by 
root--oops, OK that's the wrong way to phrase it--they *could* be mounted by 
root, but root_squash makes a remote root not be recognized on the server 
(instead recognized as "nobody"), thus also preventing (a remote) root (aka 
nobody) from accessing those files (which is a good thing for security).  
But, as a consequence, mounting of the filesystem must be by the owner (or 
anonpid or whatever).

Thanks, I think I've got it, even if I may not have expressed it 100% 
accurately.

regards,
Randy Kramer
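As an added illustration of the squash rules discussed in this thread (not code from the list or from the NFS project), here is a small Python model of how the exports(5) squash options map a client's UID/GID to the identity the server acts as, and of why changing ro to rw alone did not make the Mandrake all_squash export writable. It assumes the documented defaults (ro, root_squash, anonuid/anongid 65534) and a deliberately simplified permission check that ignores directory permissions, supplementary groups and ACLs.

```python
import stat

ANON_UID = 65534  # exports(5) default anonuid, usually the user "nobody"
ANON_GID = 65534  # exports(5) default anongid


def parse_options(opt_str):
    """'rw,all_squash,anonuid=1000' -> {'rw': True, 'all_squash': True, 'anonuid': 1000}"""
    opts = {}
    for tok in opt_str.split(","):
        tok = tok.strip()
        if tok:
            key, _, val = tok.partition("=")
            opts[key] = int(val) if val else True
    return opts


def squash(client_uid, client_gid, opts):
    """Return the (uid, gid) the server uses for a request from this client identity."""
    anon = (opts.get("anonuid", ANON_UID), opts.get("anongid", ANON_GID))
    if opts.get("all_squash"):                  # every client identity becomes anonymous
        return anon
    if client_uid == 0 and not opts.get("no_root_squash"):
        return anon                             # root_squash is the default
    return (client_uid, client_gid)


def can_write(client_uid, client_gid, opts, owner_uid, owner_gid, mode):
    """Simplified server-side write check against the file's owner and mode bits."""
    if not opts.get("rw"):                      # exports are read-only unless rw is given
        return False
    uid, gid = squash(client_uid, client_gid, opts)
    if uid == 0:                                # unsquashed root bypasses the mode bits
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if gid == owner_gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    # Constructed scenario: a file owned by uid/gid 1000 with mode 0644 on the server.
    for export in ("ro,all_squash", "rw,all_squash", "rw", "rw,no_root_squash"):
        o = parse_options(export)
        print(f"{export:20s} uid 1000 writes: {can_write(1000, 1000, o, 1000, 1000, 0o644)}  "
              f"root writes: {can_write(0, 0, o, 1000, 1000, 0o644)}")
```

The output shows that with plain rw (root_squash in effect) the user's own requests succeed while root's are squashed to nobody and fail, so mounting as root does not by itself block a non-root user from writing.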