Gentoo Forums
Networking & Security
nfsv4 mountpoint permissions
DaggyStyle
Watchman
Joined: 22 Mar 2006
Posts: 5270
Posted: Fri Nov 09, 2018 5:27 pm    Post subject: nfsv4 mountpoint permissions

Greetings,

Something must have broken on my server or client: whenever I mount an NFSv4 share on my machine, the owner and group of the mountpoint change from my user to root.root.
That results in a Permission denied error when I try to copy a file to the mount.
Here is the fstab on the client:
Code:
nas_server:/mnt/media           /mnt/media              nfs             rw,async,_netdev  0  0

and on the server:
Code:
/mnt/media      10.0.0.0/24(ro,nohide,insecure,no_subtree_check)
/mnt/media      10.0.0.1(rw,nohide,insecure,no_subtree_check)

My desktop's IP is 10.0.0.1.
Any idea what it can be?
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13495
Posted: Sat Nov 10, 2018 12:52 am

From your description, this sounds like it works as designed. When you shadow a directory by mounting something on it, whether local or remote, the ownership and permissions of the mounted object shadow the permissions of the directory, just as the contents of the mounted object shadow the contents of the directory. If the exported filesystem's root directory is owned root:root, then that is what you will get on the client.
DaggyStyle
Watchman
Posted: Sat Nov 10, 2018 6:11 am

Hu wrote:
From your description, this sounds like it works as designed. When you shadow a directory by mounting something on it, whether local or remote, the ownership and permissions of the mounted object shadow the permissions of the directory, just as the contents of the mounted object shadow the contents of the directory. If the exported filesystem's root directory is owned root:root, then that is what you will get on the client.

I'm not so sure about that, see:
Code:
NCC-5001-D /home/dagg # mount | grep media
nas_server:/mnt/media on /mnt/media type nfs4 (rw,relatime,vers=4.1,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.0.1,local_lock=none,addr=10.0.0.3,_netdev)
NCC-5001-D /home/dagg # whoami
root
NCC-5001-D /home/dagg # ll /mnt | grep media
drwxr-xr-x  8 root root        4096 Oct 20  2017 media
NCC-5001-D /home/dagg # ll /mnt/media/
total 61
drwxr-xr-x 79 dagg dagg 12288 Oct  3  2015 music
drwxr-xr-x  2 dagg dagg 16384 Oct  4  2015 lost+found
drwx------  4 dagg dagg  4096 Mar  5  2016 .Trash-1000
drwxr-xr-x  2 dagg dagg  4096 Sep 24  2016 concerts
drwxr-xr-x  8 root root  4096 Oct 20  2017 .
drwxr-xr-x 17 dagg dagg  4096 Jul 13 19:07 series
drwxr-xr-x 22 root root   600 Aug  7 20:26 ..
drwxr-xr-x  2 dagg dagg 16384 Oct 25 19:57 movies
NCC-5001-D /home/dagg # touch /mnt/media/file
touch: cannot touch '/mnt/media/file': Permission denied
NCC-5001-D /home/dagg #


I cannot even add a file as root.
As I said, it worked before...
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5801
Posted: Sat Nov 10, 2018 8:21 am

You're probably missing no_root_squash; without it, root gets demoted to "nobody".
_________________
overlay | patches
Neddyseagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.
DaggyStyle
Watchman
Posted: Sat Nov 10, 2018 10:09 am

bunder wrote:
You're probably missing no_root_squash; without it, root gets demoted to "nobody".

Won't that give anyone on 10.0.0.1 write permissions? What if I want to limit it to a specific user on 10.0.0.1?
bunder
Bodhisattva
Posted: Sat Nov 10, 2018 10:29 am

No, only root. You can leave it off if you want, but you'll at least want to

Code:
chown dagg:dagg /mnt/media


on the server.
DaggyStyle
Watchman
Posted: Sat Nov 10, 2018 12:32 pm

bunder wrote:
No, only root. You can leave it off if you want, but you'll at least want to

Code:
chown dagg:dagg /mnt/media


on the server.

So chown dagg server:/mnt/media (where the IDs match on both machines) will do the trick without the no_root_squash option?
bunder
Bodhisattva
Posted: Sat Nov 10, 2018 12:45 pm

Yeah, if you don't care about root access, the chown to your user should be enough (as your /mnt/media appears to be owned by root):

Code:
 drwxr-xr-x  8 root root  4096 Oct 20  2017 .

DaggyStyle
Watchman
Posted: Sat Nov 10, 2018 12:50 pm

bunder wrote:
Yeah, if you don't care about root access, the chown to your user should be enough (as your /mnt/media appears to be owned by root):

Code:
 drwxr-xr-x  8 root root  4096 Oct 20  2017 .

All I want is for user dagg on 10.0.0.1 to have rw permissions on server:/mnt/media;
the rest should have read support (not including root on the server). I'll give it a try, thanks.
Hu
Moderator
Posted: Sat Nov 10, 2018 4:43 pm

The advice here looks good. To elaborate on no_root_squash: when root squashing is enabled, and the client sends a uid=root, the server rewrites that as uid=nobody[1], then applies permission checks with the rewritten uid. Since user nobody cannot access the mount with the permissions shown, a failure occurs. When the client sends a uid!=root, root squashing is irrelevant and the client's uid is used as-is. This has the effect that root is often less privileged than regular users, which surprises people the first time they encounter root squashing. Its security value is not perfect, since an unrestricted root on the client can change its uid to anything else, and then it will not be squashed. This means that root squashing protects you in two cases:
  • Permissions on the server restrict access to uid=root, so any uid other than root is guaranteed to be denied. Therefore, no matter what id the tricky client switches to, it will not have access.
  • You care only about client programs that are not intentionally trying to subvert the system. Such programs, by definition, will not engage in trickery like changing their uid.
As a related issue, beware all_squash. That coerces all user ids sent by the client, rather than only uid=root.

[1] Technically, it is remapped to the anonymous id. By tradition, the anonymous id defaults to nobody. You can remap to some other id if you want. See man exports.
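To make the squashing rules Hu describes concrete, here is an added Python model of the server-side decision. It is not code from this thread or from nfs-utils. It parses the two export lines from the first post, maps the client's uid/gid under root_squash (the default), no_root_squash and all_squash, and then applies the directory's mode bits the way the listing above shows them (drwxr-xr-x, root:root before bunder's chown, dagg:dagg after). Assumptions: the anonymous id is 65534, dagg's uid and gid are 1000 on both machines, only the directory's mode bits are checked (no ACLs, no sec= flavours), and when a client address matches several entries the most specific one is used; the real server's matching precedence is not reproduced.

```python
"""Model of how an NFS server maps a client's uid/gid under root_squash,
no_root_squash and all_squash, then applies ordinary Unix permission bits.

Added illustration for the forum thread; not code from the thread or nfs-utils.
"""
import ipaddress
import stat
from dataclasses import dataclass

ROOT_UID = 0
ANON_UID = 65534  # assumed default anonuid ("nobody"); see man exports
ANON_GID = 65534  # assumed default anongid


@dataclass(frozen=True)
class Export:
    path: str
    client: ipaddress.IPv4Network
    options: frozenset


def parse_exports(text):
    """Parse /etc/exports-style lines into one Export record per host spec."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            host, _, opts = spec.partition("(")
            options = frozenset(o for o in opts.rstrip(")").split(",") if o)
            exports.append(Export(path, ipaddress.ip_network(host, strict=False), options))
    return exports


def find_export(exports, path, client_ip):
    """Return the export for path matching client_ip, preferring the most
    specific host entry (a simplification; precedence is an assumption)."""
    addr = ipaddress.ip_address(client_ip)
    matches = [e for e in exports if e.path == path and addr in e.client]
    if not matches:
        return None
    return max(matches, key=lambda e: e.client.prefixlen)


def effective_ids(export, uid, gid):
    """Apply squashing: all_squash maps everyone to the anonymous id,
    root_squash (the default) maps only uid 0, no_root_squash disables that."""
    if "all_squash" in export.options:
        return ANON_UID, ANON_GID
    if uid == ROOT_UID and "no_root_squash" not in export.options:
        return ANON_UID, ANON_GID
    return uid, gid


def may_write(export, uid, gid, owner_uid, owner_gid, mode):
    """Decide whether a client request with (uid, gid) may create a file in a
    directory owned by owner_uid:owner_gid with the given mode bits."""
    if export is None or "rw" not in export.options:
        return False  # not exported to this client, or exported read-only
    euid, egid = effective_ids(export, uid, gid)
    if euid == ROOT_UID:
        return True  # unsquashed root is not subject to mode bits
    if euid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if egid == owner_gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


# Constructed sample: the two export lines from the first post.
SAMPLE_EXPORTS = """\
/mnt/media      10.0.0.0/24(ro,nohide,insecure,no_subtree_check)
/mnt/media      10.0.0.1(rw,nohide,insecure,no_subtree_check)
"""
DAGG_UID = DAGG_GID = 1000  # assumed id of user dagg on both machines
DIR_MODE = 0o755            # drwxr-xr-x, as in the thread's listing


def scenario(exports_text, client_ip, uid, gid, owner_uid, owner_gid):
    """Can (uid, gid) from client_ip create a file in /mnt/media owned by owner_uid:owner_gid?"""
    exp = find_export(parse_exports(exports_text), "/mnt/media", client_ip)
    return may_write(exp, uid, gid, owner_uid, owner_gid, DIR_MODE)


if __name__ == "__main__":
    # Before the chown: /mnt/media is root:root on the server.
    print(scenario(SAMPLE_EXPORTS, "10.0.0.1", 0, 0, 0, 0))                # False: root squashed to nobody
    print(scenario(SAMPLE_EXPORTS, "10.0.0.1", DAGG_UID, DAGG_GID, 0, 0))  # False: "other" has no write bit
    # After chown dagg:dagg /mnt/media on the server.
    print(scenario(SAMPLE_EXPORTS, "10.0.0.1", DAGG_UID, DAGG_GID, 1000, 1000))  # True
    print(scenario(SAMPLE_EXPORTS, "10.0.0.1", 0, 0, 1000, 1000))                # False: root still squashed
    print(scenario(SAMPLE_EXPORTS, "10.0.0.7", DAGG_UID, DAGG_GID, 1000, 1000))  # False: only the ro entry matches
```

Run as a script, the first two cases reproduce the Permission denied from the thread (root is squashed to nobody, and dagg only has the "other" bits on a root-owned directory), the third shows the chown fixing it, the fourth that root stays locked out without no_root_squash, and the fifth that hosts covered only by the 10.0.0.0/24 entry cannot write regardless of uid. Editing the option string to add all_squash makes dagg fail too, which is Hu's closing warning.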
DaggyStyle
Watchman
Posted: Sat Nov 10, 2018 5:03 pm

I've done what bunder suggested: on 10.0.0.1 root gets a permission error, dagg doesn't.
On all other systems there are no write permissions.
All good, no?
bunder
Bodhisattva
Posted: Sat Nov 10, 2018 9:51 pm

Quote:
All I want is for user dagg on 10.0.0.1 to have rw permissions on server:/mnt/media;
the rest should have read support

Quote:
I've done what bunder suggested: on 10.0.0.1 root gets a permission error, dagg doesn't.
On all other systems there are no write permissions.
All good, no?

Sounds good to me :wink: