Gentoo Forums
[Solved] NFS - Permissions denied on client side, need +x
lexflex
Guru

Joined: 05 Mar 2006
Posts: 362
Location: the Netherlands

PostPosted: Sun Oct 06, 2019 5:20 am    Post subject: [Solved] NFS - Permissions denied on client side, need +x

Hi,

I am trying to share files from my central home server with a couple of clients on the same local network using NFS.

However, on the client side, the files show 'permission denied' and are blinking red:
Code:
 /mnt # ls Server/ -all
ls: cannot access 'Server/.': Permission denied
ls: cannot access 'Server/..': Permission denied
ls: cannot access 'Server/file1.txt': Permission denied
ls: cannot access 'Server/file2.txt': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
?????????? ? ? ? ?            ? file1.txt
?????????? ? ? ? ?            ? file2.txt

This seems to be the same issue as described (but not solved) here:
https://forums.gentoo.org/viewtopic-t-1077002-highlight-nfs+permissions.html
https://forums.gentoo.org/viewtopic-t-1065634-highlight-nfs+permissions.html

On the server side:

Code:
 /homessd/alex/nfstest/data # ls -all
total 16
drw-r--r-- 2 alex      alex      4096 Oct  6 06:23 .
drwxr-xr-x 3 alex      alex      4096 Oct  6 06:23 ..
-rw-r--r-- 1 alexander alexander    7 Oct  6 06:23 file1.txt
-rw-r--r-- 1 alexander alexander    7 Oct  6 06:23 file2.txt

And server-side /etc/exports:

Code:
cat /etc/exports
# /etc/exports: NFS file systems being exported.  See exports(5).
/homessd/alex/nfstest/data  192.168.0.0/255.255.0.0(rw,all_squash,crossmnt)

I can somehow solve it by changing the permissions to 777 (including +x):

Server side:
Code:
# chmod 777 /homessd/alex/nfstest/data/ -R
HomeServer /homessd/alex/nfstest/data # ls -all
total 16
drwxrwxrwx 2 alex      alex      4096 Oct  6 06:23 .
drwxr-xr-x 3 alex      alex      4096 Oct  6 06:23 ..
-rwxrwxrwx 1 alexander alexander    7 Oct  6 06:23 file1.txt
-rwxrwxrwx 1 alexander alexander    7 Oct  6 06:23 file2.txt

The client then shows:

Code:
# ls Server/ -all
total 16
drwxrwxrwx 2 root root 4096 Oct  6 06:23 .
drwxr-xr-x 6 root      root      4096 Oct  6 06:20 ..
-rwxrwxrwx 1 alex      alex         7 Oct  6 06:23 file1.txt
-rwxrwxrwx 1 alex      alex         7 Oct  6 06:23 file2.txt

So, although this workaround works, it seems a bit strange that I would need to add +x in order to share read/write directories and files...
I guess I probably somehow messed up permissions on one side or the other, but I would not know how to change this behavior (and if this is normal behavior or not, although I expect it is not).

Thanks for any hints, pointers, on how to get this NFS-sharing right,

Alex.

Last edited by lexflex on Tue Oct 08, 2019 8:38 am; edited 1 time in total
krinn
Watchman

Joined: 02 May 2003
Posts: 7367

PostPosted: Sun Oct 06, 2019 9:15 am

1/ Your exports is bad for an nfsv4 server. I know nfsv4 servers are lazy and accept weird entries (for nfsv3 server compatibility), but the result is still bad; do the thing properly if you want proper behavior.
An nfsv4 server can be used with nfsv3 clients, but that doesn't mean an nfsv4 server should be configured like an nfsv3 server.
see for example : https://wiki.gentoo.org/wiki/Nfs-utils#Virtual_root
2/ Did you mess up your group and user id between your server and client?
Code:
Server side:
...
-rwxrwxrwx 1 alexander alexander    7 Oct  6 06:23 file1.txt
The client then shows:
-rwxrwxrwx 1 alex      alex         7 Oct  6 06:23 file1.txt

I would expect the client to also show "alexander:alexander" too. It's not a problem if you only have alexander on one side and alex on the other side, but your server shows the directories are owned by "alex", so the server at least has two users, "alex" and "alexander"; I suppose your client has that too.

3/ The "all_squash" option makes the server handle any query as "nfsnobody:nfsnobody",
so even if your client made a query as alexander:alexander, the server will not compare the action to alexander:alexander permissions, but against nfsnobody:nfsnobody permissions.
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 44900
Location: 56N 3W

PostPosted: Sun Oct 06, 2019 9:29 am

lexflex,

nfs uses the user and group IDs everywhere.
What does
Code:
ls -n
show on both systems for those files.

The owner and group names are not useful as they are obtained by consulting the local /etc/password and /etc/groups.
There is a world of pain getting those aligned across all the systems that will use the nfs share.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
lexflex
Guru

Joined: 05 Mar 2006
Posts: 362
Location: the Netherlands

PostPosted: Sun Oct 06, 2019 12:57 pm

Hi Krinn and Neddy, thanks for your replies!


krinn wrote:

2/ Did you mess up your group and user id between your server and client?


Probably I messed up, since I actually didn't take care of aligning those user IDs at all.
They are just two systems on my local network, one acting as server with storage, the others acting as clients.
Since it is local, I trust the clients and also would like the clients to write/add to those directories.


Quote:
see for example : https://wiki.gentoo.org/wiki/Nfs-utils#Virtual_root

Yes, I read that, but I thought the virtual root thing was not relevant for my usecase in which I just share a specific directory.


From both your replies, I understand that the official way to do it right includes aligning all IDs (which is a pain, as Neddy suggests, specifically since both systems already have users).
Is there some simpler way of doing this on local trusted machines that does not involve that?

The use case (which I hoped was simple) that I wanted to achieve is:
a) share media files on a local server
b) watch them from clients on the local network

If I don't want to go down the route of aligning all IDs, what would be the simplest way to share files between (local network) Linux machines? Is nfs a good choice for that?


NeddySeagoon wrote:
What does
Code:
ls -n
show on both systems for those files.

Server side:

Code:
$ ls -all -n
total 16
drwxrwxrwx 2 1002 1002 4096 Oct  6 06:23 .
drwxrwxrwx 3 1002 1002 4096 Oct  6 06:23 ..
-rwxrwxrwx 1 1000 1000    7 Oct  6 06:23 file1.txt
-rwxrwxrwx 1 1000 1000    7 Oct  6 06:23 file2.txt



Client side:


Code:
$ ls -n
total 8
-rwxrwxrwx 1 1000 1000 7 Oct  6 06:23 file1.txt
-rwxrwxrwx 1 1000 1000 7 Oct  6 06:23 file2.txt

Thanks!

Alexander.
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 44900
Location: 56N 3W

PostPosted: Sun Oct 06, 2019 1:15 pm

lexflex,

Before I answer, I infer that you only need read access from the clients?
Is that true?
Think about how you will add new titles to the server.

On my mediaserver, I use nfs version 3 as I could not get netbooting to work with nfs ver4.

The /etc/exports contains
Code:
/mnt/mediatomb 192.168.100.0/24(no_subtree_check,root_squash,all_squash,ro,async)
/mnt/mediatomb 192.168.100.20(no_subtree_check,all_squash,rw,async,anonuid=1000)

All users on 192.168.100.0/24 see the files as user nobody and may read them.
My system on 192.168.100.20 is allowed rw access and whatever user I appear as is forced to anonuid=1000.
That's my userID on the server.

On my system /etc/fstab contains
Code:
# DVDs Read Only
192.168.100.55:/mnt/mediatomb           /mnt/media      nfs            sync,hard,intr,ro,nolock,vers=3  0 0

It's read only there. If I want to add media, I have to remount it read/write.
That's fairly rare though.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Jaglover
Watchman

Joined: 29 May 2005
Posts: 7468
Location: Saint Amant, Acadiana

PostPosted: Sun Oct 06, 2019 1:16 pm

Changing a UID is a matter of editing it and then running chown on the user's home. If it seems too much, create a group on both machines and allow full access to this group.
_________________
Please learn how to denote units correctly!
msst
Apprentice

Joined: 07 Jun 2011
Posts: 241

PostPosted: Sun Oct 06, 2019 2:32 pm

Quote:
The owner and group names are not useful as they are obtained by consulting the local /etc/password and /etc/groups.
There is a world of pain getting those aligned across all the systems that will use the nfs share.
Learnt through some pain: NFS is fast and easy, but it is old and its handling of permissions / access control sucks. The only thing that sucks even more is debugging NFS problems.
Therefore the only way to handle NFS shares across several computers is ensuring all UID/GID match exactly. Ideally also all usernames. And only inside trusted local networks.

If you want more, don't use NFS.
Jaglover
Watchman

Joined: 29 May 2005
Posts: 7468
Location: Saint Amant, Acadiana

PostPosted: Sun Oct 06, 2019 3:18 pm

NFSv4 was designed with usage over the internet in mind. You can use NIS to avoid the UID:GID problem. There is also idmapping for NFS. So I'd amend the previous poster: don't use NFS if you don't know how.
_________________
Please learn how to denote units correctly!
Hu
Moderator

Joined: 06 Mar 2007
Posts: 14922

PostPosted: Sun Oct 06, 2019 4:27 pm

You need search on a directory (+x) to stat files in it. On the server, you ran as root, so root's CAP_DAC_READ_SEARCH let you ignore the permissions and search the directory even when the permissions said you could not. On the client, squashing changed your effective uid, as other posters have already explained above. As a general debugging tip, if you want to use squashing, then your shell on the server should be run under the same uid as the squashed clients. If you had run the server's shell as alex, you would have seen more consistent results.
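The squashing and search-permission points made in the replies above (krinn's all_squash note, NeddySeagoon's anonuid export and Hu's +x explanation) modelled as an added Python example; this is not code from the thread, and the inode owners, modes and the 65534 anonymous id are constructed or assumed values:

```python
"""Added example (not the thread's code): model of an NFS server's access decision.
It applies exports(5) squashing (root_squash, all_squash, anonuid/anongid), then
the POSIX mode-bit check, including the rule that a directory needs search (+x)
before its entries can be stat()ed. Inodes are constructed from the thread."""
from dataclasses import dataclass

NOBODY = 65534      # assumed anonymous uid/gid used when squashing
R, W, X = 4, 2, 1   # permission bits within one class (owner/group/other)


@dataclass
class Inode:
    mode: int   # permission bits only, e.g. 0o644
    uid: int
    gid: int


def squash(uid, gid, opts, anonuid=NOBODY, anongid=NOBODY):
    """Credentials the server actually checks, after the export options."""
    if "all_squash" in opts or (uid == 0 and "no_root_squash" not in opts):
        return anonuid, anongid
    return uid, gid


def allowed(node, uid, gid, want):
    """POSIX class selection (supplementary groups ignored): owner, group, other."""
    if uid == 0:
        return True  # root bypasses via CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH
    if uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif gid == node.gid:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return (bits & want) == want


def can_stat_entries(directory, uid, gid, opts, **anon):
    """Can an NFS client with these credentials run 'ls -l' inside directory?"""
    euid, egid = squash(uid, gid, opts, **anon)
    return allowed(directory, euid, egid, X)

# Constructed from the thread: data dir owned by uid 1002, mode 0644 (no +x).
DATA_DIR = Inode(0o644, 1002, 1002)
OP_EXPORT = {"rw", "all_squash", "crossmnt"}

if __name__ == "__main__":
    print("client uid 1000 via all_squash:", can_stat_entries(DATA_DIR, 1000, 1000, OP_EXPORT))
    print("server shell as root:", allowed(DATA_DIR, 0, 0, X))
    print("server shell as alex (1002):", allowed(DATA_DIR, 1002, 1002, X))
```

Running it reproduces the thread: the squashed client is refused search on the 0644 directory, the root shell on the server is not, and a shell as alex (uid 1002) would have been refused too.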
lexflex
Guru

Joined: 05 Mar 2006
Posts: 362
Location: the Netherlands

PostPosted: Tue Oct 08, 2019 8:37 am

Thanks a lot to you all,

Your replies above give me enough insight to understand how to get this to work.
As suggested, I now created a user on both systems that has the same user and group ID 5000, using the -u option:
Code:
 useradd <....> -u 5000


Hu wrote:
You need search on a directory (+x) to stat files in it.

OK, I did not know or understand this before, but indeed this is needed as well.

I now changed all files to rw (unless they already had +x, but this was not the case here), and all (sub)directories to rwx, using:
Code:
chmod -R a+rwX /directory

(it took me this https://unix.stackexchange.com/questions/416877/what-is-a-capital-x-in-posix-chmod to decode the capital X in chmod).


Now all seems ok in terms of permissions, and the clients can access the nfs shares as expected!

Thanks a lot,

Alex.
Hu
Moderator

Joined: 06 Mar 2007
Posts: 14922

PostPosted: Wed Oct 09, 2019 2:05 am

Personally, I wouldn't consider world-writable to be "ok in terms of permissions" here, but if you're happy with the functionality and security consequences, we can call this thread solved.
lexflex
Guru

Joined: 05 Mar 2006
Posts: 362
Location: the Netherlands

PostPosted: Wed Oct 09, 2019 3:43 am

Hu wrote:
Personally, I wouldn't consider world-writable to be "ok in terms of permissions" here, but if you're happy with the functionality and security consequences, we can call this thread solved.


Yes, you are right that I should actually make it something like 'rwxr-xr-x' for the directories, or maybe also for the group.
So, I now removed all write access to the other directories.

Then, I added +x just for the user for directories by using:

Code:
chmod -R u+wrX


Alex.
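The capital X rule behind the chmod -R a+rwX and u+wrX commands in the two posts above, as an added Python example that is not from the thread; the file tree and the go-w intermediate step are constructed to mirror the posts:

```python
"""Added example (not the thread's code): the symbolic chmod clauses used above.
Supports who in 'ugoa', ops '+'/'-' and perms 'rwxX'. Capital X grants
search/execute only to directories and to files that already have some
execute bit (the chmod(1) rule); the tree is constructed to mirror the thread."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}


def apply_symbolic(mode: int, clause: str, is_dir: bool) -> int:
    """Apply one clause such as 'a+rwX' or 'go-w' to permission bits."""
    i = max(clause.find("+"), clause.find("-"))
    who, op, perms = clause[:i] or "a", clause[i], clause[i + 1:]
    classes = "ugo" if "a" in who else who
    bits = 0
    for p in perms:
        if p == "X":
            if is_dir or mode & 0o111:   # decided on the mode before this clause
                bits |= 1
        else:
            bits |= PERM_BITS[p]
    for c in classes:
        mask = bits << WHO_SHIFT[c]
        mode = mode | mask if op == "+" else mode & ~mask
    return mode


def chmod_recursive(tree: dict, clause: str) -> dict:
    """Like chmod -R: tree maps path -> (is_dir, mode); returns the updated tree."""
    return {p: (d, apply_symbolic(m, clause, d)) for p, (d, m) in tree.items()}


# Constructed to mirror the thread's server listing: one directory, two plain files, all 0644.
THREAD_TREE = {
    "data": (True, 0o644),
    "data/file1.txt": (False, 0o644),
    "data/file2.txt": (False, 0o644),
}

if __name__ == "__main__":
    step1 = chmod_recursive(THREAD_TREE, "a+rwX")   # first fix in the thread
    step2 = chmod_recursive(step1, "go-w")          # drop write for group/other
    step3 = chmod_recursive(step2, "u+wrX")         # final command in the thread
    for path, (is_dir, mode) in step3.items():
        print(f"{oct(mode)[2:]} {'d' if is_dir else '-'} {path}")
```

The output shows why the poster's directories end up 755 and the plain files 644: X only adds the search bit where a directory (or an already executable file) is involved.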