Softpanorama
Mounting NFS directory owned by root

NFS is a widely used file sharing protocol. It allows servers running nfsd and mountd to "export" entire file systems to other machines using the NFS filesystem support built into their kernels (or some other client support if they are not Linux machines). mountd keeps track of mounted file systems in /etc/mtab, and can display them with showmount.

Many sites use NFS to serve home directories to users, so that no matter which machine in the cluster they log in to, they have the same home files. Exporting file systems allows only a small amount of security. You can make your nfsd map the remote root user (uid 0) to the nobody user, denying it total access to the exported files. However, since individual users have access to their own files (or at least files with the same uid), the remote root user can log in or su to their account and have total access to those files. This is only a small hindrance to an attacker who is able to mount your exported file systems.

Export the root directory to the workstation. The basic idea is to edit /etc/exports to include a line similar to one of the following:

For example, a DHCP client receiving an IP address on a class C subnet would need an exports entry similar to this:

The no_root_squash parameter allows the superuser (root) to be treated as such by the NFS server; otherwise root will be remapped to nobody and will generally be unable to do anything useful with the filesystem. The no_all_squash parameter is similar but applies to non-root users. See the exports(5) man page for details.

You will have to notify the NFS server after making any changes to the exports file. Under Red Hat this can easily be done by typing /etc/rc.d/init.d/nfs stop; /etc/rc.d/init.d/nfs start. On other systems, a simple /etc/rc.d/init.d/nfs restart or even exportfs -a may suffice, while on older machines running the user-mode NFS daemon you may actually need to killall -HUP rpc.mountd; killall -HUP rpc.nfsd. (Do not killall -HUP rpc.portmap, however!)
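Before reloading the exports file, it is worth checking what the entries actually grant. The following script is an added example, not part of the original page: it parses the exports(5) syntax (path, then one or more client specs of the form host, host(options) or (options)) and flags entries that keep remote root as uid 0 via no_root_squash, and entries whose client spec is a wildcard or empty, meaning any host that can reach the server may mount them. The sample exports file, its hosts and its paths are constructed placeholders.

```python
"""Audit /etc/exports entries for root squashing and wildcard clients."""
import re

# Constructed sample exports file (placeholder hosts and paths, not real systems).
SAMPLE_EXPORTS = """\
# cluster home directories, remote root remapped to nobody (the default)
/home        192.168.1.0/255.255.255.0(rw,sync)
/            workstation1(rw,no_root_squash,sync)
/srv/pub     *(ro,all_squash)
/opt/tools   192.168.1.0/24(rw,no_root_squash) admin-host(rw)
/var/backup  (rw)
"""

# A client token is "host", "host(opt,opt)" or "(opt,opt)"; an empty host
# means the options apply to every client that can reach the server.
CLIENT_RE = re.compile(r'([^(]*)(?:\((.*)\))?')


def parse_exports(text):
    """Return a list of (path, host, [options]) tuples, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        for tok in rest.split():
            m = CLIENT_RE.fullmatch(tok)
            if m is None:
                raise ValueError('malformed client spec: %r' % tok)
            host = m.group(1) or '*'                # no host given: everyone
            opts = [o for o in (m.group(2) or '').split(',') if o]
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Flag entries where remote root keeps uid 0 or any host may mount."""
    findings = []
    for path, host, opts in parse_exports(text):
        if 'no_root_squash' in opts:
            findings.append((path, host, 'no_root_squash'))
        if '*' in host or '?' in host:
            findings.append((path, host, 'wildcard-client'))
    return findings


if __name__ == '__main__':
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print('%-12s %-28s %s' % (path, host, reason))
```

Run it against a real file with `audit_exports(open('/etc/exports').read())`; the exported root directory with no_root_squash from the scenario above is exactly the kind of entry it reports.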

You may also need to edit /etc/hosts.allow and/or /etc/hosts.deny if tcp_wrappers are installed. In particular, if the remote system (client) gets RPC: connection refused errors, /etc/hosts.deny probably contains portmap: ALL or ALL: ALL. To enable the client to use the server's portmapper, add a corresponding line to /etc/hosts.allow:

portmap: <client-IP-number>
portmap: <2nd-client-IP-number>
portmap: <client-IP-network>/<client-IP-netmask>

There is no need to restart anything in this case. You can check by running rpcinfo -p on the NFS server and rpcinfo -p NFS-server on a Linux client within the allowed range; the RPC services listed by both should match.

Exporting NFS File Systems

The General Options tab allows the following options to be configured:

The User Access tab allows the following options to be configured:
