block root access to NFS mount

Les Mikesell lesmikesell at gmail.com
Tue Sep 12 00:55:52 UTC 2006


On Mon, 2006-09-11 at 18:03, Jeff Vian wrote:
> On Mon, 2006-09-11 at 14:28 -0400, Mark Haney wrote:
> > Okay, here's a problem I'm running into.  I have an NFS server that is 
> > controlled via NIS for which hosts access the NFS mounts.  I need to 
> > give root access to an NFS client host machine, but /not/ the NFS 
> > mounts.  Is there any way at all to control this, other than making the 
> > NFS mounts read only?
> > 
> > (Yeah I know it's a strange question, but time is pressing and I don't 
> > have enough of it to google.)  Any help would be appreciated.
> > 
> 
> By default NFS maps root to nobody.  Only if the no_root_squash option
> is used when exported does root from the client have root privileges on
> the nfs filesystem.
> 
> Often this also means that root may not even access the nfs filesystem
> at all.

The thing to understand about NFS, though, is that if someone
is allowed to be root on a client machine they can easily
impersonate any other user.  So even though they can't access
files directly as root they can su to the owner of the directory
or files in question.

-- 
  Les Mikesell
   lesmikesell at gmail.com
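
Added example (not part of the original thread): a small audit of exports(5)-style lines that separates the cases discussed above, namely root squashed but client-supplied uids still trusted (the default sec=sys), no_root_squash, all_squash, and Kerberos-only exports. The sample lines, host names, paths and the finding labels are constructed for illustration.

```python
import re

# Constructed sample in exports(5) format; paths and hosts are hypothetical.
SAMPLE_EXPORTS = """\
# constructed example
/srv/home     client1.example.com(rw,sync)
/srv/build    client2.example.com(rw,no_root_squash)
/srv/scratch  192.0.2.0/24(rw,all_squash,anonuid=65534,anongid=65534)
/srv/secure   *.example.com(rw,sec=krb5p)
/srv/docs     client3.example.com(ro)
"""

# client spec: host, optionally followed by (opt,opt,...)
CLIENT_RE = re.compile(r"^([^()\s]+)(?:\(([^)]*)\))?$")

def audit_exports(text):
    """Return (path, client, finding) for every client of every export."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                findings.append((path, spec, "unparsed"))
                continue
            client = m.group(1)
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            # sec= defaults to sys: the server accepts the uid the client sends
            sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
            if "no_root_squash" in opts:
                finding = "client-root-is-server-root"
            elif "all_squash" in opts:
                finding = "all-uids-squashed"     # every uid maps to anonymous
            elif all(f.startswith("krb5") for f in sec.split(":")):
                finding = "kerberos-identity"     # uid claims alone not accepted
            elif "rw" in opts:
                finding = "client-uid-trusted-rw" # root squashed, other uids trusted
            else:
                finding = "client-uid-trusted-ro" # exports default to read-only
            findings.append((path, client, finding))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:24} {finding}")
```
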




