block root access to NFS mount

Nigel Wade nmw at ion.le.ac.uk
Tue Sep 12 12:48:19 UTC 2006


Mark Haney wrote:
> Jeff Vian wrote:
> 
>> On Mon, 2006-09-11 at 14:28 -0400, Mark Haney wrote:
>>  
>>
>>> Okay, here's a problem I'm running in to.  I have an NFS server that 
>>> is controlled via NIS for which hosts access the NFS mounts.  I need 
>>> to give root access to an NFS client host machine, but /not/ the NFS 
>>> mounts.  Is there any way at all to control this, other than making 
>>> the NFS mounts read only?
>>>
>>> (Yeah I know it's a strange question, but time is pressing and I 
>>> don't have enough of it to google.)  Any help would be appreciated.
>>>
>>>     
>>
>>
>> By default NFS maps root to nobody.  Only if the no_root_squash option
>> is used when exported does root from the client have root privileges on
>> the nfs filesystem.
>>
>> Often this also means that root may not even access the nfs filesystem
>> at all.
>>
>> HTH
>> "man exports" will give more info, specifically in the User ID
>> Mapping section.
>>
> Let me see if I understand you, if I don't have 'no_root_squash' in 
> my /etc/exports file for a particular NFS share, then if I am root on 
> the /client/ I cannot access that NFS mount?  If so, that's exactly 
> what I'm looking for.
> 

Yes, but as Jeff pointed out, it doesn't buy you anything.

As root on the client they can access any file on the exported filesystem which 
a "mortal" user can access. The simple rule is, don't export to a client unless 
you have administrative control.

In a more complex environment you might create different filesystems with home 
directories for each group of users. Then export each filesystem of users' home 
directories to clients as required. You would only export home directories to a 
client for the users who are supposed to be administered by the root user of the 
client in question.

If you export a filesystem to another administrative domain the only part of the 
filesystem which you can effectively control are files owned by root.

-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
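As an added example, not code from the thread or from the fedora-list, here is a small POSIX shell audit of an /etc/exports-style file that flags the two things this exchange is about: exports where no_root_squash leaves the client's root as root, and exports offered to every host, which by the rule above should never leave your administrative control. The sample exports file, its paths and host names are constructed.

```shell
#!/bin/sh
# Audit an /etc/exports-style file. Prints "<reason> <path> <client>" per
# finding and returns the number of findings as its exit status (0 = clean).
# Reasons: no_root_squash (client root keeps uid 0 on the export) and
# world-export (a bare "*" client or no client at all, i.e. every host).
# Note: root_squash only maps uid 0 to nobody; root on the client can still
# su to any local uid, so an export to an uncontrolled host is a finding too.
audit_exports() {
    file=$1
    findings=0
    set -f                         # no globbing: a client of "*" must stay literal
    while read -r line; do
        line=${line%%#*}           # drop comments
        set -- $line               # $1 = path, $2.. = client(options) specs
        [ $# -ge 1 ] || continue   # blank line
        path=$1; shift
        if [ $# -eq 0 ]; then      # no client field: exported to everyone
            echo "world-export $path *"
            findings=$((findings + 1))
        fi
        for spec in "$@"; do
            client=${spec%%\(*}    # text before "("
            opts=${spec#"$client"} # "(opt,opt)" or empty
            opts=${opts#\(}; opts=${opts%\)}
            case ",$opts," in
                *,no_root_squash,*)
                    echo "no_root_squash $path $client"
                    findings=$((findings + 1)) ;;
            esac
            case $client in
                '*')
                    echo "world-export $path $client"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    set +f
    return "$findings"
}

# Constructed sample exports file (hypothetical hosts, not from the thread).
sample=$(mktemp)
cat >"$sample" <<'EOF'
/export/home/physics  physics1.example.org(rw,sync)   # default: root -> nobody
/export/home/admin    adminbox.example.org(rw,sync,no_root_squash)
/export/shared        *(rw,sync)
/export/home/students 10.0.0.0/24(rw,sync,root_squash)
EOF
audit_exports "$sample" || echo "$? risky export(s) found"
```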




More information about the fedora-list mailing list