8

I've exported a share from my server and set anonuid and anongid to be 0 (root). However, when I mount the share on the client, it doesn't appear my settings are working as I'm getting permission denied to folders within the share owned by root.

Server CentOS 5.7 / Client CentOS 6.4 using NFS version 3.2.29.

Here is my /etc/exports on SERVER:

/STORAGE 10.0.5.10(rw,sync,no_subtree_check,no_root_squash,anonuid=0,anongid=0)

Basically, when the client (10.0.5.10) connects to the server, I need it to behave as if it were root on the server. Thank you in advance for the help!!

c4f4t0r
Jason
    Check this - http://bugs.centos.org/view.php?id=6345, it should be a bug. – dsmsk80 Sep 16 '13 at 14:36
  • Thank you! I made a small mistake in my original post. The SERVER is CentOS 5.7 and the CLIENT is 6.4. Assuming the same bug still applies? Thanks! – Jason Sep 16 '13 at 18:32

2 Answers

14

If you want any user on 10.0.5.10 to appear as root you want to do this:

/STORAGE 10.0.5.10(rw,sync,no_subtree_check,all_squash,anonuid=0,anongid=0)

all_squash tells NFS that for any user connecting from 10.0.5.10, ignore their actual UID/GID and instead treat them as if UID=anonuid and GID=anongid. Since you set anonuid=0,anongid=0 that gives all users on 10.0.5.10 root access privileges on /STORAGE, effectively bypassing all security on /STORAGE and leaving it wide open to abuse from anyone appearing to come from the 10.0.5.10 IP address.

FWIW, this is a terrible idea from a security point of view.

If you can use NFSv4 on the server, you can enable UID/GID mapping and add a static map to /etc/idmapd.conf on the server, telling it that a specific user on 10.0.5.10 should be given root access on the NFSv4 server. man idmapd.conf for details on setting up the config file. Once the config file is set up on the NFSv4 server, update your export:

/STORAGE 10.0.5.10(rw,sync,no_subtree_check,no_root_squash)

Then you just want to enable mapping, clear the idmap cache, and restart the map service:

echo N > /sys/module/nfs/parameters/nfs4_disable_idmapping
nfsidmap -c
service rpcidmapd restart

If you do that, you're only giving one user root access, not all users.

Earl Ruby
  • 369
  • 3
  • 5
  • 1
    Although `anonuid=0` is a bad idea, I found this helpful for setting to a different value (default Ubuntu first user added, 1001). – sventechie May 03 '16 at 00:27
6

First of all, you should upgrade to NFS4, as things behave slightly differently on each version.

Instead of no_root_squash you will need to use root_squash or all_squash - this is the only relevant parameter regarding this question.

all_squash makes any client connected to that share use the ID given in the anonuid/anongid parameters.

chicks
Király István
  • Thank you so much! `all_squash` along with `anonuid=33,anongid=33` is exactly what I was looking for (executing CLI PHP scripts with my "webdev" user, but still writing the files as www-data), but I couldn't (easily, at all) find an answer to my interrogation. Thanks :) – Lideln Kyoku Feb 23 '22 at 18:54
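Both answers above come down to how the squash options in exports(5) decide which server-side identity a client request gets. The following is an added example, not code from either answer or from nfs-utils: it parses /etc/exports lines, models root_squash / no_root_squash / all_squash with the exports(5) defaults (root_squash on, anonuid=anongid=65534), and flags the combinations a reviewer would question. It covers only the classic squash options, not NFSv4 idmapd mapping; the sample exports text is constructed for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# exports(5) defaults: root_squash is on, and the anonymous identity is
# uid/gid 65534 ("nobody") unless anonuid/anongid override it.
NOBODY = 65534

# A client token is "host(opt,opt)" or a bare "host". An empty host in front
# of "(...)" is what a stray space in "host (opts)" produces; exports(5) then
# applies those options to every client, so it is recorded here as "*".
_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


@dataclass
class ExportEntry:
    path: str
    client: str
    options: dict = field(default_factory=dict)  # flag -> None, key=value -> value

    @property
    def anonuid(self) -> int:
        return int(self.options.get("anonuid") or NOBODY)

    @property
    def anongid(self) -> int:
        return int(self.options.get("anongid") or NOBODY)

    def map_identity(self, uid: int, gid: int) -> tuple[int, int]:
        """Return the (uid, gid) the server acts with for a request from this client."""
        if "all_squash" in self.options:
            # Every client identity, root or not, collapses to the anonymous one.
            return self.anonuid, self.anongid
        if uid == 0 and "no_root_squash" not in self.options:
            # root_squash (the default): only client root is remapped.
            return self.anonuid, self.anongid
        # Everything else passes through unchanged, including client root under
        # no_root_squash. anonuid/anongid are never consulted on this path, which
        # is why setting them next to no_root_squash changes nothing for normal users.
        return uid, gid

    def findings(self) -> list[str]:
        """Risk notes a reviewer would raise about this entry."""
        where = f"{self.path} {self.client}"
        notes = []
        if "all_squash" in self.options and self.anonuid == 0:
            notes.append(f"{where}: all_squash with anonuid=0 makes every client process server root")
        if "no_root_squash" in self.options:
            notes.append(f"{where}: no_root_squash lets client root act as server root")
        if ("no_root_squash" in self.options and "all_squash" not in self.options
                and ("anonuid" in self.options or "anongid" in self.options)):
            notes.append(f"{where}: anonuid/anongid have no effect without root_squash or all_squash")
        if self.client == "*":
            notes.append(f"{where}: options apply to every host (world export or stray space before '(')")
        return notes


def parse_exports_line(line: str) -> list[ExportEntry]:
    """Split one /etc/exports line into one ExportEntry per client spec."""
    line = line.split("#", 1)[0].strip()  # drop comments and blank lines
    if not line:
        return []
    path, *specs = line.split()
    entries = []
    for spec in specs:
        m = _CLIENT_RE.match(spec)
        if m is None:
            raise ValueError(f"malformed client spec: {spec!r}")
        host, opts = m.group(1) or "*", m.group(2) or ""
        options = {}
        for opt in filter(None, opts.split(",")):
            key, _, value = opt.partition("=")
            options[key] = value or None
        entries.append(ExportEntry(path, host, options))
    return entries


def lint_exports(text: str) -> list[str]:
    """Collect findings() over every entry in an /etc/exports body."""
    notes = []
    for line in text.splitlines():
        for entry in parse_exports_line(line):
            notes.extend(entry.findings())
    return notes


# Constructed sample: the asker's export, the all_squash variant, and a
# host-space-options mistake. Not a real server's file.
SAMPLE_EXPORTS = """\
# constructed sample
/STORAGE 10.0.5.10(rw,sync,no_subtree_check,no_root_squash,anonuid=0,anongid=0)
/STORAGE 10.0.5.10(rw,sync,no_subtree_check,all_squash,anonuid=0,anongid=0)
/pub 10.0.5.10 (rw,sync)
"""

if __name__ == "__main__":
    for note in lint_exports(SAMPLE_EXPORTS):
        print(note)
    for entry in parse_exports_line(SAMPLE_EXPORTS.splitlines()[1]):
        print("uid 1000 from", entry.client, "acts as", entry.map_identity(1000, 1000))
```

Running the script against the sample shows why the asker's original export did not work: with no_root_squash and no all_squash, a uid 1000 process on 10.0.5.10 still acts as uid 1000 on the server, so anonuid=0 is dead configuration, while the all_squash variant maps every caller to 0 and is flagged accordingly.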