Why can't root on one machine change nfs mounted content from another machine?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












13














On my NFS server, I have the following export defined:



#NFS exports Database
/shared -alldirs -network=192.168.1 -mask=255.255.255.0


On my NFS client:



192.168.1.7:/shared /shared nfs rw 0 0


Obviously, as root on the server, I can do whatever I want. On the client however, my regular user 'gabe' can make changes to the nfs mount (assuming I have permissions to), but root cannot.



As my regular user:



gabe@client$ cd /shared
gabe@client$ ls -l
total 8
drwxrwxrwx 4 gabe wheel 512 Mar 20 19:20 tmp
gabe@client$ cd tmp
gabe@client$ touch test.txt
gabe@client$ rm test.txt


As root:



# cd /shared/tmp
# touch test.txt
touch: test.txt: Permission denied


Again, this is all on the NFS client side of things, and I suspect perhaps it has something to do with the -maproot option. This is the first time I'm setting up NFS and I just noticed this peculiarity. I'm going to do some reading now, to see if I can figure this out, but if anyone has any insight, I would appreciate it.










share|improve this question




























    13














    On my NFS server, I have the following export defined:



    #NFS exports Database
    /shared -alldirs -network=192.168.1 -mask=255.255.255.0


    On my NFS client:



    192.168.1.7:/shared /shared nfs rw 0 0


    Obviously, as root on the server, I can do whatever I want. On the client however, my regular user 'gabe' can make changes to the nfs mount (assuming I have permissions to), but root cannot.



    As my regular user:



    gabe@client$ cd /shared
    gabe@client$ ls -l
    total 8
    drwxrwxrwx 4 gabe wheel 512 Mar 20 19:20 tmp
    gabe@client$ cd tmp
    gabe@client$ touch test.txt
    gabe@client$ rm test.txt


    As root:



    # cd /shared/tmp
    # touch test.txt
    touch: test.txt: Permission denied


    Again, this is all on the NFS client side of things, and I suspect perhaps it has something to do with the -maproot option. This is the first time I'm setting up NFS and I just noticed this peculiarity. I'm going to do some reading now, to see if I can figure this out, but if anyone has any insight, I would appreciate it.










    share|improve this question


























      13












      13








      13


      1





      On my NFS server, I have the following export defined:



      #NFS exports Database
      /shared -alldirs -network=192.168.1 -mask=255.255.255.0


      On my NFS client:



      192.168.1.7:/shared /shared nfs rw 0 0


      Obviously, as root on the server, I can do whatever I want. On the client however, my regular user 'gabe' can make changes to the nfs mount (assuming I have permissions to), but root cannot.



      As my regular user:



      gabe@client$ cd /shared
      gabe@client$ ls -l
      total 8
      drwxrwxrwx 4 gabe wheel 512 Mar 20 19:20 tmp
      gabe@client$ cd tmp
      gabe@client$ touch test.txt
      gabe@client$ rm test.txt


      As root:



      # cd /shared/tmp
      # touch test.txt
      touch: test.txt: Permission denied


      Again, this is all on the NFS client side of things, and I suspect perhaps it has something to do with the -maproot option. This is the first time I'm setting up NFS and I just noticed this peculiarity. I'm going to do some reading now, to see if I can figure this out, but if anyone has any insight, I would appreciate it.










      share|improve this question















      On my NFS server, I have the following export defined:



      #NFS exports Database
      /shared -alldirs -network=192.168.1 -mask=255.255.255.0


      On my NFS client:



      192.168.1.7:/shared /shared nfs rw 0 0


      Obviously, as root on the server, I can do whatever I want. On the client however, my regular user 'gabe' can make changes to the nfs mount (assuming I have permissions to), but root cannot.



      As my regular user:



      gabe@client$ cd /shared
      gabe@client$ ls -l
      total 8
      drwxrwxrwx 4 gabe wheel 512 Mar 20 19:20 tmp
      gabe@client$ cd tmp
      gabe@client$ touch test.txt
      gabe@client$ rm test.txt


      As root:



      # cd /shared/tmp
      # touch test.txt
      touch: test.txt: Permission denied


      Again, this is all on the NFS client side of things, and I suspect perhaps it has something to do with the -maproot option. This is the first time I'm setting up NFS and I just noticed this peculiarity. I'm going to do some reading now, to see if I can figure this out, but if anyone has any insight, I would appreciate it.







      permissions nfs






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Aug 25 '18 at 21:30









      Rui F Ribeiro

      39k1479130




      39k1479130










      asked Mar 21 '11 at 22:11









      gabe.

      6,43593554




      6,43593554




















          2 Answers
          2






          active

          oldest

          votes


















          18














          NFS was designed with the idea that user and group ids would be the same on all machines across the network. For ordinary users, that works ok. But root's UID is always 0, and just because you have root on one box, it doesn't mean that you should have root access to every machine on the network.



          Therefore, NFS treats root specially. By default, root is mapped to the nobody user, which normally has no write access. The -maproot option allows you to change how root is handled. BSD's -maproot=root corresponds to Linux's no_root_squash option.






          share|improve this answer






















          • Yes, indeed. This fixed my problem. The man page I was reading was a little cryptic (or my understanding was) with regards to what exactly maproot did. Thanks!
            – gabe.
            Mar 22 '11 at 0:47










          • Another noob here. I was wondering if you guys might know a way to tell if a NFS drive has been configured to use the -maproot option without having access to the NFS Server.
            – John
            Jul 29 '11 at 20:31










          • @John, that's different enough that you should ask a new question instead of adding a comment.
            – cjm
            Jul 30 '11 at 10:11


















          5














          That's common behavior with traditional NFS implementations. NFS user mappings are performed irrespective of context, so all accesses by the client root have to be mapped to a particular user (usually nobody by default). Hence this weird behavior, where the client root can't access your files directly, but can su gabe to access them.



          (“Recent” versions of NFS, i.e. NFSv4 and perhaps NFSv3, allow saner behavior if supported on both sides, but I don't know the details.)






          share|improve this answer




















            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f9840%2fwhy-cant-root-on-one-machine-change-nfs-mounted-content-from-another-machine%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            18














            NFS was designed with the idea that user and group ids would be the same on all machines across the network. For ordinary users, that works ok. But root's UID is always 0, and just because you have root on one box, it doesn't mean that you should have root access to every machine on the network.



            Therefore, NFS treats root specially. By default, root is mapped to the nobody user, which normally has no write access. The -maproot option allows you to change how root is handled. BSD's -maproot=root corresponds to Linux's no_root_squash option.






            share|improve this answer






















            • Yes, indeed. This fixed my problem. The man page I was reading was a little cryptic (or my understanding was) with regards to what exactly maproot did. Thanks!
              – gabe.
              Mar 22 '11 at 0:47










            • Another noob here. I was wondering if you guys might know a way to tell if a NFS drive has been configured to use the -maproot option without having access to the NFS Server.
              – John
              Jul 29 '11 at 20:31










            • @John, that's different enough that you should ask a new question instead of adding a comment.
              – cjm
              Jul 30 '11 at 10:11















            18














            NFS was designed with the idea that user and group ids would be the same on all machines across the network. For ordinary users, that works ok. But root's UID is always 0, and just because you have root on one box, it doesn't mean that you should have root access to every machine on the network.



            Therefore, NFS treats root specially. By default, root is mapped to the nobody user, which normally has no write access. The -maproot option allows you to change how root is handled. BSD's -maproot=root corresponds to Linux's no_root_squash option.






            share|improve this answer






















            • Yes, indeed. This fixed my problem. The man page I was reading was a little cryptic (or my understanding was) with regards to what exactly maproot did. Thanks!
              – gabe.
              Mar 22 '11 at 0:47










            • Another noob here. I was wondering if you guys might know a way to tell if a NFS drive has been configured to use the -maproot option without having access to the NFS Server.
              – John
              Jul 29 '11 at 20:31










            • @John, that's different enough that you should ask a new question instead of adding a comment.
              – cjm
              Jul 30 '11 at 10:11













            18












            18








            18






            NFS was designed with the idea that user and group ids would be the same on all machines across the network. For ordinary users, that works ok. But root's UID is always 0, and just because you have root on one box, it doesn't mean that you should have root access to every machine on the network.



            Therefore, NFS treats root specially. By default, root is mapped to the nobody user, which normally has no write access. The -maproot option allows you to change how root is handled. BSD's -maproot=root corresponds to Linux's no_root_squash option.






            share|improve this answer














            NFS was designed with the idea that user and group ids would be the same on all machines across the network. For ordinary users, that works ok. But root's UID is always 0, and just because you have root on one box, it doesn't mean that you should have root access to every machine on the network.



            Therefore, NFS treats root specially. By default, root is mapped to the nobody user, which normally has no write access. The -maproot option allows you to change how root is handled. BSD's -maproot=root corresponds to Linux's no_root_squash option.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Mar 21 '11 at 22:36

























            answered Mar 21 '11 at 22:28









            cjm

            20.3k57073




            20.3k57073











            • Yes, indeed. This fixed my problem. The man page I was reading was a little cryptic (or my understanding was) with regards to what exactly maproot did. Thanks!
              – gabe.
              Mar 22 '11 at 0:47










            • Another noob here. I was wondering if you guys might know a way to tell if a NFS drive has been configured to use the -maproot option without having access to the NFS Server.
              – John
              Jul 29 '11 at 20:31










            • @John, that's different enough that you should ask a new question instead of adding a comment.
              – cjm
              Jul 30 '11 at 10:11
















            • Yes, indeed. This fixed my problem. The man page I was reading was a little cryptic (or my understanding was) with regards to what exactly maproot did. Thanks!
              – gabe.
              Mar 22 '11 at 0:47










            • Another noob here. I was wondering if you guys might know a way to tell if a NFS drive has been configured to use the -maproot option without having access to the NFS Server.
              – John
              Jul 29 '11 at 20:31










            • @John, that's different enough that you should ask a new question instead of adding a comment.
              – cjm
              Jul 30 '11 at 10:11















            Yes, indeed. This fixed my problem. The man page I was reading was a little cryptic (or my understanding was) with regards to what exactly maproot did. Thanks!
            – gabe.
            Mar 22 '11 at 0:47




            Yes, indeed. This fixed my problem. The man page I was reading was a little cryptic (or my understanding was) with regards to what exactly maproot did. Thanks!
            – gabe.
            Mar 22 '11 at 0:47












            Another noob here. I was wondering if you guys might know a way to tell if a NFS drive has been configured to use the -maproot option without having access to the NFS Server.
            – John
            Jul 29 '11 at 20:31




            Another noob here. I was wondering if you guys might know a way to tell if a NFS drive has been configured to use the -maproot option without having access to the NFS Server.
            – John
            Jul 29 '11 at 20:31












            @John, that's different enough that you should ask a new question instead of adding a comment.
            – cjm
            Jul 30 '11 at 10:11




            @John, that's different enough that you should ask a new question instead of adding a comment.
            – cjm
            Jul 30 '11 at 10:11













            5














            That's common behavior with traditional NFS implementations. NFS user mappings are performed irrespective of context, so all accesses by the client root have to be mapped to a particular user (usually nobody by default). Hence this weird behavior, where the client root can't access your files directly, but can su gabe to access them.



            (“Recent” versions of NFS, i.e. NFSv4 and perhaps NFSv3, allow saner behavior if supported on both sides, but I don't know the details.)






            share|improve this answer

























              5














              That's common behavior with traditional NFS implementations. NFS user mappings are performed irrespective of context, so all accesses by the client root have to be mapped to a particular user (usually nobody by default). Hence this weird behavior, where the client root can't access your files directly, but can su gabe to access them.



              (“Recent” versions of NFS, i.e. NFSv4 and perhaps NFSv3, allow saner behavior if supported on both sides, but I don't know the details.)






              share|improve this answer























                5












                5








                5






                That's common behavior with traditional NFS implementations. NFS user mappings are performed irrespective of context, so all accesses by the client root have to be mapped to a particular user (usually nobody by default). Hence this weird behavior, where the client root can't access your files directly, but can su gabe to access them.



                (“Recent” versions of NFS, i.e. NFSv4 and perhaps NFSv3, allow saner behavior if supported on both sides, but I don't know the details.)






                share|improve this answer












                That's common behavior with traditional NFS implementations. NFS user mappings are performed irrespective of context, so all accesses by the client root have to be mapped to a particular user (usually nobody by default). Hence this weird behavior, where the client root can't access your files directly, but can su gabe to access them.



                (“Recent” versions of NFS, i.e. NFSv4 and perhaps NFSv3, allow saner behavior if supported on both sides, but I don't know the details.)







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Mar 21 '11 at 22:31









                Gilles

                528k12810581583




                528k12810581583



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Unix & Linux Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f9840%2fwhy-cant-root-on-one-machine-change-nfs-mounted-content-from-another-machine%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown






                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?