Why can't root on one machine change nfs mounted content from another machine?













13














On my NFS server, I have the following export defined:



#NFS exports Database
/shared -alldirs -network=192.168.1 -mask=255.255.255.0


On my NFS client:



192.168.1.7:/shared /shared nfs rw 0 0


Obviously, as root on the server, I can do whatever I want. On the client however, my regular user 'gabe' can make changes to the nfs mount (assuming I have permissions to), but root cannot.



As my regular user:



gabe@client$ cd /shared
gabe@client$ ls -l
total 8
drwxrwxrwx 4 gabe wheel 512 Mar 20 19:20 tmp
gabe@client$ cd tmp
gabe@client$ touch test.txt
gabe@client$ rm test.txt


As root:



# cd /shared/tmp
# touch test.txt
touch: test.txt: Permission denied


Again, this is all on the NFS client side of things, and I suspect perhaps it has something to do with the -maproot option. This is the first time I'm setting up NFS and I just noticed this peculiarity. I'm going to do some reading now, to see if I can figure this out, but if anyone has any insight, I would appreciate it.










permissions nfs

edited Aug 25 '18 at 21:30
Rui F Ribeiro

asked Mar 21 '11 at 22:11
gabe.




















2 Answers


























18

NFS was designed with the idea that user and group ids would be the same on all machines across the network. For ordinary users, that works ok. But root's UID is always 0, and just because you have root on one box, it doesn't mean that you should have root access to every machine on the network.

Therefore, NFS treats root specially. By default, root is mapped to the nobody user, which normally has no write access. The -maproot option allows you to change how root is handled. BSD's -maproot=root corresponds to Linux's no_root_squash option.

edited Mar 21 '11 at 22:36

answered Mar 21 '11 at 22:28
cjm

• Yes, indeed. This fixed my problem. The man page I was reading was a little cryptic (or my understanding was) with regards to what exactly maproot did. Thanks!
  – gabe.
  Mar 22 '11 at 0:47

• Another noob here. I was wondering if you guys might know a way to tell if a NFS drive has been configured to use the -maproot option without having access to the NFS Server.
  – John
  Jul 29 '11 at 20:31

• @John, that's different enough that you should ask a new question instead of adding a comment.
  – cjm
  Jul 30 '11 at 10:11
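An audit sketch for the root mapping described in the answer above, added here as an example and not code from the answer or from any NFS implementation: it reads BSD- and Linux-style exports lines and reports which server-side identity a client's root ends up with. It goes a little beyond the thread by also handling `-mapall`, `all_squash` and `anonuid` from exports(5); the function names and the Linux sample lines are constructed, and only the `-option=value` form of BSD options is parsed.

```python
import re

# "client(opt,opt)" groups in a Linux exports(5) line.
LINUX_CLIENT = re.compile(r"(\S*?)\(([^)]*)\)")


def _bsd(line):
    # BSD exports(5): paths, then -options, then hosts (-opt=value form only).
    paths, clients, identity = [], [], "nobody"  # default per the answer above
    for tok in line.split():
        if tok.startswith("/"):
            paths.append(tok)
        elif tok.startswith(("-maproot=", "-mapall=")):
            # Value is user[:group...]; the user part decides the uid.
            user = tok.split("=", 1)[1].split(":", 1)[0]
            identity = "root" if user in ("root", "0") else user
        elif tok.startswith("-network="):
            clients.append(tok.split("=", 1)[1])
        elif not tok.startswith("-"):
            clients.append(tok)
    return [(p, " ".join(clients) or "*", identity) for p in paths]


def _linux(line):
    path, rest = line.split(None, 1)
    found = []
    for client, optstr in LINUX_CLIENT.findall(rest):
        opts = dict(o.partition("=")[::2] for o in optstr.split(","))
        # root_squash is the default; all_squash squashes root as well.
        if "no_root_squash" in opts and "all_squash" not in opts:
            identity = "root"
        elif opts.get("anonuid") == "0":
            identity = "root"  # squashed, but onto uid 0
        else:
            identity = "uid " + opts["anonuid"] if "anonuid" in opts else "nobody"
        found.append((path, client or "*", identity))
    return found


def client_root_identity(line):
    """Return [(path, client, identity)]: who uid 0 on the client becomes."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return []
    return _linux(line) if "(" in line else _bsd(line)


def trusted_root(lines):
    """Entries where the client's root acts as root on the server."""
    return [e for l in lines for e in client_root_identity(l) if e[2] == "root"]


# The first two lines are the export from the question; the rest are constructed.
SAMPLE = [
    "#NFS exports Database",
    "/shared -alldirs -network=192.168.1 -mask=255.255.255.0",
    "/shared -alldirs -maproot=root -network=192.168.1 -mask=255.255.255.0",
    "/srv/data 192.168.1.0/24(rw,no_root_squash) backup(rw)",
    "/srv/pub *(rw,all_squash,anonuid=0)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        for path, client, identity in client_root_identity(line):
            print(f"{path:10} {client:16} client root -> {identity}")
```

Every entry returned by `trusted_root` is an export where root on any matching client is root on the served files, so each one should be a deliberate decision limited to hosts whose administrators are trusted.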





























5

That's common behavior with traditional NFS implementations. NFS user mappings are performed irrespective of context, so all accesses by the client root have to be mapped to a particular user (usually nobody by default). Hence this weird behavior, where the client root can't access your files directly, but can su gabe to access them.

(“Recent” versions of NFS, i.e. NFSv4 and perhaps NFSv3, allow saner behavior if supported on both sides, but I don't know the details.)

answered Mar 21 '11 at 22:31
Gilles
