
Re: Permissions on NFS mounts



On Wed, Dec 09, 2020 at 03:54:10PM -0500, Dan Ritter wrote:
> Paul M Foster wrote: 
> > I have two users on the client: paulf 1000 and nancyf 1001. On the
> > server, I have two users: pi 1000 and paulf 1001. I can mount the NFS
> > share from the server to /mnt on my client. But any files belonging to
> > me (user 1001 on the server) look like they belong to nancy (user 1001
> > on the client). More importantly, if I copy files to this share from the
> > client, they will look like they belong to pi (user 1000) on the server.
> > 
> > Is there some way in the /etc/exports file to adjust the parameters so
> > that files retain my ownership on the server?
> 
> You're looking for userid mapping, handled by idmapd.
> 
> Your best long-term solution is to make the userids consistent
> across machines by making a decision about who will be 1000, 
> 1001 and 1002, and then changing /etc/passwd and running
> suitable "chown -R" commands, probably followed by find
> commands.
> 
> Debian automatically starts user numbering at 1000, so it's a
> good idea to have a consistent install username, if you can
> arrange it.
> 


This brings up an interesting thought. In the situation where you align 
user IDs across a number of machines for this purpose, you'll inevitably 
end up with situations where users are created on some of the machines 
only for the purpose of keeping the IDs in synch so they can all play 
nice with the NFS. Left alone, having unneeded users on a given machine 
could be a security threat, at least in the sense that it provides a 
greater than necessary attackable surface area. What can be done about 
that? Obviously one thing would be setting the shell to /dev/null in the 
password file of those machines that don't need a given user, to prevent 
interactive logins. What else could be done? Is there a way to put an 
account "beyond use", in any way including su, sudo etc, while still 
having the machine recognise the user for being a user and therefore not 
messing up the mapping of user IDs on shared resources like NFS? In 
other words, create the sense of "yes this user exists, but they are not 
welcome here"?

Mark
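One way to check the "exists but not welcome" state Mark asks about, as an added example that is not part of the thread: a script that inspects a placeholder account's login shell, password lock and account expiry in a passwd/shadow pair. The file paths are parameters, and the entries, UIDs and hashes below are constructed samples.

```bash
#!/bin/bash
# Check whether a UID-placeholder account is really "beyond use": login shell,
# password lock and account expiry are inspected in the given passwd/shadow
# files, so the constructed samples below can be audited without touching /etc.
# sudoers and /etc/group membership (sudo, adm, ...) still need a separate look.
set -u

account_problems() {   # account_problems USER PASSWD_FILE SHADOW_FILE -> findings, empty if fully locked
    local user=$1 passwd=$2 shadow=$3 shell hash expire problems=""
    shell=$(awk -F: -v u="$user" '$1 == u {print $7}' "$passwd")
    hash=$(awk -F: -v u="$user" '$1 == u {print $2}' "$shadow")
    expire=$(awk -F: -v u="$user" '$1 == u {print $8}' "$shadow")   # field 8: expiry, days since epoch
    case $shell in
        /usr/sbin/nologin|/sbin/nologin|/bin/false) ;;
        *) problems="$problems shell=${shell:-missing}" ;;
    esac
    case $hash in
        '!'*|'*'*) ;;                               # '!' = locked (passwd -l / usermod -L), '*' = no password set
        *) problems="$problems password-usable" ;;  # an empty field counts too: it means no password is needed
    esac
    [ -n "$expire" ] || problems="$problems no-expiry"   # expired accounts fail PAM's account check (ssh keys included with UsePAM)
    printf '%s\n' "${problems# }"
}

audit_placeholders() { # audit_placeholders PASSWD_FILE SHADOW_FILE USER... -> one "user: findings" line per unlocked account
    local passwd=$1 shadow=$2 user p
    shift 2
    for user in "$@"; do
        p=$(account_problems "$user" "$passwd" "$shadow")
        if [ -n "$p" ]; then printf '%s: %s\n' "$user" "$p"; fi
    done
}

# Constructed sample files: pi is a real login; paulf and nancyf exist only so
# their UIDs line up with the NFS server. paulf is fully locked, nancyf only half.
tmp=$(mktemp -d)
cat >"$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000::/home/pi:/bin/bash
paulf:x:1001:1001:uid placeholder:/nonexistent:/usr/sbin/nologin
nancyf:x:1002:1002:uid placeholder:/home/nancyf:/bin/bash
EOF
cat >"$tmp/shadow" <<'EOF'
root:*:18600:0:99999:7:::
pi:$6$constructedsalt$constructedhash:18600:0:99999:7:::
paulf:!:18600:0:99999:7::1:
nancyf:!$6$constructedsalt$constructedhash:18600:0:99999:7:::
EOF
audit_placeholders "$tmp/passwd" "$tmp/shadow" paulf nancyf
```

Run against the real files as root with the placeholder names as arguments; an account that prints nothing has a nologin shell, a locked password and an expiry date set.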

