
Re: Permissions on NFS mounts

On 10/12/2020 09:10, Mark Fletcher wrote:
> On Wed, Dec 09, 2020 at 03:54:10PM -0500, Dan Ritter wrote:
>> Paul M Foster wrote: 
>>> I have two users on the client: paulf 1000 and nancyf 1001. On the
>>> server, I have two users: pi 1000 and paulf 1001. I can mount the NFS
>>> share from the server to /mnt on my client. But any files belonging to
>>> me (user 1001 on the server) look like they belong to nancy (user 1001
>>> on the client). More importantly, if I copy files to this share from the
>>> client, they will look like they belong to pi (user 1000) on the server.
>>> Is there some way in the /etc/exports file to adjust the parameters so
>>> that files retain my ownership on the server?
>> You're looking for userid mapping, handled by idmapd.
>> Your best long-term solution is to make the userids consistent
>> across machines by making a decision about who will be 1000, 
>> 1001 and 1002, and then changing /etc/passwd and running
>> suitable "chown -R" commands, probably followed by find
>> commands.
>> Debian automatically starts user numbering at 1000, so it's a
>> good idea to have a consistent install username, if you can
>> arrange it.
> This brings up an interesting thought. In the situation where you align 
> user IDs across a number of machines for this purpose, you'll inevitably 
> end up with situations where users are created on some of the machines 
> only for the purpose of keeping the IDs in synch so they can all play 
> nice with the NFS. Left alone, having unneeded users on a given machine 
> could be a security threat, at least in the sense that it provides a 
> greater than necessary attackable surface area. What can be done about 
> that? Obviously one thing would be setting the shell to /dev/null in the 
> password file of those machines that don't need a given user, to prevent 
> interactive logins. What else could be done? Is there a way to put an 
> account "beyond use", in any way including su, sudo etc, while still 
> having the machine recognise the user for being a user and therefore not 
> messing up the mapping of user IDs on shared resources like NFS? In 
> other words, create the sense of "yes this user exists, but they are not 
> welcome here"?

If you're getting to the stage of managing multiple users over multiple
machines, then you probably want to look at a central identity
management solution. That could be as simple as NIS, or OpenLDAP, or, if
you want things a bit more "boxed up", FreeIPA. I have several computers (a
mixture of physical and virtual) at home and just two humans, but
FreeIPA allows us to define our users once (username/password/etc) and
have that user able to log onto any FreeIPA-joined PC. Users can be
added to groups, they can even be granted permissions using the RBAC and
HBAC capabilities of FreeIPA (Role- and Host-based Access Control).


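The question above asks how to keep a uid resolvable for NFS while putting the account "beyond use". The script below is an added example, not code from anyone in this thread. It assumes the uid scheme Dan suggested has been settled as pi=1000, paulf=1001, nancyf=1002 on every machine, and that a client needing only paulf and nancyf carries "pi" purely as a placeholder; the /etc/passwd and /etc/shadow contents, the user "bob" and the hashes are constructed for the demonstration. It checks three independent measures rather than one, because a locked password (`usermod -L`) still admits SSH public-key logins, a nologin shell only blocks entry points that actually execute the login shell, and only an expiry date in the past is enforced by pam_unix's account stage for every PAM-aware service, su and login included. Setting the shell to /dev/null, as suggested in the quoted mail, is not a valid shell; Debian ships /usr/sbin/nologin for that purpose.

```shell
#!/bin/sh
# Added example (not from the thread): audit uid-placeholder accounts and
# emit the shadow-utils commands that put one beyond use.  Sample data below
# is constructed; run the emitted commands as root only on the machines where
# the user is a placeholder.

# write_samples DIR -- constructed stand-ins for /etc/passwd and /etc/shadow.
# "pi" is a properly disabled placeholder; hypothetical "bob" only has a
# nologin shell, the half-measure this script is meant to catch.
write_samples() {
    cat >"$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:uid placeholder:/nonexistent:/usr/sbin/nologin
paulf:x:1001:1001:Paul:/home/paulf:/bin/bash
nancyf:x:1002:1002:Nancy:/home/nancyf:/bin/bash
bob:x:1003:1003:uid placeholder:/nonexistent:/usr/sbin/nologin
EOF
    # shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    # "!" = locked password; expire=1 means 1970-01-02, long past.  Fake hashes.
    cat >"$1/shadow" <<'EOF'
root:*:18000:0:99999:7:::
pi:!:18000:0:99999:7::1:
paulf:$6$EXAMPLE$notarealhash1:18000:0:99999:7:::
nancyf:$6$EXAMPLE$notarealhash2:18000:0:99999:7:::
bob:$6$EXAMPLE$notarealhash3:18000:0:99999:7:::
EOF
}

# beyond_use NAME PASSWD_FILE SHADOW_FILE
# Returns 0 when NAME has a nologin shell, a locked password hash and an
# expiry date in the past; otherwise prints what is missing and returns 1.
beyond_use() {
    name=$1 pw=$2 shf=$3 missing=""
    shell=$(awk -F: -v u="$name" '$1 == u {print $7}' "$pw")
    hash=$(awk -F: -v u="$name" '$1 == u {print $2}' "$shf")
    expire=$(awk -F: -v u="$name" '$1 == u {print $8}' "$shf")
    today=$(( $(date +%s) / 86400 ))          # days since epoch, like shadow
    case "$shell" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false) ;;
        *) missing="$missing shell=$shell" ;;
    esac
    case "$hash" in
        '!'*|'*'*) ;;                          # "!" or "*" prefix = no password auth
        *) missing="$missing password-unlocked" ;;
    esac
    if [ -z "$expire" ] || [ "$expire" -gt "$today" ]; then
        missing="$missing not-expired"
    fi
    [ -z "$missing" ] && return 0
    printf '%s still usable:%s\n' "$name" "$missing"
    return 1
}

# audit_placeholders PASSWD_FILE SHADOW_FILE USER...
# Every ordinary account (uid 1000..65533) not named in USER... is treated as
# a uid-sync placeholder on this machine and must be beyond use.
audit_placeholders() {
    pw=$1 shf=$2; shift 2
    wanted=" $* "; bad=0
    for u in $(awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' "$pw"); do
        case "$wanted" in *" $u "*) continue ;; esac
        beyond_use "$u" "$pw" "$shf" || bad=$((bad + 1))
    done
    printf '%d placeholder account(s) still usable\n' "$bad"
    [ "$bad" -eq 0 ]
}

# lock_account_cmds NAME -- print (do not run) the commands that disable
# NAME while leaving its passwd entry, and therefore its uid, in place.
lock_account_cmds() {
    cat <<EOF
usermod --lock '$1'                       # prefix hash with '!': no password auth
usermod --shell /usr/sbin/nologin '$1'    # no login shell, also for su
usermod --expiredate 1970-01-02 '$1'      # expired: pam_unix account stage refuses
EOF
}

# Demo on the constructed files: bob is flagged and the fix is printed.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_placeholders "$tmp/passwd" "$tmp/shadow" paulf nancyf || lock_account_cmds bob
rm -rf "$tmp"
```

On a real client, point beyond_use and audit_placeholders at /etc/passwd and /etc/shadow (the latter needs root to read) and list the users who genuinely belong on that machine; anything else with a human-range uid is there only for NFS and should fail none of the three checks. The uid stays in passwd, so NFS and `ls -l` keep resolving it, which is exactly the "exists, but not welcome here" state the question describes.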