Q: NFS and permissions

Post by Uwe Dirkse » Thu, 02 Mar 2000 04:00:00



Hello,

I have a question about permissions on a NFS-mounted filesystem.

In our network we need detailed control of file access. The normal
unix file permissions don't give us enough controllability, so I use
ACLs. Now we want to mount such a filesystem on a Linux box using
NFS. I have done some tests but it doesn't work. It seems to me that
the ACLs are not checked over NFS.

Has anybody an idea what the problem may be? Does the NFS-client or
the NFS-Server check the file permissions? If the server
checks the permissions then the linux client doesn't need to know
anything about the ACLs and it should work.

Regards,

Uwe.

--
----------------------------------------------------------------
Dipl.-Inform. Uwe Dirksen
Lehrstuhl fuer Umformtechnik (LFU), Universität Dortmund
Chair of Forming Technology, University of Dortmund, Germany
Baroper Str. 301,                   44221 Dortmund
Tel: ++49 231 755-2605        Fax: ++49 231 755-2489

http://www.lfu.mb.uni-dortmund.de


Q: NFS and permissions

Post by Casper H.S. Dik - Network Security Engine » Thu, 02 Mar 2000 04:00:00


[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]


>In our network we need detailed control to file access. The normal
>unix file permissions don't give us enough controlability, so I use
>ACLs. Now we want to mount such a filesystem on a Linux box using
>NFS. I have done some tests but it doesn't work. It seems to me that
>the ACLs are not checked over NFS.

Does this happen when you give more permission with ACL, less, or
both?

If the client performs the checks locally (wrong!) then you will only
get the standard permissions.

With NFSv3, client should call the NFS3_ACCESS function;
with NFSV2, there's really no way to do this without trying operations
over the wire (which isn't possible with, e.g., access(2))

>Have anybody an idea what the problem may be? Does the NFS-client or
>the the NFS-Server check the file permissions? If the server
>checks the permissions then the linux client doesn't need to know
>anything about the ACLs and it should work.

In principle it's the server that should be doing the checking;
the Linux NFS client may be doing checks of its own.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

 
 
 

Q: NFS and permissions

Post by Uwe Dirkse » Thu, 02 Mar 2000 04:00:00


Hello,

Casper> [[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]

>> In our network we need detailed control to file access. The normal
>> unix file permissions don't give us enough controlability, so I use
>> ACLs. Now we want to mount such a filesystem on a Linux box using
>> NFS. I have done some tests but it doesn't work. It seems to me that
>> the ACLs are not checked over NFS.

Casper> Does this happen when you give more permission with ACL, less, or
Casper> both?

Thank you for your information, Casper.
I want to give more permission with ACL to the file. Below I show the
information about a test.

On Solaris:
share -F nfs -o rw=<my-host> /var/log/acl-test

lucida:/var/log/acl-test:root[28] ls -al
total 6
drwxrwxr-x+  2 root     other        512 Feb 28 11:10 ./
drwxr-xr-x   7 root     sys         1024 Feb 28 11:43 ../
-rw-rw----+  1 root     root          12 Feb 28 11:22 test

lucida:/var/log/acl-test:root[29] getfacl test

# file: test
# owner: root
# group: root
user::rw-
user:dirksen:r--                #effective:r--
group::---              #effective:---
mask:rw-
other:---

As user root:

lucida:/var/log/acl-test:root[35] cat test
meier
meier

As user dirksen:

lucida:/var/log/acl-test:dirksen[10] cat test
meier
meier

On Linux:

mount -t nfs -o vers=2 lucida:/var/log/acl-test /mnt/nfs

feynman:/mnt/nfs:dirksen[82] cat test
cat: test: Permission denied

Casper> If the client performs the checks locally (wrong!) then you will only
Casper> get the standard permissions.

Casper> With NFSv3, client should call the NFS3_ACCESS function;
Casper> with NFSV2, there's really no way to do this without trying operations
Casper> over the wire (which isn't possible with, e.g., access(2))

>> Have anybody an idea what the problem may be? Does the NFS-client or
>> the the NFS-Server check the file permissions? If the server
>> checks the permissions then the linux client doesn't need to know
>> anything about the ACLs and it should work.

Casper> In principle it's the server that should be doing the checking;
Casper> the Linux NFS client may be doing checks of its own.

Casper> Casper
Casper> --
Casper> Expressed in this posting are my opinions.  They are in no way related
Casper> to opinions held by my employer, Sun Microsystems.
Casper> Statements on Sun products included here are not gospel and may
Casper> be fiction rather than truth.

Uwe.

--
----------------------------------------------------------------
Dipl.-Inform. Uwe Dirksen
Lehrstuhl fuer Umformtechnik (LFU), Universität Dortmund
Baroper Str. 301,                   44221 Dortmund
Tel: ++49 231 755-2605        Fax: ++49 231 755-2489

http://www.lfu.mb.uni-dortmund.de
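The test above shows exactly the gap Casper describes: the Solaris server grants dirksen read access through a named-user ACL entry, but a client that evaluates only the mode bits (rw-rw----, owner root, group root) sees no read permission for dirksen and denies locally. The following Python script is an added example, not code from either poster; it parses the getfacl output quoted in the thread (embedded here as constructed sample input) and compares the answer a mode-bits-only check gives with the answer the POSIX ACL algorithm (named entries masked by the mask entry) gives. The user name dirksen and group lists in the usage call are taken from or assumed for this thread.

```python
# Added example: mode-bits-only check versus POSIX-ACL check for the file in the thread.
# Sample input constructed from the thread's getfacl output (Solaris format).
GETFACL_OUTPUT = """\
# file: test
# owner: root
# group: root
user::rw-
user:dirksen:r--                #effective:r--
group::---              #effective:---
mask:rw-
other:---
"""

# Mode bits taken from the thread's "ls -al" line: -rw-rw----+
MODE_BITS = "rw-rw----"


def parse_acl(text):
    """Parse getfacl-style output into (owner, group, entries).

    entries is a list of (tag, qualifier, perms) tuples; perms is a set of 'r','w','x'.
    Trailing '#effective:' annotations are stripped; header comments give owner/group.
    """
    owner = group = None
    entries = []
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            owner = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            group = raw.split(":", 1)[1].strip()
        elif raw.startswith("#") or not raw.strip():
            continue
        else:
            line = raw.split("#")[0].strip()       # drop "#effective:..." annotation
            parts = line.split(":")
            if len(parts) == 2:                    # mask:rw- / other:--- have no qualifier
                tag, perms = parts
                qual = ""
            else:
                tag, qual, perms = parts
            entries.append((tag, qual, {c for c in perms if c in "rwx"}))
    return owner, group, entries


def mode_bits_allow(mode, owner, group, user, groups, want):
    """What a client sees if it checks only the rwxrwxrwx bits (no ACL knowledge)."""
    if user == owner:
        bits = mode[0:3]
    elif group in groups:
        bits = mode[3:6]
    else:
        bits = mode[6:9]
    return all(c in bits for c in want)


def acl_allows(owner, group, entries, user, groups, want):
    """POSIX ACL access check: owner entry, then named user, then groups, then other.
    Named-user and all group entries are limited by the mask entry."""
    want = set(want)
    ent = {(t, q): p for t, q, p in entries}
    mask = ent.get(("mask", ""), set("rwx"))
    if user == owner:
        return want <= ent[("user", "")]
    if ("user", user) in ent:
        return want <= (ent[("user", user)] & mask)
    matched = False
    for (t, q), p in ent.items():
        if t != "group":
            continue
        if (q == "" and group in groups) or (q != "" and q in groups):
            matched = True
            if want <= (p & mask):
                return True
    if matched:                # a group entry matched but none granted everything asked for
        return False
    return want <= ent[("other", "")]


def check_access(user, groups, want="r"):
    """Return both verdicts for the thread's file so the discrepancy is visible."""
    owner, group, entries = parse_acl(GETFACL_OUTPUT)
    return {
        "mode_bits": mode_bits_allow(MODE_BITS, owner, group, user, groups, want),
        "acl": acl_allows(owner, group, entries, user, groups, want),
    }


if __name__ == "__main__":
    # dirksen's primary group is assumed to be "users" (not stated in the thread).
    for who, grps in (("root", ["root"]), ("dirksen", ["users"]), ("meier", ["users"])):
        print(who, check_access(who, grps))
```

Running it prints that root is allowed by both checks, meier by neither, and dirksen only by the ACL check: a client that stops at the mode bits reports "Permission denied" for dirksen, which is the behaviour seen on feynman with the v2 mount, while the server-side verdict would be to allow the read.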


Q: NFS and permissions

Post by Casper H.S. Dik - Network Security Engine » Thu, 02 Mar 2000 04:00:00


[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]


>mount -t nfs -o vers=2 lucida:/var/log/acl-test /mnt/nfs
>feynman:/mnt/nfs:dirksen[82] cat test
>cat: test: Permission denied

The linux client shouldn't perform the checks locally.

Since you have the source, you can remove the checks.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.


1. Mailing to NFS mail Qs

Paul> I am attempting to setup several SPARC 10s (running 2.3) and have had some
Paul> trouble getting sendmail to work as desired.  I have a central mailhost where
Paul> all incoming mail goes to, and which is NFS mounted around to each client
Paul> machine (on /var/mail/<user>).  This allows everyone to read their mail from any
Paul> machine, but doesn't let them receive mail directly addressed to each
Paul> machine.  I have setup this approach on other UNIX machines without trouble,
Paul> but the 2.X sendmail won't deliver mail to an NFS mounted file.  If this is a
Paul> regular file (or is absent) then mail is delivered, but not if NFS is involved.
Paul> Anyone attempting something similar?  I have things kludged with aliases
Paul> right now, but would really prefer the local mailers to deliver the mail rather
Paul> than passing it off to the mailhost (alias kludge).  Any ideas?

One kludge which would be easier to maintain would be to set up MX records
for all of the machines so that the mailhost is listed as the mail exchanger.
This way, all mail would go to the mailhost and you wouldn't have to update
aliases for new users, etc.

This may sound silly, but have you made sure that the files are exported
(and mounted) read-write?  I am using automount here and don't seem to
have problems mounting my mail spools.  (server=2.2, client=2.3)

Good luck and keep us posted.

--
                           matthew liggett

       part-time sysadmin, full-time slacker, perpetual student
