From: Raimundo Santos
Date: Fri, 15 Apr 2016 20:20:57 -0300
Subject: Re: Why anyone can read and write to a nobody NFS mounted volume?
To: Rick Macklem
Cc: "freebsd-net@freebsd.org"

Thank you for your time, Rick!

I will take a look at the permissions of the dirs I am mounting from the
server, but you clarified a big thing for me: it is up to the server machine
to decide about permissions. Am I right?

Thank you,
Raimundo Santos

On 15 April 2016 at 19:23, Rick Macklem wrote:

> Well, I suppose it is up to the server implementor. (In your case
> Seagate...)
> Normally NFS servers map root->nobody by default, under the assumption that
> "nobody" is not a real user and is checked via world permissions.
> --> I'd say a typical server would allow anyone (including "nobody" access)
>     if the file's mode includes world "rw".
>
> But none of this is defined in any of the NFS RFCs as far as I recall (the
> RFCs basically define what goes on the wire), so I think it is up to the
> server implementor.
> --> If the file doesn't have world permissions, then I would consider this
>     atypical and you might want to check with the server implementor in case
>     this is configurable?
>
> Now, if you are using NFSv4 and uid<->user mapping isn't set up correctly,
> any uid/gid that can't be mapped to another name will go on the wire to the
> server as "nobody" (and "nogroup" if I recall it correctly). So, you might
> want to "nfsstat -m" on the client to see if you are using NFSv3 or NFSv4
> and try NFSv3 if it isn't already what you are using.
>
> rick
>
> ----- Original Message -----
> > Hello all!
> >
> > I have a strange situation: everyone and not just root can read and write
> > to a NFS mount point whose owner is nobody:nobody.
> >
> > Is this an expected behaviour?
> >
> > FreeBSD 10.2 RELEASE as NFS client.
> > Seagate NAS400 as NFS server.
> >
> > Thank you all,
> > Raimundo Santos
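
The typical server behaviour described in the quoted reply (root mapped to nobody, then ordinary mode bits deciding access), modelled as an added example that is not part of the original thread and not any NFS server's actual code. The numeric id 65534 for nobody/nogroup, the uid/gid credential shape and the sample inodes are assumptions constructed for illustration.

```python
from dataclasses import dataclass

NOBODY_UID = 65534    # assumed numeric id for "nobody"
NOGROUP_GID = 65534   # assumed numeric id for "nogroup"


@dataclass(frozen=True)
class Inode:
    """Owner, group and mode of an exported file or directory."""
    uid: int
    gid: int
    mode: int


def squash(uid, gids, root_squash=True):
    """Map the credential sent by the client to the one the server checks."""
    if root_squash and uid == 0:
        return NOBODY_UID, (NOGROUP_GID,)
    return uid, tuple(gids)


def allowed(inode, uid, gids, want, root_squash=True):
    """Owner/group/other check after squashing; want is a subset of "rw"."""
    uid, gids = squash(uid, gids, root_squash)
    if uid == 0:
        return True                    # unsquashed root bypasses mode bits
    if uid == inode.uid:
        shift = 6                      # owner class
    elif inode.gid in gids:
        shift = 3                      # group class
    else:
        shift = 0                      # world ("other") class
    bits = (inode.mode >> shift) & 0o7
    need = sum({"r": 4, "w": 2}[c] for c in set(want))
    return bits & need == need


# Constructed samples: a world-writable export root and a private directory.
SHARE = Inode(NOBODY_UID, NOGROUP_GID, 0o777)
PRIVATE = Inode(1001, 1001, 0o750)

if __name__ == "__main__":
    for name, ino in (("SHARE", SHARE), ("PRIVATE", PRIVATE)):
        for uid in (0, 1001, 1003):
            print(name, oct(ino.mode), "uid", uid,
                  "rw allowed:", allowed(ino, uid, (uid,), "rw"))
```

With mode 0777 every caller passes through the world bits regardless of the nobody:nobody owner; with 0750 a squashed root is refused like any other outsider.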