Date:      Fri, 15 Apr 2016 19:35:03 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Raimundo Santos <raitech@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Why anyone can read and write to a nobody NFS mounted volume?
Message-ID:  <1343714271.65108200.1460763303481.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <CAGQ6iC8NFKGAuw0Hv%2BU9_qt01cFB2-8QPp5wb1PrRWzvf9qJMQ@mail.gmail.com>
References:  <CAGQ6iC9eOUke4nL7Tktcq0=gj6VOXULEq_ruSys859od%2Bd1tTw@mail.gmail.com> <960500313.65065742.1460758987017.JavaMail.zimbra@uoguelph.ca> <CAGQ6iC8NFKGAuw0Hv%2BU9_qt01cFB2-8QPp5wb1PrRWzvf9qJMQ@mail.gmail.com>

Raimundo Santos wrote:
> Thank you for your time, Rick!
> 
> I will take a look at the permissions of the dirs I am mounting from the
> server, but you clarified a big thing for me: it is up to the server
> machine to decide about permissions.
> 
> Am I right?
> 
Generally yes. (Typically an NFS client does an Access RPC to check permissions
with the server.) One exception to normal checking is that most NFS servers
allow the owner all permissions despite the mode and acl settings. This is
mainly because NFS doesn't do a POSIX Open and checks permissions on every read/write
(whereas POSIX checks at Open only). As such, a POSIX app. expects to be able to
Open/Create a file for writing although the mode it sets on the file is read-only.

rick

> Thank you,
> Raimundo Santos
> 
> On 15 April 2016 at 19:23, Rick Macklem <rmacklem@uoguelph.ca> wrote:
> 
> > Well, I suppose it is up to the server implementor. (In your case
> > Seagate...)
> > Normally NFS servers map root->nobody by default, under the assumption that
> > "nobody" is not a real user and is checked via world permissions.
> > --> I'd say a typical server would allow anyone (including "nobody") access
> >     if the file's mode includes world "rw".
> >
> > But none of this is defined in any of the NFS RFCs as far as I recall (the
> > RFCs basically define what goes on the wire), so I think it is up to the
> > server implementor.
> > --> If the file doesn't have world permissions, then I would consider this
> >     atypical and you might want to check with the server implementor in
> >     case this is configurable?
> >
> > Now, if you are using NFSv4 and uid<->user mapping isn't set up correctly,
> > any uid/gid that can't be mapped to another name will go on the wire to the
> > server as "nobody" (and "nogroup" if I recall it correctly). So, you might
> > want to "nfsstat -m" on the client to see if you are using NFSv3 or NFSv4
> > and try NFSv3 if it isn't already what you are using.
> >
> > rick
> >
> > ----- Original Message -----
> > > Hello all!
> > >
> > > I have a strange situation: everyone and not just root can read and write
> > > to a NFS mount point whose owner is nobody:nobody.
> > >
> > > Is this an expected behaviour?
> > >
> > > FreeBSD 10.2 RELEASE as NFS client.
> > > Seagate NAS400 as NFS server.
> > >
> > > Thank you all,
> > > Raimundo Santos
> > > _______________________________________________
> > > freebsd-net@freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-net
> > > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
> > >
> >
> 
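
Added example, not part of the original thread and not FreeBSD or Seagate code: a simplified Python model of the server-side decision discussed above (root mapped to "nobody", the owner override, and the world bits that "nobody" falls back to). The uid 65534 for "nobody", the names Cred, FileAttr, squash, server_allows and who_can, and the sample clients and files are assumptions made for illustration.

```python
from dataclasses import dataclass

NOBODY = 65534          # assumed uid/gid of "nobody"; servers may use another value
R, W, X = 4, 2, 1       # permission bits within one rwx triplet

@dataclass(frozen=True)
class Cred:
    uid: int
    gids: tuple = ()

@dataclass(frozen=True)
class FileAttr:
    uid: int
    gid: int
    mode: int

def squash(cred, root_squash=True):
    """Map client root to "nobody", the default described in the thread."""
    if root_squash and cred.uid == 0:
        return Cred(NOBODY, (NOBODY,))
    return cred

def server_allows(cred, attr, want, root_squash=True, owner_override=True):
    """Decide one request; NFS re-checks on every read/write, not only at open."""
    cred = squash(cred, root_squash)
    if cred.uid == 0:
        return True                      # root that was not squashed
    if cred.uid == attr.uid:
        if owner_override:
            return True                  # owner allowed despite the mode bits
        granted = (attr.mode >> 6) & 7
    elif attr.gid in cred.gids:
        granted = (attr.mode >> 3) & 7
    else:
        granted = attr.mode & 7          # world bits: where "nobody" usually lands
    return (granted & want) == want

def who_can(attr, creds, want):
    """Return the names from creds (name -> Cred) that the model lets through."""
    return sorted(n for n, c in creds.items() if server_allows(c, attr, want))

# Constructed sample clients and files, not taken from the thread.
CLIENTS = {"root": Cred(0, (0,)), "alice": Cred(1001, (1001,)), "bob": Cred(1002, (1002,))}
WORLD_RW = FileAttr(uid=NOBODY, gid=NOBODY, mode=0o666)
PRIVATE = FileAttr(uid=1001, gid=1001, mode=0o640)
READONLY_OWNED = FileAttr(uid=1001, gid=1001, mode=0o444)

if __name__ == "__main__":
    for name, f in [("world rw", WORLD_RW), ("private", PRIVATE), ("0444", READONLY_OWNED)]:
        print(name, who_can(f, CLIENTS, R | W))
```

In this model, removing the world bits on the server side is what stops squashed root and unrelated users; the client's view of the mode does not decide anything.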


