From: Rick Macklem
To: Raimundo Santos
Cc: freebsd-net@freebsd.org
Date: Fri, 15 Apr 2016 19:35:03 -0400 (EDT)
Subject: Re: Why anyone can read and write to a nobody NFS mounted volume?
Message-ID: <1343714271.65108200.1460763303481.JavaMail.zimbra@uoguelph.ca>

Raimundo Santos wrote:
> Thank you for your time, Rick!
>
> I will take a look at the permissions of the dirs I am mounting from the
> server, but you clarified a big thing for me: it is up to the server
> machine to decide about permissions.
>
> Am I right?
>
Generally yes. (Typically an NFS client does an Access RPC to check
permissions with the server.)
One exception to normal checking is that most NFS servers allow the owner
all permissions despite the mode and acl settings.
This is mainly because NFS doesn't do a POSIX Open and checks permissions
on every read/write (whereas POSIX checks at Open only). As such, a POSIX
app. expects to be able to Open/Create a file for writing although the mode
it sets on the file is read-only.

rick

> Thank you,
> Raimundo Santos
>
> On 15 April 2016 at 19:23, Rick Macklem wrote:
>
> > Well, I suppose it is up to the server implementor. (In your case
> > Seagate...)
> > Normally NFS servers map root->nobody by default, under the assumption that
> > "nobody" is not a real user and is checked via world permissions.
> > --> I'd say a typical server would allow anyone (including "nobody" access)
> >     if the file's mode includes world "rw".
> >
> > But none of this is defined in any of the NFS RFCs as far as I recall (the
> > RFCs basically define what goes on the wire), so I think it is up to the
> > server implementor.
> > --> If the file doesn't have world permissions, then I would consider this
> >     atypical and you might want to check with the server implementor in
> >     case this is configurable?
> >
> > Now, if you are using NFSv4 and uid<->user mapping isn't set up correctly,
> > any uid/gid that can't be mapped to another name will go on the wire to the
> > server as "nobody" (and "nogroup" if I recall it correctly). So, you might
> > want to "nfsstat -m" on the client to see if you are using NFSv3 or NFSv4
> > and try NFSv3 if it isn't already what you are using.
> >
> > rick
> >
> > ----- Original Message -----
> > > Hello all!
> > >
> > > I have a strange situation: everyone and not just root can read and write
> > > to a NFS mount point whose owner is nobody:nobody.
> > >
> > > Is this an expected behaviour?
> > >
> > > FreeBSD 10.2 RELEASE as NFS client.
> > > Seagate NAS400 as NFS server.
> > >
> > > Thank you all,
> > > Raimundo Santos
> > > _______________________________________________
> > > freebsd-net@freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-net
> > > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
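
Added example, not part of the original thread: a small Python model of the server-side check described in the message above (root mapped to nobody, the owner override, otherwise the mode bits, evaluated on every read/write). The uid 65534 for "nobody", the function names and the sample files are assumptions for illustration, not any real server's code.

```python
NOBODY = 65534  # assumed uid/gid for "nobody"; the real value is server-specific

def squash(uid, gid, root_squash=True):
    """Map root to nobody, the default the thread describes."""
    if root_squash and uid == 0:
        return NOBODY, NOBODY
    return uid, gid

def nfs_access(f_uid, f_gid, mode, uid, gid, want,
               root_squash=True, owner_override=True):
    """Model of a per-request check: True if `want` ('r', 'w', 'rw') is allowed.

    There is no POSIX open on the wire, so this runs for every read/write.
    """
    uid, gid = squash(uid, gid, root_squash)
    if uid == 0:                      # unsquashed root is the server's superuser
        return True
    if uid == f_uid:
        if owner_override:            # owner allowed despite the mode bits
            return True
        shift = 6                     # owner bits
    elif gid == f_gid:
        shift = 3                     # group bits
    else:
        shift = 0                     # everyone else: world bits
    need = (4 if "r" in want else 0) | (2 if "w" in want else 0)
    return ((mode >> shift) & need) == need

def scenarios():
    """Constructed cases mirroring the thread; uids and modes are illustrative."""
    return {
        # The reported symptom: export owned by nobody:nobody with world rw.
        "user rw, nobody:nobody 0777": nfs_access(NOBODY, NOBODY, 0o777, 1001, 1001, "rw"),
        # Same export without world write: ordinary users lose write access.
        "user w, nobody:nobody 0755": nfs_access(NOBODY, NOBODY, 0o755, 1001, 1001, "w"),
        # Owner writing a file it created read-only: allowed by the override.
        "owner w, own file 0444": nfs_access(1001, 1001, 0o444, 1001, 1001, "w"),
        # Client root is squashed to nobody and falls through to world bits.
        "root r, user file 0600": nfs_access(1001, 1001, 0o600, 0, 0, "r"),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:32} {'allow' if allowed else 'deny'}")
```

Setting `owner_override=False` or `root_squash=False` shows how the same request changes outcome when the server is configured differently.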