You're nobody until ...

Before we go any further with this, it's good to start with an important caution. Any type of "trust" between root on one server and root on another represents a security risk. If one server trusts another, any compromise of the trusted system can be propagated to the trusting server. So, we should use a good dose of caution before we modify the normal not-so-trusting nature of a service such as NFS.

If a file system shared by one server is mounted on another in such a way that root on the mounting system is given the full authority of root on the sharing server, then anyone who acquires root access on the mounting system has as much authority over that file system's content as root on the sharing server. When you really need this kind of full control from a number of systems, it's available to you, and it is often a better approach than sharing the file system in a way that gives ordinary users full access to the files.

You can give root on trusted servers full access to file systems they are mounting by sharing those file systems with the root= option as shown here:

share -F nfs -o rw,root=trust1:trust2:trust3 /shared_dir

If you don't provide root trust, root on the systems mounting the shared volume will be treated as the unprivileged "nobody".

How the ownership of files on mounted volumes appears depends on another setting. The last line of the /etc/default/nfs file sets the NFSMAPID_DOMAIN variable; by default that line is commented out and your DNS domain is used as the mapping domain. This setting should be the same across the systems sharing file systems. Instead of "#NFSMAPID_DOMAIN=domain", you might have "NFSMAPID_DOMAIN=dynamic". If all of the files in your mounted file systems appear to be owned by nobody/nobody, look into this setting. Instead of this:

boson# ls -l /mnt2
total 2
-rw-r--r--   1 nobody   nobody      2412 Aug 25 19:01 file2
-r--r--r--   1 nobody   nobody       372 Aug 25 19:09 accts

You probably want to see this:

boson# ls -l /mnt2
total 2
-rw-r--r--   1 root     root        2412 Aug 25 19:01 file2
-r--r--r--   1 gizmo    staff        372 Aug 25 19:09 accts

Changes in NFS settings of this sort seem to take a while to propagate, so don't be surprised if you find yourself staring at "nobody nobody", call a coworker over to take a look and, by the time s/he appears, see "root root" on your screen.
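Both of the settings above are worth auditing: which hosts have been handed root= trust on each export, and whether NFSMAPID_DOMAIN is really the same on the systems involved. The script below is an added example, not part of the original article, and it works on constructed text rather than a live host: a sample /etc/default/nfs in two variants (one with the default commented-out line, one with a domain set) and a sample of `share` output in the four-column Solaris layout (dash, path, options, description). It is written for POSIX sh with awk; the sample hosts, paths and domain names are made up.

```sh
#!/bin/sh
# Added audit helper (not from the article): report the effective
# NFSMAPID_DOMAIN from /etc/default/nfs text, and list the root=-trusted
# hosts for each export found in `share` output.

# Constructed /etc/default/nfs fragments (not copied from a real system).
# Variant 1: the NFSMAPID_DOMAIN line is still commented out (the default).
NFS_DEFAULT_COMMENTED='# NFS server defaults
NFSD_SERVERS=16
#NFSMAPID_DOMAIN=domain'

# Variant 2: an administrator has set the domain explicitly.
NFS_DEFAULT_SET='NFSD_SERVERS=16
NFSMAPID_DOMAIN=example.com'

# Constructed `share` output: one export with three root-trusted hosts,
# one with none, one read-only export trusting a single build host.
SHARE_OUTPUT='-               /shared_dir   rw,root=trust1:trust2:trust3   ""
-               /export/home   rw   ""
-               /export/tools   ro,root=build1   "tools"'

# Print the effective NFSMAPID_DOMAIN: the assigned value when an
# uncommented assignment exists, otherwise a marker for the DNS default.
effective_mapid_domain() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*NFSMAPID_DOMAIN=/ { val = $2 }
        END { if (val == "") print "(default: DNS domain)"; else print val }'
}

# For each export print "path<TAB>hosts": the root=-trusted hosts as a
# comma-separated list, or "-" when remote root is mapped to nobody.
root_trusted_hosts() {
    printf '%s\n' "$1" | awk '{
        path = $2; opts = $3; hosts = "-"
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^root=/) { hosts = substr(o[i], 6); gsub(":", ",", hosts) }
        printf "%s\t%s\n", path, hosts
    }'
}

# Return 0 when two /etc/default/nfs texts resolve to the same domain.
domains_match() {
    [ "$(effective_mapid_domain "$1")" = "$(effective_mapid_domain "$2")" ]
}

# Report against the constructed samples.
echo "Server A NFSMAPID_DOMAIN: $(effective_mapid_domain "$NFS_DEFAULT_SET")"
echo "Server B NFSMAPID_DOMAIN: $(effective_mapid_domain "$NFS_DEFAULT_COMMENTED")"
if domains_match "$NFS_DEFAULT_SET" "$NFS_DEFAULT_COMMENTED"; then
    echo "Mapping domains agree."
else
    echo "Mapping domains differ: expect nobody/nobody ownership on mounts."
fi
echo "Exports and root-trusted hosts:"
root_trusted_hosts "$SHARE_OUTPUT"
```

On a real server you would feed `effective_mapid_domain "$(cat /etc/default/nfs)"` and `root_trusted_hosts "$(share -F nfs)"` instead of the constructed strings; any export that lists hosts in the second column is one where a root compromise on those hosts reaches the export with full authority, so that list is the one to keep short and review.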
