Solaris NFS: user permissions

Solution 1

I would say that overall you are correct in your understanding of NFS. Here are some details about the points that you mentioned:

An NFSv3 server only provides the file ownership and access permissions. It's up to the client to enforce those permissions for specific users (i.e. when a process with a specific UID is requesting an fs operation).

Even if you set up NFSv4 with encryption, Kerberos authorization, and LDAP (and Krb and LDAP servers are running on a different host) then the client's root will still have the potential for at least as much fs privileges as all the allowed users and groups. But you could get protection against non-root user activity and even other hosts on the private network.

Normally clients will be very successful at enforcing the user permissions. I'm not aware of any simple method to have the file permissions ignored for an NFS mount. If that's what you want then simply set the permissions to u=rwx,g=rwx,o=rwx for all folders and u=rw,g=rw,o=rw for all files.

Off topic:

But be careful not to flip the setuid bit - that can actually end up giving a root shell to regular users (e.g. www-data) on your client. Setuid can be disabled completely with the "-o nosuid" option for NFS and non-NFS mounts.

There is a way to disable/enable rootsquash for the Solaris server (it's called something other than rootsquash in the Solaris terminology - I forgot what it was).

You can have the Solaris server mark the entire share as read only, e.g.:

zfs set sharenfs="[email protected]/16" tank/home/tabriz

Then no matter what the client does, the fs will not be writable.

It's probably not possible for a non-root user on your client to open a direct connection to the NFS server even if the program can talk the NFS protocol. This is because the NFS client is usually forced to connect from privileged ports and on healthy clients only root can do that.

Solution 2

NFS security is enforced on the client.

NFS was created back in the day when anybody who would be connecting to the NFS share was within a trusted network. You really should not use NFS if there are any untrusted entities which may be able to send packets to the NFS service.

With that out of the way, NFS will usually default to rootsquash, which means that root on the client (uid 0) is interpreted as nobody (uid 65535) on the server.

Files on disk aren't really associated with a user (this is a general rule, not specific to NFS). They are associated with a uid. If the user alice has uid 100 on the NFS server and user bob has uid 100 on the NFS client then bob will be able to access alice's files. In fact, on the client all files will display as though they are owned by bob. That is, the NFS server merely presents raw metadata to the client. It's up to the client to interpret that however it sees fit.

NFS was not designed for security. Never use NFS on a network where there are untrusted parties.
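The uid mismatch described in Solution 2 (alice and bob sharing uid 100 on different hosts) can be checked for by comparing the passwd files of the NFS server and client. This is an added example, not part of the original answers; the passwd entries, including the carol account, are constructed sample data, and the function names are made up for the illustration.

```python
"""Compare passwd(4) data from an NFS server and client for uid/name mismatches."""

# Constructed sample data: alice (server) and bob (client) share uid 100;
# carol exists on both hosts but with different uids.
SERVER_PASSWD = """\
root:x:0:0:Super-User:/root:/usr/bin/bash
alice:x:100:10:Alice:/export/home/alice:/usr/bin/bash
carol:x:101:10::/export/home/carol:/usr/bin/bash
"""
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bob:x:100:100:Bob:/home/bob:/bin/bash
carol:x:205:100::/home/carol:/bin/bash
"""

def parse_passwd(text):
    """Return {name: uid}, skipping blank, comment and malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) < 3 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users

def names_by_uid(users):
    """Invert {name: uid} into {uid: set of names}."""
    inverted = {}
    for name, uid in users.items():
        inverted.setdefault(uid, set()).add(name)
    return inverted

def uid_mismatches(server, client):
    """Return (collisions, drift): uids that map to different names on the two
    hosts, and names that hold different uids on the two hosts."""
    s_uid, c_uid = names_by_uid(server), names_by_uid(client)
    collisions = [(uid, sorted(s_uid[uid]), sorted(c_uid[uid]))
                  for uid in sorted(s_uid.keys() & c_uid.keys())
                  if s_uid[uid] != c_uid[uid]]
    drift = sorted((n, server[n], client[n])
                   for n in server.keys() & client.keys()
                   if server[n] != client[n])
    return collisions, drift

if __name__ == "__main__":
    collisions, drift = uid_mismatches(parse_passwd(SERVER_PASSWD),
                                       parse_passwd(CLIENT_PASSWD))
    for uid, s_names, c_names in collisions:
        print(f"uid {uid}: server={s_names} client={c_names}")
    for name, s, c in drift:
        print(f"user {name}: server uid {s}, client uid {c}")
```

A collision means one host's user sees the other user's files as their own over the mount; drift means a user's own files appear to belong to someone else or to an unknown uid.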

Solution 3

Sharing the directory rw says that the server should allow anyone with suitable credentials to have read and write access to the directory and its contents.

By changing the permissions on the directory and its contents to 700 and the ownership to root/root you then effectively deny access to everyone. This is because by default the Solaris NFS maps the root user from client machines to nobody.

You can find the man page for Solaris share_nfs here

Author by

700 Software

Updated on September 17, 2022

Comments

  • 700 Software
    700 Software almost 2 years

    I am very new to NFS. I would like to make sure I am clear.

    If the NFS server shares a directory rw, and all the files in the directory are permissions 700 and user/group for those files is root/root,

    On the client you would have to log in as root to see it. Is this correct?

    I am aware that a non root user on the client could make a direct connection to override this. (as in don't use the mount, just use an NFS client hack.)

    It really seems like anyone who has access to the client machine should have access to the files and that the client machine should be ignoring permissions. Only the server should handle permissions.

    Am I correct in my understanding? Is it normal to have this type of layout? Is there a way to ignore the permissions on the client side?

    • JOTN
      JOTN over 13 years
      Clean way to do what? Are you trying to have the client ignore permissions?
    • 700 Software
      700 Software over 13 years
      Sorry, I updated my question.
  • JOTN
    JOTN over 13 years
    I would agree to that for only NFSv3 and earlier. NFSv4 was a major revamp to modernize security.
  • 700 Software
    700 Software over 13 years
    Actually I am not interested in securing NFS. Just in using nfs for the automount and /home features.