41

I'm trying to configure NFS between two RHEL7 nodes:

first node:

```
[root@ip-10-164-175-246 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.0 (Maipo)
[root@ip-10-164-175-246 ~]# rpm -q nfs-utils
nfs-utils-1.3.0-0.el7.x86_64
[root@ip-10-164-175-246 ~]# cat /etc/exports
/var/www/html/  ip-10-184-161-46.ec2.internal(rw)
[root@ip-10-164-175-246 ~]# 
```

second node:

```
[root@ip-10-184-161-46 ~]# mount ip-10-164-175-246.ec2.internal:/var/www/html/ /mnt/
[root@ip-10-184-161-46 ~]# touch /mnt/$$
touch: cannot touch ‘/mnt/3326’: Permission denied
[root@ip-10-184-161-46 ~]# 
```

Why can't I write anything to /mnt/ over NFS?

alexus
  • 2
    Try changing the `(rw)` in `/etc/exports` to `(rw,no_root_squash)`, doing an `exportfs -av` on the server, then remount the filesystem on the client and try again. – MadHatter Jul 08 '14 at 16:39

1 Answer

53

Does your export utilize root_squash? From the CentOS docs:

root_squash — Prevents root users connected remotely from having root privileges and assigns them the user ID for the user nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the remote server. Alternatively, the no_root_squash option turns off root squashing. To squash every remote user, including root, use the all_squash option. To specify the user and group IDs to use with remote users from a particular host, use the anonuid and anongid options, respectively. In this case, a special user account can be created for remote NFS users to share and specify (anonuid=,anongid=), where is the user ID number and is the group ID number.

You'll need to add the flag no_root_squash to disable this, as it's on by default.

slm
Christopher Karel
  • 1
    Thanks, everything works as expected! I was missing `no_root_squash`, Thanks again! – alexus Jul 08 '14 at 16:52
  • 3
    I found that article on the RHEL websites: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Securing_NFS-Do_Not_Use_the_no_root_squash_Option.html . It seems it's not secure at all to use no_root_squash. What is the solution if we want to follow their recommendations? – Djidiouf May 20 '16 at 00:25
  • 1
    You'll basically want to give the 'nobody' user the ability to modify the appropriate files on the NFS mount. When the Root user is mapped (squashed) to nobody, it will still be able to modify them. Alternately, I believe NFSv4 allows you to define proper local/server account mappings. – Christopher Karel May 23 '16 at 20:48
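
The two approaches from this thread side by side, as an added example that is not part of the original question, answer or comments: a shell function that reads exports(5)-style lines and reports, per path and client, whether a remote root user keeps root or is squashed to the anonymous ID. The sample entries are constructed, and uid/gid 48 is an assumed owner of the exported files.

```shell
# Added example, not from the original thread. Reads exports(5)-style lines on
# stdin and prints "<verdict> <path> <client> <detail>" per path/client pair.
# Assumes one export per line: no backslash continuations or quoted paths.
audit_exports() (
    set -f                                  # a client spec such as "*" must not glob
    sed -e 's/#.*//' | while read -r path clients; do
        [ -n "$path" ] || continue          # blank or comment-only line
        defaults=
        for entry in $clients; do
            case $entry in
                -*)     defaults=${entry#-}; continue ;;   # "-opts" default list
                *\(*\)) client=${entry%%\(*}; opts=${entry#*\(}; opts=${opts%\)} ;;
                *)      client=$entry; opts= ;;
            esac
            noroot=0 all=0 anonuid=default anongid=default
            old_ifs=$IFS; IFS=,
            for o in $defaults $opts; do    # per-client options override defaults
                case $o in
                    no_root_squash) noroot=1 ;;
                    root_squash)    noroot=0 ;;
                    all_squash)     all=1 ;;
                    anonuid=*)      anonuid=${o#anonuid=} ;;
                    anongid=*)      anongid=${o#anongid=} ;;
                esac
            done
            IFS=$old_ifs
            if [ "$noroot" -eq 1 ]; then    # flagged even when all_squash is also set
                verdict=WEAK detail="no_root_squash: remote root keeps uid 0"
            elif [ "$all" -eq 1 ]; then
                verdict=OK detail="all_squash anonuid=$anonuid anongid=$anongid"
            else                            # root_squash is on by default
                verdict=OK detail="root_squash anonuid=$anonuid anongid=$anongid"
            fi
            printf '%s %s %s %s\n' "$verdict" "$path" "${client:-<any>}" "$detail"
        done
    done
)

# Constructed sample: the thread's export with the accepted fix, then a squashed
# alternative (uid/gid 48 is an assumed owner of the exported files).
sample_exports() {
    cat <<'EOF'
/var/www/html/  ip-10-184-161-46.ec2.internal(rw,no_root_squash)
/var/www/html/  ip-10-184-161-46.ec2.internal(rw,anonuid=48,anongid=48)
/srv/pub        -ro,all_squash *
EOF
}
sample_exports | audit_exports
```

On a server, run it as `audit_exports < /etc/exports`; for the squashed variant to allow writes, the exported files must be writable by the anonuid/anongid given in the entry.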