1

I have created a NFS export in a GPFS/SpectrumScale filesystem I created. I have enabled AD based authentication with our domain. Everything works. The NFS export was created with NFS4.

The NFS export is mounted on some linux VMs. The problem is that when a user runs sudo they can access all the folders and change permissions on files/folders regardless of what the ACL allows.

Is there a way to prevent root from overriding the ACL?

In GPFS I set the NFS export with ROOT_SQUASH thinking that would do it but I am still able to change permissions when I sudo with a test account that does not have domain admin rights.

mrbarker
  • 137
  • 10

2 Answers2

0

Well, technically, if you do not enforce stronger security, then NFS by default will use auth_sys, where client simply tells NFS server which UID and GID to use, IOW no security. The best way to solve this issue is to export with sec=krb5 and enforce RPCSEC_GSS. You already have AD, which is kerberos server with LDAP. Check this link to see how to configure client and servers

kofemann
  • 4,626
  • 1
  • 25
  • 30
0

It appears that ROOT_SQUASH hadn't yet propagated out. I ran the following command a bit later and saw ROOT_SQUASH in the results:

mmnfs export list --nfsdefs /comp/zixf401/NFS

I then logged out of the Linux VM I was testing the NFS mount on and logged back in. After running the sudo su command and then attempting to chmod 770 one of the folders in the NFS mount, I received a not permitted message as I had hoped for.

mrbarker
  • 137
  • 10