Operating System - HP-UX
Ramesh Velu
Occasional Contributor

NFS server's option anon=-1

I am trying to understand the behaviour of exporting a directory with the anon=-1 option on the NFS client. Interestingly, I found that the anonymous user (a user who exists on the NFS client but not on the NFS server) still has the "others" permission to the files/directories which are exported with the anon=-1 option. Is this the normal behaviour? If it is normal behaviour, what should I do to restrict all access for the anonymous user on the NFS client?
Santosh Nair_1
Honored Contributor

Re: NFS server's option anon=-1

The anon option is usually set to -2, i.e. the user nobody. From the passwd(4) man page:

The uid of -2 is reserved for remote root access by means of NFS. The pw_name usually given to this uid is nobody. Since uids are stored as signed values, the following define is included in to match the user nobody.

UID_NOBODY (-2)

Since you set anon to -1, which has no special meaning, this is just a normal user.

-Santosh
Life is what's happening while you're busy making other plans
Wim Rombauts
Honored Contributor

Re: NFS server's option anon=-1

Using the "anon=" option when exporting filesystems tells the NFS server what to do with unknown users (unknown UIDs).
Using -anon=65534 or -anon=-2 tells the NFS server that unknown users (as well as a remote root) use the specified UID on the local system. The numbers I have given are for user nobody. You could create a specific user with whatever UID you choose and tell the NFS server to use that UID when an unknown remote UID tries to access the exported filesystem. You can give that specific user specific access to your filesystem or to directories/files in the filesystem.
Marc Ahrendt
Super Advisor

Re: NFS server's option anon=-1

I thought anon=-1 means that if the user is not known to the server then that user is not allowed access to the exported file system, while anon=-2 means that if the user is not known to the server then the server treats the user as the "nobody" user.
hola
linuxfan
Honored Contributor

Re: NFS server's option anon=-1

Hi Ramesh,

From the man page for exportfs:

/Begin/
anon=uid If a request comes from an unknown user, use uid as the effective user ID.

Root users (user ID 0) are always treated as user unknown by the NFS server unless they are included in the root option below.

If the client is a UNIX system, only root users are considered unknown. All other users are recognized even if they are not in /etc/passwd.

The default value for uid is the user ID of user nobody. If user nobody does not exist, the value -2 is used. Setting the value of anon to -1 disables anonymous access.

/End/

So if you set anon to -1 it prevents access to root on clients (unless specified using the root option in /etc/exports) and also prevents access to users not defined on the server.

-HTH
Ramesh
They think they know but don't. At least I know I don't know - Socrates
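The following is an added illustration, not code from the thread or from HP-UX: a small Python model of the uid-mapping rules quoted from exportfs above, for a UNIX client. It shows why a client-only user still gets the "others" permission under anon=-1 (that user is not "unknown"; only root is), and how anon=-1 and the root= option change what root on the client becomes. The nobody uid of 65534 and the host names are assumed values.

```python
# Added example: simulation of the exportfs(1M) anon=/root= rules quoted above.
# Not HP-UX code; uid values and host names below are assumptions.

NOBODY_FALLBACK_UID = -2   # used when no 'nobody' account exists on the server


def effective_uid(client_uid, anon=None, root_hosts=(), client_host="",
                  server_has_nobody=True, nobody_uid=65534):
    """Return the uid the server applies to a request, or None if denied.

    Rules modelled from the man page excerpt:
    - From a UNIX client only root (uid 0) is 'unknown'; every other uid is
      used as-is, even if it is absent from the server's /etc/passwd.
    - Root keeps uid 0 only if the client host is listed in the root= option.
    - Unknown users are mapped to the anon uid; anon=-1 denies them outright.
    - Default anon uid is user nobody's uid, or -2 if nobody does not exist.
    """
    if client_uid != 0:
        return client_uid                      # known user: uid passed through
    if client_host in root_hosts:
        return 0                               # root= trusted host keeps root
    if anon is None:
        anon = nobody_uid if server_has_nobody else NOBODY_FALLBACK_UID
    if anon == -1:
        return None                            # anonymous access disabled
    return anon


def can_read(client_uid, file_owner, file_mode, **export_opts):
    """Simplified read check (owner and 'others' bits only; group ignored)."""
    uid = effective_uid(client_uid, **export_opts)
    if uid is None:
        return False                           # request rejected by the server
    if uid == 0:
        return True                            # root on the server side
    if uid == file_owner:
        return bool(file_mode & 0o400)         # owner read bit
    return bool(file_mode & 0o004)             # 'others' read bit


if __name__ == "__main__":
    # Constructed scenario: uid 1005 exists on the client only; file is
    # owned by uid 1001 with mode 0644, exported with anon=-1.
    print(can_read(1005, 1001, 0o644, anon=-1))   # True: 'others' bit applies
    print(can_read(0, 1001, 0o600, anon=-1))      # False: client root denied
```

The first call reproduces the original poster's observation; the second shows that anon=-1 only closes the door on root (and, per the man page, on clients that send genuinely unknown users), so restricting a client-only user has to be done with the file permissions themselves.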