
Re: NFS permissions

 
Gene Horodecki
New Member

NFS permissions

We have two servers, A and B. We control server B. On this server we want to share a few filesystems via NFS with server A. The customer has full control of server A and we do not have access to it. The user has access to server B but only to regular user accounts. We control root on B.

How do we do the following with HP-UX NFS:
- create a filesystem on B that is exported to A, but control what user/group on B owns the files. All files shared on B should always be owned by a specific user/group that we control.

Thanks.
4 REPLIES
Dennis Handly
Acclaimed Contributor

Re: NFS permissions

>but control what user/group on B owns the files. All files shared on B should always be owned by a specific user/group that we control.

The customer on A can/will have full access to every file on the exported filesystem, provided he has root to create matching UIDs. If mounted R/W, then he can do that too.

So who/what are you trying to protect? Is the customer working with or against you?
Gene Horodecki
New Member

Re: NFS permissions

The customer has been known to 'cut corners' I will say. We do not want the customer to be able to create files on server B with an arbitrary UID ownership.

Let's say they have access to UID 500 and 501 on server B. We do not want them to be able to create a user with UID 500 on server A and be able to write it, which would technically give ownership to the ID they control on server B.

We want to force all files in the export on server B to be owned by UID 499, let's say.

I believe on Linux one would use the 'all_squash' option which would force all files to be handled as if the user is anonymous, and NFS would set file ownership to a configured value. How would this be done on HP-UX?
Tingli
Esteemed Contributor

Re: NFS permissions

Create the directory in B owned by 499, then have it exported. Then in A, the mounted file system will be owned by 499 user too.
Dennis Handly
Acclaimed Contributor

Re: NFS permissions

>We do not want the customer to be able to create files on server B with an arbitrary UID ownership.

They can't. They can create it with a specific UID, limited by user and group security.

>I believe on Linux one would use the 'all_squash' option which would force all files to be handled as if the user is anonymous, and NFS would set file ownership to a configured value.

HP-UX exportfs has: anon=uid
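
For the Linux `all_squash` approach mentioned in the thread, a check of an exports file can confirm that every client entry squashes all UIDs to the intended owner. This is an added example, not code from any poster; it parses Linux exports(5) syntax only (HP-UX uses a different syntax), and the sample paths and host names are constructed, with UID/GID 499 taken from the thread.

```python
# Constructed sample in Linux exports(5) syntax; paths and host names are made up.
SAMPLE_EXPORTS = """\
# constructed sample
/export/shared  serverA(rw,sync,all_squash,anonuid=499,anongid=499)
/export/loose   serverA(rw,sync,root_squash)
/export/mixed   serverA(rw,all_squash,anonuid=500) serverC(ro)
"""

def parse_exports(text):
    """Yield (path, client, options) for every client entry in the file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        # Whitespace separates entries, so "host (rw)" is two entries:
        # "host" with default options and "(rw)" for every client.
        for token in rest.split():
            client, _, optstr = token.partition("(")
            opts = {}
            for item in optstr.rstrip(")").split(","):
                if item.strip():
                    key, _, value = item.strip().partition("=")
                    opts[key] = value
            yield path, client or "*", opts

def squash_findings(text, want_uid, want_gid):
    """Return entries that do not force ownership to want_uid/want_gid."""
    findings = []
    for path, client, opts in parse_exports(text):
        problems = []
        # Flag conservatively if the option is missing or contradicted.
        if "all_squash" not in opts or "no_all_squash" in opts:
            problems.append("all_squash not set")
        for key, want in (("anonuid", want_uid), ("anongid", want_gid)):
            got = opts.get(key)
            if got != str(want):
                problems.append(f"{key} is {got or 'unset'}, expected {want}")
        if problems:
            findings.append((path, client, problems))
    return findings

if __name__ == "__main__":
    for path, client, problems in squash_findings(SAMPLE_EXPORTS, 499, 499):
        print(f"{path} -> {client}: " + "; ".join(problems))
```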