
Re: root_squash

 
SOLVED
'chris'
Super Advisor

root_squash

Hi,

Can someone please explain the root_squash parameter from Network File System (NFS)?
7 REPLIES
Jozef_Novak
Respected Contributor
Solution

Re: root_squash

Hi Chris,

IMHO this parameter determines whether the root user is allowed to access an NFS-shared filesystem.

J.
avizen9
Esteemed Contributor

Re: root_squash

Hello,

root_squash - Requests from root clients are mapped to the nobody user and group ID so they will only have file privileges associated with other

Please also check below for more detailed info:

http://www.linuxsecurity.com/content/view/117705/171/
'chris'
Super Advisor

Re: root_squash

My /etc/exports from the NFS server is:

/nfs/box 192.168.0.0/24(rw,no_wdelay,root_squash,insecure_locks,anonuid=1025,anongid=100)

I mount from the NFS client without problems.
But if I have root_squash in /etc/exports on the server, then I cannot write via the NFS client on the NFS server.
If I change to no_root_squash, then I can write.
What's the problem?
Matti_Kurkela
Honored Contributor

Re: root_squash

If root_squash is enabled and the root user of the NFS client host is accessing the NFS-mounted filesystem, the NFS server will re-map the root's identity to "nobody" (traditional), "nfsnobody" (on some Linux distributions and/or types of Unix) or the user identified with the anonuid and anongid options. In other words, the client-side root privilege is "squashed" away. Only the root of the NFS server has true root-level access on the shared disk.

This is a security feature. If the NFS server shares a filesystem that contains executables (e.g. /usr) and an unauthorized person gets root access on the NFS client host, without the root_squash feature the user could replace any binary in the server's filesystem with a SUID root binary of his/her own design.
If s/he can then get any user (or even a cron job) on the server to run his/her tampered executable, that executable can easily give him/her unauthorized root access on the server too.

MK
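The identity mapping described in the reply above, as an added example that is not code from any poster in this thread: it parses exports-style lines, reports which uid/gid a client's root is treated as on the server, and lists exports where root stays uid 0. The second export line, the directory ownership and mode, and the fallback id 65534 are constructed assumptions; all_squash is not modelled.

```python
import re

# Assumption: 65534 stands in for the "nobody" id used when anonuid/anongid are not set.
DEFAULT_ANON = 65534

def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports-style text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for entry in clients:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", entry)
            opts = {}
            for opt in filter(None, (m.group(2) or "").split(",")):
                key, _, value = opt.partition("=")
                opts[key] = value
            yield path, m.group(1) or "*", opts

def root_identity(opts):
    """(uid, gid) the server uses for requests from the client's root user."""
    if "no_root_squash" in opts:
        return 0, 0
    return int(opts.get("anonuid", DEFAULT_ANON)), int(opts.get("anongid", DEFAULT_ANON))

def can_write(uid, gid, dir_uid, dir_gid, dir_mode):
    """Owner/group/other write check (supplementary groups and ACLs ignored)."""
    if uid == 0:
        return True
    bit = 0o200 if uid == dir_uid else 0o020 if gid == dir_gid else 0o002
    return bool(dir_mode & bit)

def unsquashed_exports(text):
    """Exports where a client's root keeps uid 0 on the server."""
    return [(p, c) for p, c, o in parse_exports(text) if root_identity(o) == (0, 0)]

# Constructed sample: the thread's export line plus a hypothetical second export.
SAMPLE = """\
/nfs/box 192.168.0.0/24(rw,no_wdelay,root_squash,insecure_locks,anonuid=1025,anongid=100)
/srv/tools 192.168.0.7(rw,no_root_squash)   # hypothetical entry
"""

if __name__ == "__main__":
    for path, client, opts in parse_exports(SAMPLE):
        uid, gid = root_identity(opts)
        # Directory metadata below is constructed: owner root:root, mode 0755.
        print(path, client, (uid, gid), can_write(uid, gid, 0, 0, 0o755))
    print("review:", unsquashed_exports(SAMPLE))
```

With root_squash and anonuid=1025,anongid=100, writes from the client's root succeed only where uid 1025 or gid 100 has write permission on the server-side directory.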
Court Campbell
Honored Contributor

Re: root_squash

Since this has already been answered, I can tell you what it's not. It definitely is not a vegetable eaten during NFS file transfers.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Steven E. Protter
Exalted Contributor

Re: root_squash

Shalom,

My understanding is root_squash controls whether root can mount an NFS share as root or not.

By default, as a security measure, you cannot mount an NFS share remotely as root. The reason is the local sharing system cannot guarantee or know the security level of the client.

An insecure host could mount a share and the sharing system can be exploited.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Court Campbell
Honored Contributor

Re: root_squash

SEP, Matti is actually correct.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"