Using NFS on a server

Controlling access to shared resources

Unless the appropriate option is specified when the server shares a resource, a privileged user on a client machine is denied privileged user access to the mounted remote resource. When a user logged in as root on one host requests access to a remote file shared through NFS, the user's ID is changed from 0 to the user ID of the username nobody. The access rights of user nobody are the same as those given to the public for a particular file. For example, if the public only has execute permission for a file, then user nobody can only execute that file.

When you share a resource, you can permit root on a particular machine to have root access to that resource by editing /etc/dfs/dfstab on the server or by specifying the appropriate options on the command line. For example, suppose you want the machine "samba" (but no others) to have privileged user access to the shared directory /usr/src. You enter the following command in /etc/dfs/dfstab or on the command line:

share -F nfs -o root=samba /usr/src

If you want more than one client to have root access, you can specify each in a colon-separated list, as follows:

share -F nfs -o root=samba:raks:jazz /usr/src

If you want all client processes with user ID 0 to have privileged user access to /usr/src, you enter:

share -F nfs -o anon=0 /usr/src

anon is short for "anonymous." Anonymous requests, by default, get their user ID changed from its previous value (whatever it may be) to the user ID of username nobody. NFS servers label as anonymous any request from a root user (user ID 0) whose host is not in the list following the root= option in the share command. The anon=0 option tells the kernel to use the value 0 for anonymous requests. The result is that all root users retain their user ID of 0.
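The following shell script is an added example, not part of the UnixWare manual: it simulates the user ID mapping described above for a root request, driven by the option string from a share -F nfs -o line, and walks through the three share lines shown on this page. The user ID of nobody (60001) is an assumption; check /etc/passwd on your own server.

```shell
#!/bin/sh
# Added example (not UnixWare code): simulate the server-side user ID
# mapping applied to a root request, given the options from a share line.

NOBODY_UID=60001   # assumption: uid of the username nobody on this server

# effective_uid OPTS CLIENT UID
#   OPTS   - the value given to share -o, e.g. "root=samba:raks,anon=0"
#   CLIENT - hostname the request arrived from
#   UID    - user ID presented by the client
# Prints the user ID the server will use for the request.
effective_uid() {
    opts=$1; client=$2; uid=$3
    root_list=""; anon=$NOBODY_UID

    # Walk the comma-separated option list; only root= and anon= matter here.
    for opt in $(printf '%s\n' "$opts" | tr ',' ' '); do
        case $opt in
            root=*) root_list=${opt#root=} ;;
            anon=*) anon=${opt#anon=} ;;
        esac
    done

    # Requests with a non-zero user ID are not remapped by these options.
    if [ "$uid" -ne 0 ]; then
        printf '%s\n' "$uid"
        return
    fi

    # Root from a host named in the colon-separated root= list keeps uid 0.
    case ":$root_list:" in
        *":$client:"*) printf '0\n'; return ;;
    esac

    # Any other root request is anonymous: it gets the anon= value,
    # which is nobody unless anon= was given (anon=0 leaves root as 0).
    printf '%s\n' "$anon"
}

# Walk through the three share lines from the text for several clients.
for line in 'root=samba' 'root=samba:raks:jazz' 'anon=0'; do
    for host in samba raks jazz other; do
        printf 'share -o %-22s root@%-6s -> uid %s\n' \
            "$line" "$host" "$(effective_uid "$line" "$host" 0)"
    done
done
```

Running the script prints, for each share line, which hosts keep user ID 0 and which are mapped to nobody; with anon=0 every host keeps 0. Note that the server can only act on the hostname and user ID the client presents, so a root= entry is effectively a grant of full root access to anything on the network that can present itself as that host, which is the reason for the caution below.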

NOTE: Be careful when assigning root access, since doing so compromises your system's security.

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004