Program Usage / nfs, 2010. 2. 11. 14:45
I don't think this is the reason NFS currently fails to boot over TCP, but
anyway, there is a security-related setting called squash.

No root-squash means that the root user will not be mapped to user nobody (this is normally done for security reasons) when mounting / accessing a NFS file system.

[Link: http://communities.vmware.com/thread/105011]

no-root-squash        Mount so that the file system can be accessed with root privileges
     root-squash        When the file system is accessed as root, access is granted after switching to the anonymous uid/gid

[Link: http://mnslaboratory.springnote.com/pages/952932.xhtml]

User ID Mapping

nfsd bases its access control to files on the server machine on the uid and gid provided in each NFS RPC request. The normal behavior a user would expect is that she can access her files on the server just as she would on a normal file system. This requires that the same uids and gids are used on the client and the server machine. This is not always true, nor is it always desirable.

Very often, it is not desirable that the root user on a client machine is also treated as root when accessing files on the NFS server. To this end, uid 0 is normally mapped to a different id: the so-called anonymous or nobody uid. This mode of operation (called 'root squashing') is the default, and can be turned off with no_root_squash.

By default, exportfs chooses a uid and gid of 65534 for squashed access. These values can also be overridden by the anonuid and anongid options. Finally, you can map all user requests to the anonymous uid by specifying the all_squash option.

Here's the complete list of mapping options:

root_squash
     Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does not apply to any other uids that might be equally sensitive, such as user bin.
no_root_squash
     Turn off root squashing. This option is mainly useful for diskless clients.
all_squash
     Map all uids and gids to the anonymous user. Useful for NFS-exported public FTP directories, news spool directories, etc. The opposite option is no_all_squash, which is the default setting.
anonuid and anongid
     These options explicitly set the uid and gid of the anonymous account. This option is primarily useful for PC/NFS clients, where you might want all requests appear to be from one user. As an example, consider the export entry for /home/joe in the example section below, which maps all requests to uid 150 (which is supposedly that of user joe).

[Link: http://linux.die.net/man/5/exports]

7.4. I do not have permission to access files on the mounted volume.

This could be one of two problems.

If it is a write permission problem, check the export options on the server by looking at /proc/fs/nfs/exports and make sure the filesystem is not exported read-only. If it is you will need to re-export it read/write (don't forget to run exportfs -ra after editing /etc/exports). Also, check /proc/mounts and make sure the volume is mounted read/write (although if it is mounted read-only you ought to get a more specific error message). If not then you need to re-mount with the rw option.

The second problem has to do with username mappings, and is different depending on whether you are trying to do this as root or as a non-root user.

If you are not root, then usernames may not be in sync on the client and the server. Type id [user] on both the client and the server and make sure they give the same UID number. If they don't then you are having problems with NIS, NIS+, rsync, or whatever system you use to sync usernames. Check group names to make sure that they match as well. Also, make sure you are not exporting with the all_squash option. If the user names match then the user has a more general permissions problem unrelated to NFS.

If you are root, then you are probably not exporting with the no_root_squash option; check /proc/fs/nfs/exports or /var/lib/nfs/xtab on the server and make sure the option is listed. In general, being able to write to the NFS server as root is a bad idea unless you have an urgent need -- which is why Linux NFS prevents it by default. See Section 6 for details.

If you have root squashing, you want to keep it, and you're only trying to get root to have the same permissions on the file that the user nobody should have, then remember that it is the server that determines which uid root gets mapped to. By default, the server uses the UID and GID of nobody in the /etc/passwd file, but this can also be overridden with the anonuid and anongid options in the /etc/exports file. Make sure that the client and the server agree about which UID nobody gets mapped to.

[Link: http://www.higs.net/85256C89006A03D2/web/PageLinuxNFSTroubleshooting]

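root_squash
     Maps requests from uid/gid 0 (uid 0 and gid 0 are the values of user root and group root) to the anonymous uid/gid.
     Note that this does not apply to other sensitive uids such as user 'bin'.
no_root_squash
     Does not use root squash. This option is mainly used for diskless clients (MTD device).
all_squash
     Maps all uids/gids to the anonymous uid/gid. Useful for public (anonymous?) FTP served over NFS.
     The opposite option is no_all_squash, which is the default.

Defaults
root_squash / no_all_squash
The root account is treated as anonymous (mapped to uid:65534/gid:65534 by default), and not every ID is mapped to anonymous
= individual uids/gids are used.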
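
The mapping rules summarized above can be worked through in code. This is an added example, not code from the original post or from the NFS tools: it parses export lines, computes which uid/gid the server would use for a request, and lists exports where client root is not squashed. The sample export lines, host names and function names are constructed for illustration, and one entry per line (no backslash continuation) is assumed.

```python
import re

ANON_ID = 65534  # default uid/gid exportfs picks for squashed access

# Constructed sample /etc/exports content (hosts and paths are made up).
SAMPLE_EXPORTS = """\
/srv/boot  target01(rw,no_root_squash)   # diskless client root
/srv/pub   *(ro,all_squash)
/home/joe  pc001(rw,all_squash,anonuid=150,anongid=150)
/srv/data  192.168.0.0/24(rw)
"""

def parse_export_line(line):
    """Return (path, {client: [options]}) for one exports line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    path, *specs = line.split()
    clients = {}
    for spec in specs:
        m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
        if m:
            clients[m.group(1) or "*"] = [o for o in (m.group(2) or "").split(",") if o]
    return path, clients

def effective_ids(options, uid, gid):
    """Map a request's (uid, gid) to the ids the server checks access with."""
    root_squash, all_squash = True, False   # defaults: root_squash, no_all_squash
    anonuid = anongid = ANON_ID
    for opt in options:                     # assumption: a later option wins
        key, _, val = opt.partition("=")
        if key in ("root_squash", "no_root_squash"):
            root_squash = key == "root_squash"
        elif key in ("all_squash", "no_all_squash"):
            all_squash = key == "all_squash"
        elif key == "anonuid":
            anonuid = int(val)
        elif key == "anongid":
            anongid = int(val)
    if all_squash:
        return anonuid, anongid
    if root_squash:                         # only id 0 is squashed, not e.g. bin
        uid = anonuid if uid == 0 else uid
        gid = anongid if gid == 0 else gid
    return uid, gid

def root_unsquashed(exports_text):
    """List (path, client) pairs where client root stays uid 0 on the server."""
    hits = []
    for line in exports_text.splitlines():
        entry = parse_export_line(line)
        if entry:
            path, clients = entry
            hits += [(path, c) for c, o in clients.items() if effective_ids(o, 0, 0)[0] == 0]
    return hits
```

Running `root_unsquashed` over the text of the server's own /etc/exports gives the exports to review, since each one lets root on that client act as root on the exported files.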

Posted by 구차니