Friday, January 26, 2018

(no) root squash on OpenMediaVault

To combat user access abuse over NFS, the server has a mechanism called "squashing" that makes sure the identities arriving in client requests are mapped to appropriate ownership on the server end.

With the usual AUTH_SYS (AUTH_UNIX) credentials, each NFS request carries the numeric Unix user id and group id that the client claims, and the server takes those numbers at face value. Unless uids and gids are coordinated end to end, a user on the client gets whatever access the server-side account with the same number happens to have.

The special user root, uid 0, is especially dangerous: if a client-side root is honored as uid 0 on the server, it can read and modify root-owned files on the export, including privileged configuration.

Squashing lets the server take one of two actions. With root_squash, requests arriving as uid/gid 0 are "squashed" to the configured anonymous account (the 'nobody' user and group by default, or whatever anonuid/anongid specify). This applies to every request, not only writes: root on a client that creates a file in an exported directory ends up with a file owned by 'nobody', and can only read what 'nobody' can read, so root privilege does not carry across the mount. Note that root_squash only remaps uid 0; a hostile client can still claim any other uid that owns files on the export.

all_squash maps every uid and gid, not only root, to the anonymous account, so all requests from that client appear to come from the same guest user regardless of who the client claims to be.

The no_root_squash option disables root squashing entirely: uid 0 from the client is honored as uid 0 on the server, so anyone who is root on (or can spoof the address of) a permitted client is root on the export. This is the option to look for in the /etc/exports that OpenMediaVault generates for its NFS shares.

The excerpt below is clipped from the exports(5) man page, which lists further options beyond these.

root_squash
    Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does not apply to any other uids or gids that might be equally sensitive, such as user bin or group staff.
no_root_squash
    Turn off root squashing. This option is mainly useful for diskless clients.
all_squash
    Map all uids and gids to the anonymous user. Useful for NFS-exported public FTP directories, news spool directories, etc. The opposite option is no_all_squash, which is the default setting.
anonuid and anongid
    These options explicitly set the uid and gid of the anonymous account. This option is primarily useful for PC/NFS clients, where you might want all requests appear to be from one user. As an example, consider the export entry for /home/joe in the example section below, which maps all requests to uid 150 (which is supposedly that of user joe).


# sample /etc/exports file
/               master(rw) trusty(rw,no_root_squash)
/projects       proj*.local.domain(rw)
/usr            *.local.domain(ro) @trusted(rw)
/home/joe       pc001(rw,all_squash,anonuid=150,anongid=100)
/pub            *(ro,insecure,all_squash)
/srv/www        -sync,rw server @trusted @external(ro)
/foo            2001:db8:9:e54::/64(rw)
/build          buildhost[0-9].local.domain(rw)
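
As an added example (not code from the original post, from OpenMediaVault, or from nfs-utils), the script below reads an /etc/exports file in the layout shown in the sample above, works out the effective option set for every path/client pair the way exports(5) describes it (built-in defaults, then the line's "-opt,opt" defaults, then the per-client options, with the last of a conflicting pair winning), and flags the squash problems discussed earlier: no_root_squash, and, going beyond the post, all_squash defeated by anonuid=0, the insecure option, and the classic stray space before "(rw)" that exports to every host. The option names are real exports(5) options; the reason codes, the function names, and the two extra lines appended to the man-page sample are constructed for this example.

```python
"""Audit /etc/exports for squash and exposure mistakes (added example for this
post, not code from OpenMediaVault or nfs-utils). Parses the exports(5) layout
used in the sample above: `path client(opts) ...` or `path -defaults client ...`."""
import re

# Pairs that cancel each other; like exportfs, the one listed last wins.
PAIRS = [("ro", "rw"), ("root_squash", "no_root_squash"),
         ("all_squash", "no_all_squash"), ("secure", "insecure"), ("sync", "async")]
# exports(5) defaults when an option is not given at all.
DEFAULTS = ("ro", "root_squash", "no_all_squash", "secure", "sync")
_CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")
# Reason codes used in findings (names chosen for this example).
REASONS = {
    "no_root_squash": "client root keeps uid 0 on the server; use root_squash",
    "insecure": "requests from client ports above 1023 accepted, so any client user can forge a uid",
    "anon_root": "anonuid/anongid is 0, so squashed requests become root",
    "no_host": "empty client spec (stray space before the parenthesis?) matches every host",
    "world_writable": "rw export that every host can mount",
}


def _apply(opts, new):
    """Return opts with `new` added and whatever it overrides removed."""
    out = [o for o in opts if not any(new in p and o in p for p in PAIRS)]
    if "=" in new:  # anonuid=, anongid=, fsid=: a later value replaces an earlier one
        out = [o for o in out if not o.startswith(new.split("=", 1)[0] + "=")]
    return out + [new]


def parse_exports(text):
    """Return (path, client, effective_options) for every path/client pair."""
    entries = []
    for raw in re.sub(r"\\\n", " ", text).splitlines():   # join continuation lines
        line = raw.split("#", 1)[0].strip()                # drop comments
        if not line:
            continue
        path, *fields = line.split()
        line_opts = list(DEFAULTS)
        for f in fields:                                   # '-a,b' = defaults for the whole line
            if f.startswith("-"):
                for o in filter(None, f[1:].split(",")):
                    line_opts = _apply(line_opts, o)
        for f in fields:
            if f.startswith("-"):
                continue
            m = _CLIENT_RE.match(f)
            if not m:
                raise ValueError(f"unparsable client spec {f!r} in {raw!r}")
            opts = list(line_opts)
            for o in filter(None, (m.group("opts") or "").split(",")):
                opts = _apply(opts, o)
            entries.append((path, m.group("host"), opts))
    return entries


def _anon_is_root(opts):
    return any(k in ("anonuid", "anongid") and v.isdigit() and int(v) == 0
               for k, _, v in (o.partition("=") for o in opts))


def audit(text):
    """Return (severity, path, client, reason_code) findings; codes index REASONS."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append(("HIGH", path, host, "no_root_squash"))
        if "insecure" in opts:
            findings.append(("MEDIUM", path, host, "insecure"))
        if _anon_is_root(opts):
            findings.append(("HIGH", path, host, "anon_root"))
        if host == "":
            findings.append(("HIGH", path, host, "no_host"))
        if host in ("", "*") and "rw" in opts:
            findings.append(("HIGH", path, host, "world_writable"))
    return findings


# The exports(5) sample quoted in the post, plus two constructed lines (not from
# the man page): a stray space before "(rw)", and all_squash with anonuid=0.
SAMPLE = """\
# sample /etc/exports file
/               master(rw) trusty(rw,no_root_squash)
/projects       proj*.local.domain(rw)
/usr            *.local.domain(ro) @trusted(rw)
/home/joe       pc001(rw,all_squash,anonuid=150,anongid=100)
/pub            *(ro,insecure,all_squash)
/srv/www        -sync,rw server @trusted @external(ro)
/foo            2001:db8:9:e54::/64(rw)
/build          buildhost[0-9].local.domain(rw)
/export/media   192.168.1.0/24 (rw)
/export/backup  192.168.1.10(rw,all_squash,anonuid=0)
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for sev, path, host, code in audit(text):
        print(f"{sev:6} {path} -> {host or '(everyone)'}: {REASONS[code]}")
```

Run as `python3 audit_exports.py /etc/exports` to audit the live file; with no argument it runs on the embedded sample and reports the trusty entry for no_root_squash, /pub for insecure, the stray-space /export/media entry twice, and /export/backup for anonuid=0. On the server, `exportfs -v` prints the options the kernel actually applies, which is the right thing to compare against after changing an OpenMediaVault share.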

