A privileged user on a client machine may be denied privileged user access to mounted remote resources unless the appropriate option is specified when the resource is shared by the server. Otherwise, when a user logged in as root on one host requests access to a remote file shared through NFS, the user's ID is changed from 0 to the user ID of the username nobody. The access rights of user nobody are the same as those given to the public for a particular file. For example, if the public only has execute permission for a file, then user nobody can only execute that file.
When you share a resource, you can permit root on a particular machine to have root access to that resource by editing /etc/dfs/dfstab on the server or by specifying the appropriate options on the command line. For example, suppose you want the machine "samba" (but no others) to have privileged user access to the shared directory /usr/src. You enter the following command in /etc/dfs/dfstab or on the command line:
share -F nfs -o root=samba /usr/src
If you want more than one client to have root access, you can specify each in a colon-separated list, as follows:
share -F nfs -o root=samba:raks:jazz /usr/src
If you want all client processes with user ID 0 to have privileged user access to /usr/src, you enter:
share -F nfs -o anon=0 /usr/src
anon is short for "anonymous." Anonymous requests, by default, get their user ID changed from its previous value (whatever it may be) to the user ID of username nobody. NFS servers label as anonymous any request from a root user (user ID is 0) who is not in the list following the root= option in the share command. The anon=0 option tells the kernel to use the value 0 for anonymous requests. The result is that all root users retain their user ID of 0.
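To review which shares on a server grant root access in either of the ways described above, the following added example (not part of the original documentation) scans a dfstab-style file for root= and anon=0. The function name audit_dfstab and the sample paths are constructed for illustration, and the script assumes one simple share command per line.

```shell
#!/bin/sh
# audit_dfstab FILE: list NFS shares that give clients root access,
# either to named hosts (root=host[:host...]) or to every client (anon=0).
# The body runs in a subshell so set -f and IFS changes do not leak out.
audit_dfstab() (
    file=$1
    set -f                          # no filename expansion while splitting
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line                # split the line into words
        [ "$1" = share ] || continue
        fstype=nfs opts= path=
        while [ $# -gt 0 ]; do
            case $1 in
                -F) fstype=$2 ;;
                -o) opts=$2 ;;
            esac
            path=$1                 # the last word is the shared pathname
            shift
        done
        [ "$fstype" = nfs ] || continue
        old_ifs=$IFS; IFS=,         # options are comma-separated
        for opt in $opts; do
            case $opt in
                root=*) printf '%s: root access for hosts %s\n' "$path" "${opt#root=}" ;;
                anon=0) printf '%s: anon=0, root access for every client\n' "$path" ;;
            esac
        done
        IFS=$old_ifs
    done < "$file"
)

# Constructed sample input; on a server, pass /etc/dfs/dfstab instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed dfstab for illustration
share -F nfs -o root=samba:raks:jazz /usr/src
share -F nfs -o rw,anon=0 /export/home
share -F nfs -o ro /usr/share/man
EOF
audit_dfstab "$sample"
rm -f "$sample"
```

Each anon=0 line reported deserves particular attention, because it extends root access to every client rather than to a named list of hosts.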