NFS shared directory permission (rhel6)
夜神 岩男
supergiantpotato at yahoo.co.jp
Tue Aug 2 17:32:00 UTC 2011
On 08/03/2011 02:05 AM, Tom H wrote:
> NFSv4 works without Kerberos or LDAP/NIS/NIS+.
Of course it does, but can the permissions be exported per user by
UID/GID mask or are the exports still blanket ro/rw (which is the real
point of this thread)? Further, can you escape from the nfs_mount_t
context and give native SELinux contexts to the export on the client
side with this setup?
(That would be really cooking from one perspective, but also pretty
insecure without authentication -- which is why I had always been under
the impression that this was specifically forbidden.)
> The username and idmapd domain have to match (perhaps the UID too but
> I've never tried different UIDs as you suggest above and the
> description of idmapd does say that the ID is sent as
> username at domain).
That would be neat.
Can you direct me to a sample idmapd configuration that achieves this:
rpc.idmapd + hostname-declared domains that are common (does DNS need to
be enabled for this?) + /etc/passwd and /etc/group files + NFSv4 UIDs
and GIDs accurately mapped for permissions across exports (not just ro
or blanket rw).
It could fill in some holes and perhaps I've just never been able to
find the right way to make idmapd domains stick with SELinux enabled
without using some form of authentication. Is sssd or nslcd or nscd
required somewhere in there, or do these just satisfy Kerberos requirements?
If I can get a configuration like this working it would help the OP in
the short run, and provide more insight for the tutorial I want to write.
-Iwao