[ale] root_squash on backup server
John Heim
john at johnheim.net
Tue Oct 1 17:38:27 EDT 2013
My department got some space on a file server at another department. I
can access it via an NFS mount. BBut I guess the root_squash option is
set for the share because all the files I create are owned by
nobody:root and I can't change the ownership. I want to use this space
for amanda virtual tapes. Amanda doesn't want to run as user root.
So I'm thinking of asking the other department to turn off root_squash
(set no_root_squash option for the share). But I don't want to look like
a dope so I want to make sure I'm right about one thing ... It doesn't
make my data any less secure, right? Here's my reasoning:
I can create files only as nobody:root anyway. The share is restricted
by IP to just one machine. But if somebody gets past that (by spoofing
the IP address or whatever) and mounts the share, they'd have the same
access as I do when I'm using the share legitimately. That is true
regardless of whether the root_squash or no_root_squash option is set.
If there were other users besides root creating files on the share it
would be different. You don't want john getting access to mary's files
by just becoming root on his own machine. John could plug his laptop
into the network, su to root, mount mary's home directory, and read her
files. The root_squash option prevents that but it doesn't apply in the
case of a backup server, right? If somebody gets past the IP
restriction, they'd ahve the same access regardless of whether whether
root is squashed. (I think.)
I think I'm going to have to figure out how to encrypt data written to
a amanda virtual tape. But that's a question for the amanda list.
More information about the Ale
mailing list