[ale] root_squash on backup server
John Heim
john at johnheim.net
Wed Oct 2 09:20:39 EDT 2013
I don't think I'm going to be able to get the other department to create
a user for me. If I get them to set no_root_squash, I figured I could
change the ownership by just setting the uid and gid to whatever I need
it to be. I am not entirely sure you can change the ownership of files
on an NFS share to that of users not on the remote server but I would
think so. I know it owrks the other way to a degree. If you mount a
share that has files owned by users who are not on your system, it just
identifies them by uid and gid. So if you do an 'ls -l', you see the uid
and gid numbers there instead of the owner and group names.
I know you can change ownership of a file that is on your own system by
giving uid and gid, "chown 34:97 /home/john/bogus.txt". But I don't know
for sure if that would work over nfs. Well, actually, I'm thinking it
should work to say, "chown amadmin:amadmin /bigdisk/vtapes/slot01" where
the nfs share is mounted on /bigdisk because. amadmin is a recognized
user/group on my system. If you do an 'ls -l' on the nfs server, it
would show just numbers. (I think.)
On 10/01/13 17:34, Jim Kinney wrote:
> Hi John,
>
> You need root_squash on AND an amanda user with a matching UID/GID
> that owns the nfs share. That way amanda can read and write and root
> access is no needed.
>
> It may be required to run idmapd to translate between
> nfs-server:amanda and
> backup-system:amanda if the GIDs can't be made to match.
>
> If the network uses LDAP, then just create the amanda user in LDAP and
> should just work with root_squash on.
>
> The only headache is if at some point a low-level process that must
> run as root also needs to access the backup space. It just won't work
> unless you can copy files as amanda to another place as root. I got
> hit with this using bacula and a remote nfs share with root_squash on
> and a need to run low-level btape commands. it just wouldn't work.
> Root user was totally barred from accessing the space.
>
>
> On Tue, Oct 1, 2013 at 5:38 PM, John Heim <john at johnheim.net
> <mailto:john at johnheim.net>> wrote:
>
> My department got some space on a file server at another
> department. I can access it via an NFS mount. BBut I guess the
> root_squash option is set for the share because all the files I
> create are owned by nobody:root and I can't change the ownership.
> I want to use this space for amanda virtual tapes. Amanda doesn't
> want to run as user root.
>
> So I'm thinking of asking the other department to turn off
> root_squash (set no_root_squash option for the share). But I don't
> want to look like a dope so I want to make sure I'm right about
> one thing ... It doesn't make my data any less secure, right?
> Here's my reasoning:
>
> I can create files only as nobody:root anyway. The share is
> restricted by IP to just one machine. But if somebody gets past
> that (by spoofing the IP address or whatever) and mounts the
> share, they'd have the same access as I do when I'm using the
> share legitimately. That is true regardless of whether the
> root_squash or no_root_squash option is set.
>
> If there were other users besides root creating files on the share
> it would be different. You don't want john getting access to
> mary's files by just becoming root on his own machine. John could
> plug his laptop into the network, su to root, mount mary's home
> directory, and read her files. The root_squash option prevents
> that but it doesn't apply in the case of a backup server, right?
> If somebody gets past the IP restriction, they'd ahve the same
> access regardless of whether whether root is squashed. (I think.)
>
>
>
> I think I'm going to have to figure out how to encrypt data
> written to a amanda virtual tape. But that's a question for the
> amanda list.
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org <mailto:Ale at ale.org>
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
>
>
> --
> --
> James P. Kinney III
> ////
> ////Every time you stop a school, you will have to build a jail. What
> you gain at one end you lose at the other. It's like feeding a dog on
> his own tail. It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
> ////
> http://heretothereideas.blogspot.com/
> ////
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
More information about the Ale
mailing list