[zfs-discuss] How to stop NFS files being world-writable

Adam Nielsen a.nielsen at shikadi.net
Sat Nov 10 03:12:37 EST 2018

> > I have exported a handful of shares via NFS
> > (sharenfs=rw=@, but when I mount them on the client
> > machines, any files or folders I create are world-writable:
> Can you test this using NFS shares directly? (E.g. not using ZFS "sharenfs"
> options)?
> ZFS only uses the existing NFS tools and overrides the /etc/exports file for
> its own purposes, which makes it more likely to be caused by the NFS
> implementation on the host and/or client than ZFS.

Good idea, I didn't think to do that.  You are right, doing this has
the same result.  It looks like an NFS problem rather than a ZFS one.

However if I export a non-ZFS share via NFS, then the permissions are
fine.  I tried bind-mounting a ZFS share into the same folder on the
server that is exported via NFS, and using the same client and mount
path.  When there is an ext4 filesystem behind the mount, the
permissions are fine (0755/0644).  But if ZFS is behind the mount (even
through a bind mount), the permissions are too open (0777/0666).

There don't seem to be any options to control permission mapping with
NFS like there are with Samba so I don't really know where to even
start looking!

> For clarity, on my NFS shares (from ZFS host), I don't see this behaviour.

Are you running a kernel >= 4.18.9?  I was running 4.18.9 when I first
noticed the problem, just in case it's a kernel issue.

> I do see a different issue where group-memberships don't work correctly, but 
> that seems to be related to too many groups for which I had a working solution 
> (with NFS3), but this doesn't seem stable using NFS4, see:
> https://www.xkyle.com/solving-the-nfs-16-group-limit-problem/

Interesting - haven't come across that one myself but the only time
I've had that many groups the machine was exporting via SMB.
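
The comparison described in this message (new files on an ext4-backed NFS mount coming out 0755/0644, but 0777/0666 when ZFS is behind the mount) can be scripted so the same probe runs against each mount point. This is an added example, not part of the original thread; the function names are hypothetical and it assumes a Linux client whose `stat` accepts `-c`.

```shell
#!/bin/sh
# Added example: check whether objects created under a directory honour the
# client's umask. Assumes stat supports -c '%a' (GNU coreutils or BusyBox).

# extra_bits OBSERVED UMASK BASE
# Prints, in octal, the permission bits set in OBSERVED that UMASK should have
# cleared from BASE (0666 for files, 0777 for directories). "0" means OK.
extra_bits() {
    printf '%o\n' $(( 0$1 & 0777 & ~(0$3 & ~0$2) ))
}

# probe_modes DIR
# Creates one file and one directory in DIR, reports their modes, removes them.
# Returns 0 if both honour the umask, 1 if either has extra bits, 2 on error.
probe_modes() {
    dir=$1
    mask=$(umask)                       # e.g. 0022
    f="$dir/.modeprobe.$$.file"
    d="$dir/.modeprobe.$$.dir"
    rc=0
    : > "$f" && mkdir "$d" || { rm -rf "$f" "$d"; return 2; }
    for item in "$f:0666" "$d:0777"; do
        path=${item%:*}                 # text before the last colon
        base=${item##*:}                # creation mode before the umask applies
        obs=$(stat -c '%a' "$path")
        extra=$(extra_bits "$obs" "$mask" "$base")
        echo "$path mode=$obs umask=$mask extra=$extra"
        [ "$extra" = 0 ] || rc=1
    done
    rm -rf "$f" "$d"
    return $rc
}

# Stand-alone use: pass the mount point to probe as the first argument.
if [ $# -gt 0 ]; then
    probe_modes "$1"
fi
```

With a umask of 0022, the modes reported above for the ZFS-backed mount give `extra=22` for both the file and the directory, while the ext4-backed mount gives `extra=0`.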


