[zfs-discuss] How to stop NFS files being world-writable

J. Roeleveld joost at antarean.org
Sat Nov 10 04:45:47 EST 2018



On November 10, 2018 8:12:37 AM UTC, Adam Nielsen via zfs-discuss <zfs-discuss at list.zfsonlinux.org> wrote:
>> > I have exported a handful of shares via NFS
>> > (sharenfs=rw=@1.2.3.4/24), but when I mount them on the client
>> > machines, any files or folders I create are world-writable:
>> 
>> Can you test this using NFS shares directly? (E.g. not using ZFS
>> "sharenfs" options)?
>> 
>> ZFS only uses the existing NFS tools and overrides the /etc/exports
>> file for its own purposes, which makes it more likely to be caused by
>> the NFS implementation on the host and/or client than ZFS.
>
>Good idea, I didn't think to do that.  You are right, doing this has
>the same result.  It looks like an NFS problem rather than a ZFS one.
>
>However if I export a non-ZFS share via NFS, then the permissions are
>fine.  I tried bind-mounting a ZFS share into the same folder on the
>server that is exported via NFS, and using the same client and mount
>path.  When there is an ext4 filesystem behind the mount, the
>permissions are fine (0755/0644).  But if ZFS is behind the mount (even
>through a bind mount), the permissions are too open (0777/0666).
>
>There don't seem to be any options to control permission mapping with
>NFS like there are with Samba so I don't really know where to even
>start looking!

You can add the same options to the sharenfs property as you can use in the /etc/exports file.
Maybe something possible there?
Does your client use NFS4 or NFS3?

>> For clarity, on my NFS shares (from ZFS host), I don't see this
>> behaviour.
>
>Are you running a kernel >= 4.18.9?  I was running 4.18.9 when I first
>noticed the problem, just in case it's a kernel issue.

Client: not sure, can check later
Server: for sure, no. Updates are scheduled this weekend. Will definitely test this after the upgrade.

>> I do see a different issue where group-memberships don't work
>> correctly, but that seems to be related to too many groups for which
>> I had a working solution (with NFS3), but this doesn't seem stable
>> using NFS4, see:
>> https://www.xkyle.com/solving-the-nfs-16-group-limit-problem/
>
>Interesting - haven't come across that one myself but the only time
>I've had that many groups the machine was exporting via SMB.

I currently have this be an issue and then 5 minutes later it resolves itself. (Even with that flag added to the nfs startup scripts)

--
Joost
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
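
A check for the symptom discussed in this thread, added here as an example and not taken from any message in it: it creates a file and a directory under a given path with a known umask, compares the resulting modes with what the umask implies (0644/0755 for umask 022, as seen on the ext4-backed export), and lists entries that are already world-writable. The function names `probe_create_modes`, `too_open` and `world_writable` are hypothetical, and the script assumes it runs on the NFS client with write access to the mount point.

```python
import os
import shutil
import stat
import sys
import tempfile


def probe_create_modes(target_dir, umask=0o022):
    """Create a file and a dir under target_dir; return (observed, expected) modes."""
    old_umask = os.umask(umask)
    workdir = tempfile.mkdtemp(prefix="modeprobe-", dir=target_dir)
    try:
        fpath = os.path.join(workdir, "probe-file")
        dpath = os.path.join(workdir, "probe-dir")
        os.close(os.open(fpath, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666))
        os.mkdir(dpath, 0o777)
        return {
            "file": (os.stat(fpath).st_mode & 0o777, 0o666 & ~umask),
            "dir": (os.stat(dpath).st_mode & 0o777, 0o777 & ~umask),
        }
    finally:
        os.umask(old_umask)
        shutil.rmtree(workdir, ignore_errors=True)  # leave nothing behind


def too_open(result):
    """Names whose observed mode has bits the umask should have cleared."""
    return sorted(k for k, (seen, want) in result.items() if seen & ~want)


def world_writable(root):
    """Existing entries under root with o+w set (symlinks skipped)."""
    hits = []
    for base, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(base, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__" and len(sys.argv) > 1:
    mount = sys.argv[1]  # assumed: the client-side NFS mount point
    res = probe_create_modes(mount)
    for kind, (seen, want) in res.items():
        print(f"{kind}: created {seen:04o}, umask implies {want:04o}")
    print("too open:", too_open(res) or "none")
    print("\n".join(world_writable(mount)))
```

Running it once against the ZFS-backed export and once against the ext4-backed one, from the same client, gives a like-for-like comparison of the two cases described above.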