# nfsv4 mountpoint permissions

## DaggyStyle

Greetings,

something must have broken in my server or client: whenever I mount an nfsv4 share on my machine, the owner and group of the mountpoint change from my user to root.root

that results in a Permission denied error when I try to copy a file to the mount.

here is the fstab on the client:

```
nas_server:/mnt/media           /mnt/media              nfs             rw,async,_netdev  0  0
```

and on the server:

```
/mnt/media      10.0.0.0/24(ro,nohide,insecure,no_subtree_check)
/mnt/media      10.0.0.1(rw,nohide,insecure,no_subtree_check)
```

where my desktop's IP is 10.0.0.1

any idea what it can be?

----------

## Hu

From your description, this sounds like it works as designed.  When you shadow a directory by mounting something on it, whether local or remote, the ownership and permissions of the mounted object shadow the permissions of the directory, just as the contents of the mounted object shadow the contents of the directory.  If the exported filesystem's root directory is owned root:root, then that is what you will get on the client.

----------

## DaggyStyle

 *Hu wrote:*   

> From your description, this sounds like it works as designed.  When you shadow a directory by mounting something on it, whether local or remote, the ownership and permissions of the mounted object shadow the permissions of the directory, just as the contents of the mounted object shadow the contents of the directory.  If the exported filesystem's root directory is owned root:root, then that is what you will get on the client.

 

I'm not so sure about that, see:

```
NCC-5001-D /home/dagg # mount | grep media
nas_server:/mnt/media on /mnt/media type nfs4 (rw,relatime,vers=4.1,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.0.1,local_lock=none,addr=10.0.0.3,_netdev)
NCC-5001-D /home/dagg # whoami
root
NCC-5001-D /home/dagg # ll /mnt | grep media
drwxr-xr-x  8 root root        4096 Oct 20  2017 media
NCC-5001-D /home/dagg # ll /mnt/media/
total 61
drwxr-xr-x 79 dagg dagg 12288 Oct  3  2015 music
drwxr-xr-x  2 dagg dagg 16384 Oct  4  2015 lost+found
drwx------  4 dagg dagg  4096 Mar  5  2016 .Trash-1000
drwxr-xr-x  2 dagg dagg  4096 Sep 24  2016 concerts
drwxr-xr-x  8 root root  4096 Oct 20  2017 .
drwxr-xr-x 17 dagg dagg  4096 Jul 13 19:07 series
drwxr-xr-x 22 root root   600 Aug  7 20:26 ..
drwxr-xr-x  2 dagg dagg 16384 Oct 25 19:57 movies
NCC-5001-D /home/dagg # touch /mnt/media/file
touch: cannot touch '/mnt/media/file': Permission denied
NCC-5001-D /home/dagg # 
```

I cannot even add a file as root.

as said, it worked before...

----------

## bunder

you're probably missing no_root_squash, without it root gets demoted to "nobody".

----------

## DaggyStyle

 *bunder wrote:*   

> you're probably missing no_root_squash, without it root gets demoted to "nobody".

 

won't that give anyone write permissions on 10.0.0.1? what if I want to limit it to a specific user on 10.0.0.1?

----------

## bunder

no, only root.  you can leave it off if you want, but you'll at least want to 

```
chown dagg:dagg /mnt/media
```

on the server.

----------

## DaggyStyle

 *bunder wrote:*   

> no, only root.  you can leave it off if you want, but you'll at least want to 
> 
> ```
> chown dagg:dagg /mnt/media
> ```
> ...

 

so chown dagg server:/mnt/media (where the ids match on both machines) will do the trick without the no_root_squash option?

----------

## bunder

yeah if you don't care about root access, the chown to your user should be enough (as your /mnt/media appears to be owned by root)

```
 drwxr-xr-x  8 root root  4096 Oct 20  2017 . 
```

----------

## DaggyStyle

 *bunder wrote:*   

> yeah if you don't care about root access, the chown to your user should be enough (as your /mnt/media appears to be owned by root)
> 
> ```
>  drwxr-xr-x  8 root root  4096 Oct 20  2017 . 
> ```
> ...

 

all I want is for user dagg on 10.0.0.1 to have rw permissions on server:/mnt/media

the rest should have read support (not including root on the server). I'll give it a try, thanks.

----------

## Hu

The advice here looks good.  To elaborate on no_root_squash: when root squashing is enabled, and the client sends a uid=root, the server rewrites that as uid=nobody[1], then applies permission checks with the rewritten uid.  Since user nobody cannot access the mount with the permissions shown, a failure occurs.  When the client sends a uid!=root, root squashing is irrelevant and the client's uid is used as-is.  This has the effect that root is often less privileged than regular users, which surprises people the first time they encounter root squashing.  Its security value is not perfect, since an unrestricted root on the client can change its uid to anything else, and then it will not be squashed.  This means that root squashing protects you in two cases:

1. Permissions on the server restrict access to uid=root, so any uid other than root is guaranteed to be denied.  Therefore, no matter what id the tricky client switches to, it will not have access.
2. You care only about client programs that are not intentionally trying to subvert the system.  Such programs, by definition, will not engage in trickery like changing their uid.

As a related issue, beware all_squash.  That coerces all user ids sent by the client, rather than only uid=root.

[1] Technically, it is remapped to the anonymous id.  By tradition, the anonymous id defaults to nobody.  You can remap to some other id if you want.  See man exports.
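The uid mapping Hu describes, as an added example that is not part of the thread: a small model of how an NFS server squashes the client's credentials (root_squash by default, no_root_squash, all_squash) and then applies ordinary Unix mode bits, run against this thread's own export lines and the before/after ownership of /mnt/media. It assumes dagg is uid/gid 1000 (the .Trash-1000 entry hints at that) and that the anonymous id is the conventional 65534; both are assumptions, not facts from the thread.

```python
import stat

# Conventional "nobody"/"nogroup"; the real anonymous id is tunable with anonuid/anongid.
NOBODY_UID, NOBODY_GID = 65534, 65534


def squash(uid, gids, options):
    """Map the client's credentials the way the exports options do (assumed model)."""
    if "all_squash" in options or (uid == 0 and "no_root_squash" not in options):
        return NOBODY_UID, {NOBODY_GID}  # root_squash is the default behaviour
    return uid, set(gids)


def may_write(uid, gids, options, owner, group, mode):
    """True if a client user may create an entry in a directory exported with `options`."""
    if "rw" not in options:  # a ro export refuses writes before any uid is looked at
        return False
    euid, egids = squash(uid, gids, options)
    if euid == 0:  # only an unsquashed root bypasses the mode bits
        return True
    if euid == owner:
        bits = stat.S_IWUSR | stat.S_IXUSR
    elif group in egids:
        bits = stat.S_IWGRP | stat.S_IXGRP
    else:
        bits = stat.S_IWOTH | stat.S_IXOTH
    return mode & bits == bits  # creating a file needs w+x on the directory


# Assumed ids: dagg is uid/gid 1000, root is 0.
DAGG, ROOT = (1000, {1000}), (0, {0})
DESKTOP = {"rw", "nohide", "insecure", "no_subtree_check"}  # the 10.0.0.1 export line
LAN = {"ro", "nohide", "insecure", "no_subtree_check"}      # the 10.0.0.0/24 export line
BEFORE = dict(owner=0, group=0, mode=0o755)        # drwxr-xr-x root root, as listed
AFTER = dict(owner=1000, group=1000, mode=0o755)   # after chown dagg:dagg on the server


def thread_outcomes():
    """Reproduce the thread: root denied throughout, dagg allowed only after the chown."""
    return {
        "root before chown": may_write(*ROOT, DESKTOP, **BEFORE),
        "dagg before chown": may_write(*DAGG, DESKTOP, **BEFORE),
        "root after chown": may_write(*ROOT, DESKTOP, **AFTER),
        "dagg after chown": may_write(*DAGG, DESKTOP, **AFTER),
        "dagg from ro host": may_write(*DAGG, LAN, **AFTER),
        "root with no_root_squash": may_write(*ROOT, DESKTOP | {"no_root_squash"}, **AFTER),
        "dagg with all_squash": may_write(*DAGG, DESKTOP | {"all_squash"}, **AFTER),
    }
```

The last two rows show the trade-off the thread discusses: no_root_squash restores root's write access on the desktop, while all_squash would take write access away from dagg as well.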

----------

## DaggyStyle

I've done what bunder suggested: on 10.0.0.1 root gets a permission error, dagg doesn't.

on all other systems there are no write permissions.

all good, no?

----------

## bunder

 *Quote:*   

> all I want is for user dagg on 10.0.0.1 to have rw permissions on server:/mnt/media
> 
> the rest should have read support

 

 *Quote:*   

> I've done what bunder suggested, on 10.0.0.1 root gets permission error, dagg doesn't.
> 
> on all other systems. there is no write permissions.
> 
> all good, no?

 

sounds good to me ;)

----------

