# NFS and permissions

## mkc

Hi all gentoo users =)

I have an NFS scheme, in which i export /home/share, and do an all_squash, so that every file is saved with id=apache. The problem is, i can work on files in command, being a different user (because i'm in the users group) but not with graphical tools, like jedit or openoffice.

Here is my /etc/exports:

          /home/share     192.168.99.0/24(rw,sync,all_squash,anonuid=81,anongid=100)

I wish i could use openoffice (or other programs) and save normally... and have the file read/write... How could this be done?

Thank you for your help =)

----------

## jkt

please explain some things - on which station are you working in shell? on nfs server or on client? and then the same for gui.

----------

## mkc

I'm running both shell and gui on clients. Shell works fine.... the problem is in gui...

Different clients, with different usernames access the server nfs share....

----------

## jkt

are you able to access your files from shell launched from GUI (by something like `xterm`)?

what error is displayed in GUI apps?

----------

## mkc

The problem is like this....

If i do a:

```
nano -w /home/share/test1.txt
```

i can edit that file normally. if i, after saving, return in xterm and nano that file again.. i can save it...

but if i try to edit that file on jedit for example, it opens read-only.. got the picture? i think this is a weird behaviour...

----------

## jkt

And is the file being saved from the `nano` session? Are you running both GUI and shell as exactly the same user?

----------

## mkc

Yes i am....

For example.. i access the nfs share in my laptop with user mkc. The files in the share get the user apache (check my export)

The thing is, when i'm in shell, it looks like he "knows" that it should use, user apache, but in gui... it uses the mkc user.

Im sure im using same user (gui and shell) in the client...  :Sad: 

----------

## jkt

could you post output of `cat /proc/mounts` from the GUI and from shell?

----------

## mkc

Errr.. this is a stupid question.. but how do i do that in the gui???

Im actually using gnome terminal for "shell" =)

here the output of /proc/mounts:

```
rootfs / rootfs rw 0 0
/dev/root / ext3 rw,noatime 0 0
none /dev devfs rw 0 0
proc /proc proc rw,nodiratime 0 0
sysfs /sys sysfs rw 0 0
devpts /dev/pts devpts rw 0 0
none /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
none /proc/bus/usb usbfs rw 0 0
13.69.0.1:/mnt/fileserver/ /mnt/fileserver nfs rw,v2,rsize=8192,wsize=8192,hard,udp,lock,addr=13.69.0.1 0 0
```

Im not in the exact network im trying to solve the problem, but i have a replica here... so if i solve the problem here... i could solve it there =)

tanx 4 your help by the way  :Smile: 

----------

## jkt

 *mkc wrote:*   

> Errr.. this is a stupid question.. but how do i do that in the gui???
> 
> Im actually using gnome terminal for "shell" =)

 

ok  :Smile: . what happens if you try to `touch /mnt/fileserver/blablabla` (non-existing file)? is it created? could you post output of `ls -al /mnt/fileserver`? (I'm not interested in filenames, but in their permissions and permission of "." and ".." directories)

 *Quote:*   

> Im not in the exact network im trying to solve the problem, but i have a replica here... so if i solve the problem here... i could solve it there =)

 

do you have any reason to use NFSv2 and not v3?

 *Quote:*   

> tanx 4 your help by the way 

 

my pleasure  :Smile: 

----------

## mkc

Ok.. now im back in the "real" network i have to fix the problem....

 *Quote:*   

> ok what happens if you try to `touch /mnt/fileserver/blablabla`

 

 well..  i can create the file... not in the /home/share (not any more on /mnt/fileserver) but inside a folder inside that share.

 *Quote:*   

> could you post output of `ls -al /mnt/fileserver`

 

sure:

```
# ls -al /home/share/
drwxr-xr-x   11 root  root    264 Nov  8 15:41 .
drwxr-xr-x    4 root  root   4096 Feb  4 17:37 ..
```

About using NFSv2... how do i check what version am i using? kernel??  :Smile: 

By the way.. i insist on this.. i can edit the file i created inside shell.. but not on gui editor......  :Sad: 

----------

## jkt

 *mkc wrote:*   

> Ok.. now im back in the "real" network i have to fix the problem....
> 
>  *Quote:*   ok what happens if you try to `touch /mnt/fileserver/blablabla`
> 
>  well..  i can create the file... not in the /home/share (not any more on /mnt/fileserver) but inside a folder inside that share.

 

it's a directory, not a folder  :Smile: 

 *Quote:*   

> 
> 
>  *Quote:*   could you post output of `ls -al /mnt/fileserver`
> 
> sure:
> ...

 

you're running the `ls` as root, but it's unlikely that your GUI runs under it as well. change permissions of the files... you've done something wrong. what does your /etc/exports look like?

 *Quote:*   

> About using NFSv2... how do i check what version am i using? kernel?? 

 

if your NFS server supports multiple protocols, client can specify which one to use. `man nfs` for details, look at "nfsver" parameter.

----------

## mkc

my export is on the first post... but here it is again:

```
/home/share     192.168.99.0/24(rw,sync,all_squash,anonuid=81,anongid=100)
```

I can do the ls -al with normal user... im editing files inside shell with normal user.. not as root... sorry about that post...

Any more ideas?  :Sad: 

----------

## jkt

ok, what does `id` in shell say? do you have something else in the /etc/exports?

----------

## mkc

id outputs this:

```
uid=1000(mkc) gid=100(users) groups=10(wheel),81(apache),85(usb),100(users)
```

I have other stuff on exports.... but they work well since its "directories" for different company users.... Im not going to post that because i can... not allowed, sorry  :Sad: 

Im only having problems on that export because its the one who sets to the default user "apache"...  default group "users"....

----------

## jkt

ok, doesn't matter. Are there any records matching IP address of the problematic client? Anything "more concrete" than /24 netmask?

----------

## mkc

no.. don't think so... that one line defines what clients can access the nfs share... there is no specific IP entry to a specific client....

----------

## jkt

 *mkc wrote:*   

> no.. don't think so... that one line defines what clients can access the nfs share... there is no specific IP entry to a specific client....

 

yep, but I ask if there is anything else in /etc/exports which is taking effect. Or maybe your NFS server isn't using current configuration...?

----------

## jkt

So I've tried to reproduce your setup, or rather to create what you want.

/etc/exports:

```
zirafa ~ # cat /etc/exports
# /etc/exports: NFS file systems being exported.  See exports(5).
/mnt/mnt        slon.basa.dejvice.czf(rw,secure,all_squash,sync,anonuid=0,anongid=0)
```

at slon (`l` is an alias to `ls -alh`):

```
jkt@slon ~/temp $ cat /proc/mounts | grep zirafa
zirafa.basa.dejvice.czf:/mnt/mnt /mnt/zirafa/mnt/mnt nfs rw,nosuid,nodev,noexec,v3,rsize=8192,wsize=8192,hard,udp,lock,addr=zirafa.basa.dejvice.czf 0 0
jkt@slon ~/temp $ touch /mnt/zirafa/mnt/mnt/ripped/ahoj
jkt@slon ~/temp $ l /mnt/zirafa/mnt/mnt/ripped
total 64K
drwxrwxrwx  2 root root 32K Mar  3  2005 .
drwxrwxrwx  5 root root 32K Mar  3 20:34 ..
-rw-r--r--  1 root root   0 Mar  3  2005 ahoj
jkt@slon ~/temp $ id
uid=1000(jkt) gid=100(users) groups=5(tty),10(wheel),18(audio),35(games),85(usb),100(users)
jkt@slon ~/temp $ grep zirafa /etc/fstab
zirafa.basa.dejvice.czf:/mnt/mnt        /mnt/zirafa/mnt/mnt     nfs     noauto,rsize=8192,wsize=8192,noexec,nosuid,nodev        0 0
```

EDIT: but this could be irrelevant, as /mnt/mnt is VFAT which lacks support for permissions...

----------

## mkc

well... can't answer your question, because i don't understand the question... but here is a modified /etc/exports... the all one.. =)

```
cat /etc/exports
# /etc/exports: NFS file systems being exported.  See exports(5).
/home/share     192.168.1.0/24(rw,sync,all_squash,anonuid=81,anongid=100)
/home/xxxxxxx   192.168.1.0/24(rw,sync,all_squash,anonuid=1001,anongid=100)
/home/xxxxxx    192.168.1.0/24(rw,sync,all_squash,anonuid=500,anongid=100)
/home/xxxx      192.168.1.0/24(rw,sync,all_squash,anonuid=1002,anongid=100)
/home/xxx       192.168.1.0/24(rw,sync,all_squash,anonuid=1003,anongid=100)
/home/xxxxx     192.168.1.0/24(rw,sync,all_squash,anonuid=1004,anongid=100)
/home/xxxxx    192.168.1.0/24(rw,sync,all_squash,anonuid=500,anongid=100)
/home/xxxx      192.168.1.0/24(rw,sync,all_squash,anonuid=1005,anongid=100)
/home/xxxx      192.168.1.0/24(rw,sync,all_squash,anonuid=1006,anongid=100)
/home/archiv/share/image 192.168.1.0/24(rw,sync,all_squash,anonuid=500,anongid=100)
```

The NFS server is using current configuration.... im sure! =)

sorry for the time between replies... too many things at the same time...

----------

## mkc

the only difference is that you are saying to use "root" as id and gid... for the default user...

Are you able to change files in a gui program? like in openoffice?

----------

## jkt

my question - client could be matched by multiple "rules" (rows in /etc/exports), and the "most unique" line will take effect (so if you specify 192.168.1.1, it will take precedence over 192.168.1.0/24), at least IIRC  :Smile: . But you don't have anything like that in your configuration  :Sad: .

----------

## jkt

 *mkc wrote:*   

> the only difference is that you are saying to use "root" as id and gid... for the default user...
> 
> Are you able to change files in a gui program? like in openoffice?

 

I'm using the all_squash only as an attempt to reproduce your problem. And i do know that there shouldn't be any difference at all in accessing files from GUI or commandline.

----------

## mkc

so... any idea of what is going wrong??

----------

## jkt

 *mkc wrote:*   

> so... any idea of what is going wrong??

 

if you are really sure that you can access your NFS share from shell, GUI isn't running under the same euid/egid.

stupid hint: have you tried restarting the NFS daemon on server and X session on client?

----------

## mkc

yes i did....  no changes...

 *Quote:*   

> if you are really sure that you can access your NFS share from shell, GUI isn't running under the same euid/egid. 

 

yes im sure  :Sad: 

----------

## jkt

ok, then sorry - I cannot help you  :Sad: 

----------

## jkt

Maybe a hint - all_squash only tells the NFS server to consider all file operations as those with specified uid/gid, but the client's kernel will still try to check the permissions, so you'll have to tell the client to allow access also for your uid/gid.

----------

## mkc

errr.... maybe you could explain better how do i do that... pliz =)

----------

## jkt

 *mkc wrote:*   

> errr.... maybe you could explain better how do i do that... pliz =)

 

I'd suggest using "uid=your-uid,gid=uid" or some stuff with umask/fmask/dmask mount options, but I don't know if nfs fs type supports/accepts/uses them and I'm too lazy to RTFM.

----------

## mkc

Tanx for your help jkt... now the problems only are with OpenOffice... i can work with other programs normally... only open office forces me to use my own uid... it's this windows-dont-let-you-decide type of behaviour that developers should avoid...

I'll post a bug or something.. or try to get help directly from them...

tanx anyway  :Smile: 

----------

## jkt

 *mkc wrote:*   

> Tanx for your help jkt... now the problems only are with OpenOffice... i can work with other programs normally... only open office forces me to use my own uid... it's this windows-dont-let-you-decide type of behaviour that developers should avoid...

 

and what is your setup like? I cannot believe that oo could work differently than any other application. Anyway, how did you solve your problem?

----------

## mkc

i did not solve it...

Everything is working normally except with OpenOffice... If i create a document inside the exported nfs share... if i open it again, it opens read-only.

Somehow OO forces the current user id, and doesn't use the apache user, which is the default, because of the all_squash thing.

I really must use this on this share... my boss just wants things this way, because of an internal application...

----------

## jkt

 *mkc wrote:*   

> i did not solve it...
> 
> Everything is working normally except with OpenOffice... If i create a document inside the exported nfs share... if i open it again, it opens read-only.
> 
> Somehow OO forces the current user id, and doesn't use the apache user, which is the default, because of the all_squash thing.
> ...

 

OK, once again, it is impossible to happen as you describe  :Smile: .

If you can access your files for both reading & writing from shell with the same euid/egid as some GUI application, this GUI app will be able to access them, too. There is nothing which could prevent this behaviour. How could OO.o (which is not suid/sgid) change its permissions?? Are you sure you haven't found a bug in OO.o which is causing read-only access to broken document, for example?

----------

## mkc

Maybe i did... that is why im going to post this to them....

But i don't believe i have a broken document, because it happens all the time... newly created files and old ones too!! anyway.. not sure of what is really going on...  :Sad: 

But if i solve it... i'll post it here... for sure...!!

----------

## jkt

ok, so you have some directory, say, /mnt/files, which is NFS-mounted from your NFS server. What does `ls -al /mnt/files` look like? I'm especially interested in owner of ".", ".." directories and also in the files in this directory. And of course permissions of those, too. Are you 100% sure that both the shell and OO.o are running as the same uid/gid? Use `ps aux` to determine them.

----------

## mkc

sorry i took so long.. but i got sick in the meanwhile....

ps aux shows me that its the same user...

you want me to do a "ls -all /mnt/files" on the server or on the client? The strange thing is everything is working normal, except for OO.o....

----------

## jkt

 *mkc wrote:*   

> you want me to do a "ls -all /mnt/files" on the server or on the client?

 

on both of them, ideally.

----------

## mkc

SERVER:

```
faro root # ls -al /home/share/
total 30
drwxr-xr-x   11 root   root    264 Nov  8 15:41 .
drwxr-xr-x   14 root   root    376 Oct 23 13:23 ..
drwxr-xr-x    3 erhard users   104 Nov 26 10:35 cvs
drwxrwx---    2 erhard users 24368 Dec 24  2003 fonts
drwxr-xr-x    6 erhard users   144 Feb 28 19:44 httpd
drwxrwxrwx    6 erhard users   360 Feb 23 01:12 image
drwxrwx---   15 erhard users   536 Mar 10 15:18 company
drwxr-xr-x   19 mysql  mysql   552 Mar  7 14:37 mysql
drwxr-xr-x    5 erhard users   128 Dec 22  2003 software
drwxrwxrwx  132 erhard users  4248 Mar  1 16:53 sound
drwxrwx---    4 erhard users  1128 Jan 31  2003 template
```

CLIENT:

```
ladybug mkc # ls -al /home/share/
total 34
drwxr-xr-x   11 root  root    264 Nov  8 15:41 .
drwxr-xr-x    6 root  root   4096 Mar  8 00:45 ..
drwxr-xr-x    3   500 users   104 Nov 26 10:35 cvs
drwxrwx---    2   500 users 24368 Dec 24  2003 fonts
drwxr-xr-x    6   500 users   144 Feb 28 19:44 httpd
drwxrwxrwx    6   500 users   360 Feb 23 01:12 image
drwxrwx---   15   500 users   536 Mar 10 15:18 company
drwxr-xr-x   19 mysql mysql   552 Mar  7 14:37 mysql
drwxr-xr-x    5   500 users   128 Dec 22  2003 software
drwxrwxrwx  132   500 users  4248 Mar  1 16:53 sound
drwxrwx---    4   500 users  1128 Jan 31  2003 template
```

Does it help?

----------

## jkt

 *mkc wrote:*   

> Does it help?

 

Yep. As you can see, client sees the files as owned by uid 500 (which is not mapped to any username on client, additionally) and group "users". AFAIK the all_squash option won't force NFS server to send this "faked" uid/gid to the clients, instead, it will only map write requests. So, you can either persuade the NFS client to provide its own kernel (on client machine) with faked uid/gid even for existing files, or change permissions on the NFS server to allow writing to all users (or maybe some group). The first can be achieved by uid=xyz,gid=abc mount option, but I think the NFS client implementation doesn't allow them.

But maybe I'm mistaken about the NFS uid/gid advertising, and your configuration is not correct, like the all_squash option is missing or something like that... Or maybe the NFSv2 version doesn't support squashing...

----------
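Added example, not part of the thread: a small model of the two permission checks jkt describes, one against the owner/group/mode the client sees for the local user, one against the identity that `all_squash` substitutes on the server. The first three listing lines are from the client output above; the last entry is a constructed file, and the name-to-id map and the assumption that the squashed identity carries no supplementary groups are assumptions of this sketch.

```python
# Constructed sample: entries from the client `ls -al` in the thread, plus one
# hypothetical file saved through the share (owner = anonuid 81, mode 0644).
LISTING = """\
drwxr-xr-x   11 root  root    264 Nov  8 15:41 .
drwxr-xr-x    3   500 users   104 Nov 26 10:35 cvs
drwxrwx---   15   500 users   536 Mar 10 15:18 company
-rw-r--r--    1    81 users     0 Mar 10 15:20 company/new.odt
"""
NAME_TO_ID = {"root": 0, "users": 100}   # assumed mapping for names in the listing

CLIENT = (1000, {10, 81, 85, 100})       # from the `id` output posted in the thread
SQUASHED = (81, {100})                   # anonuid=81, anongid=100 from /etc/exports


def to_id(field):
    return int(field) if field.isdigit() else NAME_TO_ID[field]


def parse_ls(listing):
    """Yield (name, mode, owner_uid, group_gid) for each `ls -al` line."""
    for line in listing.splitlines():
        f = line.split(None, 8)
        if len(f) < 9:
            continue                     # skips "total N" and blank lines
        mode = 0
        for i, ch in enumerate(f[0][1:10]):
            if ch in "rwx":
                mode |= 1 << (8 - i)
        yield f[8], mode, to_id(f[2]), to_id(f[3])


def may_write(mode, owner, group, uid, gids):
    """Classic Unix check: exactly one class applies (owner, then group, then other).
    Neither identity modelled here is root, so no root override is included."""
    if uid == owner:
        return bool(mode & 0o200)
    if group in gids:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


def compare(listing=LISTING):
    """Map each entry to (client-side verdict, squashed server-side verdict)."""
    return {name: (may_write(mode, o, g, *CLIENT), may_write(mode, o, g, *SQUASHED))
            for name, mode, o, g in parse_ls(listing)}


if __name__ == "__main__":
    for name, (client_ok, server_ok) in compare().items():
        print(f"{name:18} client-view write={client_ok!s:5} squashed write={server_ok}")
```

An entry where the two verdicts differ is one where a check made against the client-side view and a write actually sent to the server can disagree.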

