Hiding Private Data on Public NFS Shares
I have a public read-only NFS share on my machine. Exporting it as read-only stops others from adding, deleting, or modifying any files. However normal Unix permission checks apply so if I make a file owned by my user id that only my user has the read permission for, anyone else can still read it as long as he has a user with the same id on his machine. I was running low on storage space on my home partition, and I needed to temporarily use this public share to store data. The problem is that I didn't want everyone to be able to read what I stored there.
I already have the root_squash option set, but that doesn't help me in this case. Reading the exports manpage, I found the all_squash option which maps all remote UIDs to the anonymous user (nobody). This way even if a remote user has a UID that matches mine, when he attempts to access a file or directory that doesn't have read permission for 'other' he can't read my data.
The moral of the story is that if you have a read-only public NFS share, it's good to add 'all_squash' to the export option list.
posted at: 11:19 | path: /computers/linux | permanent link to this entry