Configuring an NFS Server

The /etc/exports file is the NFS server configuration file. It controls which files and directories are exported, which hosts can access them, and what kind of access is allowed. The general format of entries in the /etc/exports file is directory [host(option)]...

The directory variable is the full pathname of the directory or file being exported. If the directory is not followed by a host or an option, all hosts are granted read/write access to the directory.

The host variable is the name of the client granted access to the exported directory. If no host value is specified, the directory is exported to everyone. Valid host values are the following:

• Individual host names such as parrot.foobirds.org.

• Domain wildcards such as *.foobirds.org for every host in the foobirds.org domain.

• IP address/address mask pairs such as 172.16.5.0/255.255.255.0 for every host with an address that begins with 172.16.5.

• Net groups such as @group1. A net group is a name assigned to a group of individual hosts in the /etc/netgroup file. They are primarily used on systems that run NIS. (See the netgroup manual page for more details.)

The option variable defines the type of access being granted. If the option is specified without a hostname, the access is granted to all clients. Otherwise, the access is granted only to the host that is named. The two most common options are the following:

• ro Specifies that clients may read only from the directory. Writing to the directory is not permitted.

• rw Grants full read and write access to the directory. Read/write access is the default permission.

In addition to these two common options, there are several options that relate to UIDs and GIDs. NFS uses UIDs and GIDs to control file access in the same way that they are used to control access to local files. However, the fact that NFS must deal with the UIDs and GIDs assigned on several different systems means that coordination problems can be encountered. The options that help you work around these coordination problems are described in the upcoming "Mapping User IDs and Group IDs" section of this chapter.

A realistic sample /etc/exports file might contain the entries shown in Listing 9.3.

Listing 9.3: A Sample /etc/exports File

/usr            172.16.5.0/255.255.255.0(ro)
/home           172.16.5.0/255.255.255.0(rw)
/usr/local/man  flicker(rw) parrot(rw)
/usr/local/doc  flicker(rw) parrot(rw)
/usr/local/bin  hawk(rw)
/home/sales     *.sales.foobirds.org(rw)

The first entry in this file grants read-only access to the /usr directory to every client on network 172.16.5.0. In the example, the network is defined with an IP address and an address mask. Assuming that 172.16.5.0 is the local subnet, this entry grants access to everyone on the local network without also granting access to everyone in the local domain, or without trying to list all of the hosts on the local network. The /usr directory contains documentation and executables that could be of interest to any Linux client. Read permission is all that is required to access those useful files.

The second line in the example grants read and write access to the /home directory. Again, the access is given to every host on the local subnet. Perhaps the /home directory is being exported to give users NFS access to their home directories on the server. To make full use of their directories, the users require read and write permissions.

The next three lines all grant individual hosts read and write access to specific directories within the /usr directory. These entries do not affect the first line of the file. The /usr directory is still exported as read-only to all local clients. Older versions of NFS that ran under Unix did not let you export a subdirectory of a directory you already exported. Linux does, however, and it can be very useful. These additional entries were added so that the people who maintain the documentation in /usr/local/doc and /usr/local/man can modify the documentation directly from their desktop systems, and so the people who maintain the executables in /usr/local/bin can do it from their desktops.

The last line in the file exports the /home/sales directory to every host in the sales.foobirds.org subdomain. In this case, the /home/sales directory is probably used by the sales division to share files. As this shows, it is possible for the server to share directories with computers in other domains or networks.
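The entry grammar described above (directory, then host(option) pairs, with a bare option applying to everyone and a missing host meaning read/write for all) is easy to get wrong in a way that silently widens access. The following is an added example, not code from the book: a small parser for that grammar plus an audit pass that flags entries exported to every host, writable wildcard exports, and writable network exports with the size of the address range. The sample input is a constructed copy of Listing 9.3 with two deliberately loose entries (/pub and /scratch) appended; the audit rules are this example's own, not part of the NFS documentation.

```python
"""Parse /etc/exports entries and flag overly broad access (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# One client spec: optional host, then optional (comma-separated options).
_CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")


@dataclass
class ExportClient:
    host: str                                # "" means "everyone"
    options: list = field(default_factory=list)

    @property
    def kind(self) -> str:
        if self.host == "":
            return "everyone"
        if self.host.startswith("@"):
            return "netgroup"
        if "*" in self.host or "?" in self.host:
            return "wildcard"
        if "/" in self.host:
            return "network"
        return "host"

    @property
    def writable(self) -> bool:
        # rw is the default; only an explicit ro denies writes.
        return "ro" not in self.options


@dataclass
class Export:
    directory: str
    clients: list


def parse_exports(text: str) -> list:
    """Turn /etc/exports text into Export records, one per non-blank line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        directory, specs = fields[0], fields[1:]
        clients = []
        for spec in specs:
            m = _CLIENT_RE.match(spec)
            if not m:
                raise ValueError(f"bad client spec {spec!r} in line {raw!r}")
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            clients.append(ExportClient(m.group("host"), opts))
        if not clients:
            # No host and no options: everyone gets read/write.
            clients.append(ExportClient("", []))
        exports.append(Export(directory, clients))
    return exports


def audit_exports(exports: list) -> list:
    """Return findings a reviewer should look at, in file order."""
    findings = []
    for exp in exports:
        for c in exp.clients:
            if c.kind == "everyone":
                mode = "rw" if c.writable else "ro"
                findings.append(f"{exp.directory}: exported to every host ({mode})")
            elif c.kind == "wildcard" and c.writable:
                findings.append(f"{exp.directory}: writable by wildcard {c.host}")
            elif c.kind == "network" and c.writable:
                addr, mask = c.host.split("/", 1)
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                findings.append(f"{exp.directory}: writable by {net.num_addresses} "
                                f"addresses in {net}")
    return findings


# Constructed sample: Listing 9.3 plus two deliberately loose entries.
SAMPLE_EXPORTS = """\
/usr            172.16.5.0/255.255.255.0(ro)
/home           172.16.5.0/255.255.255.0(rw)
/usr/local/man  flicker(rw) parrot(rw)
/usr/local/doc  flicker(rw) parrot(rw)
/usr/local/bin  hawk(rw)
/home/sales     *.sales.foobirds.org(rw)
/pub
/scratch        (rw)
"""

if __name__ == "__main__":
    for finding in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(finding)
```

Run against the sample, the audit reports /home (writable by the whole /24), /home/sales (writable wildcard), and the two appended entries as exported to every host; the read-only /usr export and the per-host /usr/local entries produce no findings.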

Even though specific hosts have been granted read/write access to some of these directories, the access granted to individual users of those systems is controlled by standard Linux user, group, and world file permissions based on the user's UID and GID. Essentially, NFS trusts that a remote host has authenticated its users and assigned them valid UIDs and GIDs, which is sometimes called the trusted host security model. Exporting files grants the client system's users the same access to the files they would have if they directly logged in to the server.

For example, assume that the server exporting these files is wren. Further, assume that user craig has accounts on both wren and eagle, and that both systems assign him UID 501 and GID 206. Everything works fine! But what happens if hawk has a user named david, and assigns him UID 501 and GID 206? The david account now has the same access to Craig's files as the craig account. That might not be what you intended. Linux provides tools to ease this problem.
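Because the trusted host model lets a client's UID stand in for identity, the craig/david collision above is something to look for before an export goes live. As an added example (not code from the book), the following compares two passwd(5)-formatted account lists and reports every UID that names a different user on the server and on a client. The passwd contents are constructed from the wren, eagle and hawk scenario in the text; the shells and home directories in them are hypothetical.

```python
"""Report UIDs that map to different account names on two systems (added example)."""
from typing import Dict, List, Tuple


def parse_passwd(text: str) -> Dict[int, str]:
    """Map UID -> username from passwd(5)-formatted lines."""
    users: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, uid = fields[0], int(fields[2])
        if uid in users:
            raise ValueError(f"duplicate UID {uid} on the same system")
        users[uid] = name
    return users


def uid_collisions(server: Dict[int, str],
                   client: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """UIDs present on both systems but assigned to different account names."""
    return sorted(
        (uid, server[uid], client[uid])
        for uid in server.keys() & client.keys()
        if server[uid] != client[uid]
    )


def check_client(server_passwd: str, client_passwd: str) -> List[Tuple[int, str, str]]:
    """Convenience wrapper: parse both files and return the collision list."""
    return uid_collisions(parse_passwd(server_passwd), parse_passwd(client_passwd))


# Constructed sample data: craig is UID 501 on wren and eagle;
# hawk hands UID 501 to david instead.
WREN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
craig:x:501:206:Craig:/home/craig:/bin/bash
sara:x:502:206:Sara:/home/sara:/bin/bash
"""
EAGLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
craig:x:501:206:Craig:/home/craig:/bin/bash
"""
HAWK_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
david:x:501:206:David:/home/david:/bin/bash
sara:x:502:206:Sara:/home/sara:/bin/bash
"""

if __name__ == "__main__":
    for client_name, passwd in (("eagle", EAGLE_PASSWD), ("hawk", HAWK_PASSWD)):
        for uid, on_server, on_client in check_client(WREN_PASSWD, passwd):
            print(f"{client_name}: UID {uid} is {on_server} on wren but {on_client} on {client_name}")
```

Against the sample, eagle produces no findings, while hawk reports UID 501 as craig on wren but david on hawk, which is exactly the access overlap the text describes. The same comparison applies to GIDs using the group file.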
