[ubuntu] Restrict access to nfs mount



dragos2
April 12th, 2010, 12:47 PM
Hi guys,

I will mount an NFS share on a client with fstab. Is there a way to deny some users access
to that folder?

fang0654
April 12th, 2010, 03:00 PM
Make the folder not everyone viewable, and put the users that can access it into a group that owns it.

For example:

Say your nfs folder is in /media/invoices and the only users allowed to access are bill, tom, and joe:



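# Create the group that will own the share
sudo groupadd invoices
# useradd creates each account with invoices as a supplementary group;
# for an account that already exists, use: sudo usermod -aG invoices <user>
sudo useradd -G invoices bill
sudo useradd -G invoices tom
sudo useradd -G invoices joe
# Hand the tree to root:invoices, give the group access, remove access for everyone else
sudo chown root:invoices /media/invoices -R
sudo chmod g+rwX /media/invoices -R
sudo chmod o-rwX /media/invoices -R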

dragos2
April 13th, 2010, 01:07 PM
> Make the folder not everyone viewable, and put the users that can access it into a group that owns it.
>
> For example:
>
> Say your nfs folder is in /media/invoices and the only users allowed to access are bill, tom, and joe:
>
> sudo groupadd invoices
> sudo useradd -G invoices bill
> sudo useradd -G invoices tom
> sudo useradd -G invoices joe
> sudo chown root:invoices /media/invoices -R
> sudo chmod g+rwX /media/invoices -R
> sudo chmod o-rwX /media/invoices -R

Thanks, but it is not working. ACL does not work either.

iissmart
April 13th, 2010, 02:22 PM
Make sure your server is running NFSv4 and your client is mounting it as nfs4 and not just nfs. Then your ACL will work.
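
An added example, not part of any post in this thread: a client-side check that combines the two suggestions above, namely that the share is mounted as nfs4 and that the directory is group-owned with nothing granted to other. The sample mount table and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS='server:/export/invoices /media/invoices nfs4 rw,vers=4.0,sec=sys 0 0
server:/export/scratch /media/scratch nfs rw,vers=3,sec=sys 0 0'

# Print the filesystem type of mount point $1, reading /proc/mounts-format
# text on stdin. The last matching line wins (the mount currently on top).
mount_fstype() {
    awk -v mp="$1" '$2 == mp { t = $3 } END { if (t == "") exit 1; print t }'
}

# Succeed only if the "other" permission digit of $1 is 0 (no r, w or x).
other_locked_out() {
    mode=$(stat -c '%a' "$1") || return 2
    case $mode in *0) return 0 ;; *) return 1 ;; esac
}

# audit_mount DIR GROUP [MOUNTS_FILE]
# Prints one line per check and returns the number of failed checks.
audit_mount() {
    dir=$1; want_group=$2; mounts=${3:-/proc/mounts}; fails=0

    fstype=$(mount_fstype "$dir" < "$mounts") || fstype="not mounted"
    if [ "$fstype" = nfs4 ]; then
        echo "OK   $dir is mounted as nfs4"
    else
        echo "FAIL $dir is '$fstype', expected nfs4"
        fails=$((fails + 1))
    fi

    have_group=$(stat -c '%G' "$dir")
    if [ "$have_group" = "$want_group" ]; then
        echo "OK   $dir is group-owned by $want_group"
    else
        echo "FAIL $dir is group-owned by $have_group, expected $want_group"
        fails=$((fails + 1))
    fi

    if other_locked_out "$dir"; then
        echo "OK   $dir grants nothing to other"
    else
        echo "FAIL $dir still grants access to other"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Demo on the constructed sample: the second share is a plain nfs mount.
printf '%s\n' "$SAMPLE_MOUNTS" | mount_fstype /media/scratch
# On a real client: audit_mount /media/invoices invoices
```
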

dragos2
April 14th, 2010, 07:40 AM
> Make sure your server is running NFSv4 and your client is mounting it as nfs4 and not just nfs. Then your ACL will work.

Thanks for this. I will dig into it.

What about using netgroups?

Here https://help.ubuntu.com/community/SettingUpNFSHowTo says:


> Note: This only works if using NIS. Otherwise, you can't use netgroups, and should specify individual IP's or hostnames in /etc/exports. Read the BUGS section in man netgroup.
> Edit /etc/netgroup and add a line to classify your clients. (This step is not necessary, but is for convenience).
>
> myclients (client1,,) (client2,,)
>
> Obviously, more clients can be added. myclients can be anything you like; this is a netgroup name.


So I can restrict users on the server side with NIS?