[NFS-Ganesha-Support] Re: Restricting root's FS access
On Tue, Sep 6, 2022 at 8:51 AM Daniel Gryniewicz <dang(a)redhat.com> wrote:
Why should root have less access than any other user?
Daniel
On 9/5/22 05:36, Matthew Richardson wrote:
> Hi,
>
> I'm currently working to set up ganesha with kerberos. Everything seems to work
as expected, except that I can't find a way to limit the access that root on the
client has to the mounted filesystem.
>
> At the moment I'm squashing root to 'nobody' - however that obviously
still allows access to world-readable files/dirs. Is there a way to block all FS access
from root/nobody, or always require a valid kerberos ticket?
>
If you want to restrict root's access to a file system, and root is
squashed/mapped to "nobody", you need to restrict "nobody's"
access to
the filesystem. This is just the way it works. Essentially, if you
have the "other" permissions (or ACLs) on a file set to allow access,
then anyone can get access - this is how POSIX permissions work. If
you don't want everyone - including a remote "root" user - to have
access, restrict the permissions accordingly.
-Nick