Linux – NFS. Non-root mount requests

linuxmountnfs

I'm trying to make my NFS server allow non-root mount requests.

Server: Debian Squeeze, kernel 2.6.32-5-686

What I have now: root (or sudoes) can mount NFS file systems, but regular users can't.

Why I think that it's possible at all:

  1. FreeBSD documentation: http://www.unix.com/man-page/FreeBSD/8/mountd/ option -n
  2. Questions on Linux oriented forums, like this: http://www.linuxquestions.org/questions/linux-software-2/non-root-account-unable-to-mount-a-nfs-connection-926985/

I. Debian server (10.18.51.1)

Installed packages: nfs-kernel-server, nfs-common, portmap

1) /etc/exports:

/usr/appl/ 10.18.51.0/24(ro,no_subtree_check)
/usr/private/ 10.18.51.11(rw,sync,no_subtree_check)

2) /var/lib/nfs/etab

/usr/private 10.18.51.11(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534)
/usr/appl 10.18.51.0/24(ro,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,anonuid=65534,anongid=65534)

3) Permissions to exported folders:

$ ls -lh -d /usr/appl
drwxr-xr-x 3 root root 4.0K Feb 25 17:16 /usr/appl
$ ls -lh -d /usr/private
drwxrwxrwx 4 root root 4.0K Feb 27 12:19 /usr/private

II. Ubuntu client (10.18.51.11)

Installed packages: nfs-common portmap

$ mount 10.18.51.1:/usr/appl /mnt/nfs/appl
mount: only root can do that

In spite of there're user tag in /etc/fstab:

10.18.51.1:/usr/appl    /mnt/nfs/appl      nfs   ro,async,nodev,nosuid,user  0   0
10.18.51.1:/usr/private /mnt/nfs/private   nfs rw,rsize=8192,hard,intr,nfsvers=3,tcp,noatime,nodev,async,user 0  0

III. FreeBSD client (10.18.51.3)

1)

$ cat /etc/rc.conf
...
nfs_client_enable="YES"

2)

$ mount 10.18.51.1:/usr/appl /mnt/nfs/appl
[tcp] 10.18.51.1:/usr/appl: Permission denied
[tcp] 10.18.51.1:/usr/appl: Permission denied
[tcp] 10.18.51.1:/usr/appl: Permission denied
...

Interesting that just after press Enter it prints Permission denied, then waits some time, then trys to connect to 10.18.51.1, then prints Permission denied again. I know about connection to server 'cause I used tcpdump (tcpdump host 10.18.51.3) on the server:

$ sudo tcpdump host 10.18.51.3
[sudo] password for sukharevd: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:32:28.029560 ARP, Request who-has msiuioo.local tell 10.18.51.3, length 28
23:32:28.029598 ARP, Request who-has msiuioo.local tell 10.18.51.3, length 28
23:32:28.029661 ARP, Reply msiuioo.local is-at 00:21:85:51:44:02 (oui Unknown), length 28
23:32:28.031075 IP 10.18.51.3.35034 > msiuioo.local.sunrpc: UDP, length 56
23:32:28.031401 IP msiuioo.local.sunrpc > 10.18.51.3.35034: UDP, length 28
23:32:28.033275 IP 10.18.51.3.17157 > msiuioo.local.<b>nfs</b>: Flags [S], seq 4085518488, win     65535, options [mss 1460,nop,wscale 3,sackOK,TS val 405930 ecr 0], length 0
23:32:28.033326 IP msiuioo.local.nfs > 10.18.51.3.17157: Flags [S.], seq 1703965537, ack 4085518489, win 5792, options [mss 1460,sackOK,TS val 2186703 ecr 405930,nop,wscale 6], length 0
23:32:28.034717 IP 10.18.51.3.17157 > msiuioo.local.nfs: Flags [.], ack 1, win 8326, options [nop,nop,TS val 405930 ecr 2186703], length 0
23:32:28.034912 IP 10.18.51.3.4026012106 > msiuioo.local.<b>nfs</b>: 40 null
23:32:28.034978 IP msiuioo.local.nfs > 10.18.51.3.17157: Flags [.], ack 45, win 91, options [nop,nop,TS val 2186704 ecr 405930], length 0
23:32:28.035063 IP msiuioo.local.nfs > 10.18.51.3.4026012106: reply ok 24 null
23:32:28.036892 IP 10.18.51.3.17157 > msiuioo.local.nfs: Flags [F.], seq 45, ack 29, win 8326, options [nop,nop,TS val 405930 ecr 2186704], length 0
23:32:28.036986 IP msiuioo.local.nfs > 10.18.51.3.17157: Flags [F.], seq 29, ack 46, win 91, options [nop,nop,TS val 2186704 ecr 405930], length 0
23:32:28.039021 IP 10.18.51.3.17157 > msiuioo.local.nfs: Flags [.], ack 30, win 8325, options [nop,nop,TS val 405930 ecr 2186704], length 0
23:32:28.039124 IP 10.18.51.3.40381 > msiuioo.local.sunrpc: UDP, length 56
23:32:28.039426 IP msiuioo.local.sunrpc > 10.18.51.3.40381: UDP, length 28

Any suggestions?

UPD: Solved half of a problem. I should have used

mount /mnt/nfs/appl

instead of

mount 10.18.51.1:/usr/appl /mnt/nfs/appl

on Linux (Ubuntu) client.

But still have problem with mounting in FreeBSD.

Best Answer

The most likely reason you are having problems with non-root mounts is the "secure" export option, which is on by default. It disallows mount requests that come in with a source port greater than 1024. On most systems, binding to a port less than 1024 requires root access, so this is a fairly decent way of ensuring the mount was made by root.

The issue, as explained in the README for my NfSpy penetration testing tool, is that the NFS protocol (versions 2, 3, and even 4, without proper configuration) completely trusts the user ID sent in requests from client machines. By limiting requests to only those made by root, you limit your trust to only users on the client machine who have root access. Without this setting (using "insecure" in your exports file), any user can claim to have any UID and access any file on the export.

The reason it is working on Linux is probably because /bin/mount is setuid root:

~$ ls -l /bin/mount
-rwsr-xr-x 1 root root 72188 2011-01-20 13:54 /bin/mount

Just a hunch, but check the permissions on the mount binary on your FreeBSD system. If it is setuid, then you still have a problem, and I don't know what it is. If not, then that would explain what's going on.

Good luck with this, but please consider the security implications of allowing any user on a system to access any file on your server. I recommend using NFS4 with GSS authentication mechanisms instead of the traditional AUTH_SYS flavor.

Related Topic