Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!think.com!rpi!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!crdgw1!uunet!olivea!jerry
From: jerry@olivey.ATC.Olivetti.Com (Jerry Aguirre)
Newsgroups: comp.protocols.nfs
Subject: group permissions when root
Summary: Group permissions are not checked if one is root
Message-ID: <50868@olivea.atc.olivetti.com>
Date: 12 Jun 91 01:12:32 GMT
Sender: news@olivea.atc.olivetti.com
Organization: Olivetti ATC; Cupertino, CA
Lines: 24

If a file system is exported without root permissions then NFS requests
from user "root" (0) get translated into "nobody" (-2). So, NFS access
loses not only the root privilege of writing any file but also the
ability to write to files owned by root on the server. This much is
documented behavior.

But, if the permissions of root, translated into nobody, fail, should not
the group permissions take effect? For example, if I am running as root
with group permissions of wheel or staff, should I not be able to create
a file in a directory that has group write for that group? In fact every
test that I have run indicates that group permissions are ignored and
only "other" permissions are allowed.

While it seems reasonable to block root from special privileges across
NFS it does not seem reasonable that root should have less privilege
than a normal user. There is no security benefit derived from this
behavior. The remote root user could su to any uid or guid they chose
and get the owner or group access desired.

I had attempted to set up a directory with shared access from several
different systems. Making the directory group write-able worked OK for
normal user access but failed for root access.

Jerry
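
An added example (not part of the original post, and not code from any
NFS server): a small Python model of the access check the post describes.
The two squash policies, gid 10 for "staff" and uid 501 for a normal user
are assumptions; the second policy reproduces the reported result that
only "other" bits apply to a squashed root.

```python
# Added illustration: a model of a server-side check, not real NFS code.
from dataclasses import dataclass

NOBODY = -2  # anonymous id named in the post

@dataclass(frozen=True)
class Cred:
    uid: int
    gids: frozenset  # primary and supplementary groups

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o775

def squash_uid_only(c):
    """Hypothetical policy: map uid 0 to nobody, keep the caller's groups."""
    return Cred(NOBODY, c.gids) if c.uid == 0 else c

def squash_whole_cred(c):
    """Hypothetical policy: replace root's entire credential with nobody's."""
    return Cred(NOBODY, frozenset({NOBODY})) if c.uid == 0 else c

def may_write(c, f):
    """Classic Unix check: exactly one of owner, group, other applies.
    No superuser bypass, since the export is without root permissions."""
    if c.uid == f.uid:
        return bool(f.mode & 0o200)
    if f.gid in c.gids:
        return bool(f.mode & 0o020)
    return bool(f.mode & 0o002)

def server_allows_write(c, f, squash):
    """Apply the export's squash policy, then the permission check."""
    return may_write(squash(c), f)

# Constructed sample data: a root-owned, group-writable shared directory.
STAFF = 10
shared_dir = Inode(uid=0, gid=STAFF, mode=0o775)
root = Cred(0, frozenset({0, STAFF}))
user = Cred(501, frozenset({STAFF}))

if __name__ == "__main__":
    for name, policy in (("uid only", squash_uid_only),
                         ("whole credential", squash_whole_cred)):
        print(name, "root:", server_allows_write(root, shared_dir, policy),
              "user:", server_allows_write(user, shared_dir, policy))
```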