Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!newstop!sun!exodus!terra.Eng.Sun.COM!brent
From: brent@terra.Eng.Sun.COM (Brent Callaghan)
Newsgroups: comp.protocols.nfs
Subject: Re: group permissions when root
Message-ID: <15008@exodus.Eng.Sun.COM>
Date: 12 Jun 91 20:36:35 GMT
References: <50868@olivea.atc.olivetti.com>
Sender: news@exodus.Eng.Sun.COM
Lines: 35

In article <50868@olivea.atc.olivetti.com>, jerry@olivey.ATC.Olivetti.Com (Jerry Aguirre) writes:
> If a file system is exported without root permissions then NFS requests
> from user "root" (0) get translated into "nobody" (-2). So, NFS access
> loses not only the root privilege of writing any file but also the
> ability to write to files owned by root on the server. This much is
> documented behavior.
>
> But, if the permissions of root, translated into nobody, fail should not
> the group permissions take effect? For example if I am running as root
> with group permissions of wheel or staff should I not be able to create
> a file in a directory that has group write for that group? In fact
> every test that I have run indicates that group permissions are ignored
> and only "other" permissions are allowed.

The server maps the credentials of uid 0 (root) to the credentials
of uid -2 (nobody). Since the gid is part of the credentials - you
are also picking up the gid of nobody.

> While it seems reasonable to block root from special privileges across
> NFS it does not seem reasonable that root should have less privilege
> than a normal user. There is no security benefit derived from this
> behavior. The remote root user could su to any uid or guid they chose
> and get the owner or group access desired.

I agree that Unix credentials are easy to spoof if you're root
on the client, though I don't agree that there's no security
benefit in doing the mapping. It's pretty effective at limiting
access to files with permissions restricted to root.

--
Made in New Zealand --> Brent Callaghan @ Sun Microsystems
                        Email: brent@Eng.Sun.COM
                        phone: (415) 336 1051
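
Added example, not part of the original post and not Sun's NFS server code: a small C model of the mapping described above, showing why a squashed root request is judged only against the "other" bits. The struct and function names, nobody's gid of -2, the cleared supplementary group list and the sample directory are assumptions made for illustration.

```c
#include <stdio.h>

#define NOBODY_UID (-2)   /* from the thread: root is mapped to uid -2 */
#define NOBODY_GID (-2)   /* assumption: the thread gives no number for nobody's gid */
#define MAXGROUPS 8

struct cred  { int uid, gid, ngroups; int groups[MAXGROUPS]; };
struct inode { int uid, gid; unsigned mode; };   /* mode: low 9 permission bits */

/* Server-side mapping on an export without root access: the whole credential
 * of uid 0 is replaced, so the caller's gid goes with it. */
struct cred squash_root(struct cred c)
{
    if (c.uid == 0) {
        c.uid = NOBODY_UID;
        c.gid = NOBODY_GID;
        c.ngroups = 0;    /* assumption: supplementary groups are dropped too */
    }
    return c;
}

static int in_group(const struct cred *c, int gid)
{
    if (c->gid == gid) return 1;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return 1;
    return 0;
}

/* Classic Unix check: exactly one of the owner/group/other triplets applies.
 * want is a mask of 4 (read), 2 (write), 1 (execute). No superuser bypass is
 * modelled, because a squashed request never arrives with uid 0. */
int access_ok(const struct cred *c, const struct inode *ip, unsigned want)
{
    unsigned bits;
    if (c->uid == ip->uid)          bits = ip->mode >> 6;
    else if (in_group(c, ip->gid))  bits = ip->mode >> 3;
    else                            bits = ip->mode;
    return ((bits & 7) & want) == want;
}

int main(void)
{
    struct inode dir  = { 0, 10, 0775 };       /* constructed: root:staff(10), rwxrwxr-x */
    struct cred  root = { 0, 10, 1, { 0 } };   /* constructed: client root, gid staff */
    struct cred  user = { 1001, 10, 0, { 0 } };/* constructed: ordinary user in staff */
    struct cred  mapped = squash_root(root);
    printf("user in staff, write: %d\n", access_ok(&user, &dir, 2));
    printf("squashed root, write: %d\n", access_ok(&mapped, &dir, 2));
    return 0;
}
```
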