* nfs v3: chown not permitted
@ 2004-03-22 14:39 foo
  2004-03-22 15:06 ` Olaf Kirch
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: foo @ 2004-03-22 14:39 UTC (permalink / raw)
  To: nfs


Hi.

I hope it's not a totally stupid question...

...but I tried... read man-pages, searched on google...

So here is the situation:

nfs-server: FILESERVER = 10.10.10.3 = linux debian stable + security + backports


root@FILESERVER:~# uname -a
Linux FILESERVER 2.6.4 #1 Mon Mar 22 13:35:27 CET 2004 i686 unknown


root@FILESERVER:~# dpkg -l|grep nfs
ii  nfs-common     1.0-2woody1    NFS support files common to client and serve
ii  nfs-kernel-ser 1.0-2woody1    Kernel NFS server support


root@FILESERVER:~# cat /usr/src/linux/.config|grep -i nfs
CONFIG_NFS_FS=m
CONFIG_NFS_V3=y
# CONFIG_NFS_V4 is not set
# CONFIG_NFS_DIRECTIO is not set
CONFIG_NFSD=m
CONFIG_NFSD_V3=y
# CONFIG_NFSD_V4 is not set
# CONFIG_NFSD_TCP is not set


root@FILESERVER:~# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status
    100024    1   tcp   1024  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   1026  nlockmgr
    100021    3   udp   1026  nlockmgr
    100021    4   udp   1026  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100005    2   udp   4002  mountd
    100005    2   tcp   4002  mountd
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd


root@FILESERVER:~# cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# rw = read AND write access (instead of ro)
# sync = new default (instead of async); without it exportfs always prints a warning
# root_squash = requests that arrive with uid 0 (root on the nfs client) are
#               handled as the anonymous user ('nobody') on the nfs SERVER;
#               all other uids are passed through unchanged
# nosuid / noexec are CLIENT mount options (they show up in the client's
#               mount -v output), not export options: nosuid makes set-uid and
#               set-gid bits ineffective on the mounted filesystem, noexec
#               disables execution of any file on it
/mnt/data 10.10.10.10(rw,sync,root_squash)



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



nfs-client: jolie = 10.10.10.10 = linux debian unstable installation


jolie:/mnt# uname -a
Linux jolie 2.6.3 #3 Thu Mar 4 01:18:21 CET 2004 i686 GNU/Linux


jolie:/mnt# dpkg -l|grep nfs
ii  nfs-common     1.0.6-1        NFS support files common to client and serve
ii  nfs-kernel-ser 1.0.6-1        Kernel NFS server support


jolie:/mnt# cat /usr/src/linux/.config|grep -i nfs
CONFIG_NFS_FS=m
CONFIG_NFS_V3=y
# CONFIG_NFS_V4 is not set
# CONFIG_NFS_DIRECTIO is not set
CONFIG_NFSD=m
CONFIG_NFSD_V3=y
# CONFIG_NFSD_V4 is not set
# CONFIG_NFSD_TCP is not set


jolie:/mnt# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32770  nlockmgr
    100021    3   udp  32770  nlockmgr
    100021    4   udp  32770  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100005    2   udp   4002  mountd
    100005    2   tcp   4002  mountd
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd
    100024    1   udp    877  status
    100024    1   tcp    880  status


jolie:/mnt# cat /etc/fstab |grep nfs
10.10.10.3:/mnt/data   /mnt/lauschers-data nfs defaults,noauto,user,rsize=8192,wsize=8192        0  0


me@jolie:/mnt$ ls -l -d /mnt/lauschers-data/
drwxr-x---   18 me       mine         4096 Mar 22 12:26 /mnt/lauschers-data/


me@jolie:/mnt$ mount -v /mnt/lauschers-data/
10.10.10.3:/mnt/data on /mnt/lauschers-data type nfs (rw,noexec,nosuid,nodev,rsize=8192,wsize=8192,addr=10.10.10.3,user=me)
me@jolie:/mnt$


me@jolie:/mnt$ ls -l -d /mnt/lauschers-data/
drwxr-x---   18 me       mine         4096 Mar 22 12:26 /mnt/lauschers-data/


me@jolie:/mnt$ ls -l /mnt/lauschers-data/|grep uni
drwxr-xr-x    9 me       mine         4096 Dec 24 00:54 uni


me@jolie:/mnt$ groups
mine root adm disk lp dialout cdrom floppy audio www-data src video prg data mp3 maildata newmp3 wg users lpadmin


me@jolie:/mnt$ chown me:users /mnt/lauschers-data/uni/
chown: changing ownership of `/mnt/lauschers-data/uni/': Operation not permitted


And last but not least I also checked:

jolie:/etc# diff /etc/group /etc/group.FILESERVER
jolie:/etc#
jolie:/etc# diff /etc/passwd /etc/passwd.FILESERVER
jolie:/etc#


WHY???????

--> Or is it that a normal user is not allowed in general to chown over nfs???

--> Or would nfs4 be a solution???

Any help is very appreciated!

By the way: In which state is nfs v4? - It's already more or less usable? <<< because from time to time I am looking at www.nfsv4.org, but there is sadly nothing written about the state of development of nfsv4...


Greetings

Knuth Posern.


P.S.: I hope I didn't forget any information... ;-)



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs


* Re: nfs v3: chown not permitted
  2004-03-22 14:39 nfs v3: chown not permitted foo
@ 2004-03-22 15:06 ` Olaf Kirch
  2004-03-23  9:18   ` Frank van Maarseveen
  2004-03-22 15:47 ` Small patch to nfs.5 manpage Olaf Kirch
  2004-03-22 16:23 ` nfs v3: chown not permitted J. Bruce Fields
  2 siblings, 1 reply; 5+ messages in thread
From: Olaf Kirch @ 2004-03-22 15:06 UTC (permalink / raw)
  To: foo; +Cc: nfs

On Mon, Mar 22, 2004 at 03:39:22PM +0100, foo@posern.org wrote:
> me@jolie:/mnt$ groups
> mine root adm disk lp dialout cdrom floppy audio www-data src video
> prg data mp3 maildata newmp3 wg users lpadmin

You have too many groups. SunRPC AUTH_UNIX authentication will transport
up to 16 groups, and "users" is item #19 in your list. "chgrp mp3"
would probably work, but users doesn't because the NFS server doesn't
see it in your list of groups.

Olaf
-- 
Olaf Kirch     |  Stop wasting entropy - start using predictable
okir@suse.de   |  tempfile names today!
---------------+ 



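What Olaf describes can be made concrete by putting an AUTH_UNIX (AUTH_SYS) credential on the wire and running the server's chgrp check against what actually arrives. The example below is written for this thread; it is not code from the Linux NFS client, nfsd, or util-linux. The group names are the ones from the original `groups` output, but every numeric id, the RPC stamp, the host name and the anonymous ids used by root_squash are constructed for the example.

```python
import struct
from collections import namedtuple

AUTH_UNIX = 1            # opaque_auth flavor number (RFC 5531, authsys_parms)
NFS_NGROUPS = 16         # authsys_parms is declared as gids<16>
MAX_AUTH_BYTES = 400     # opaque_auth body is opaque<400>
ANON_UID = ANON_GID = 65534   # ids root_squash maps to (assumed: nobody/nogroup)

# Group list from `groups` in the original post, primary group first. Linux
# keeps the primary group in the supplementary vector as well, so all 20
# entries reach the RPC layer. The ids are made up (root keeps gid 0).
GROUP_NAMES = ("mine root adm disk lp dialout cdrom floppy audio www-data src "
               "video prg data mp3 maildata newmp3 wg users lpadmin").split()
GROUP_IDS = {n: (0 if n == "root" else 1000 + i) for i, n in enumerate(GROUP_NAMES)}

AuthSysCred = namedtuple("AuthSysCred", "stamp machinename uid gid gids")


def xdr_uint(n):
    return struct.pack(">I", n)


def xdr_opaque(data):
    """Variable-length opaque/string: 4-byte length, bytes, zero pad to 4."""
    return xdr_uint(len(data)) + data + b"\0" * (-len(data) % 4)


def encode_cred(cred):
    """Client side: opaque_auth{AUTH_UNIX, authsys_parms}. Groups beyond
    NFS_NGROUPS are dropped without any error, which is what the client does."""
    gids = list(cred.gids)[:NFS_NGROUPS]
    body = (xdr_uint(cred.stamp) + xdr_opaque(cred.machinename.encode())
            + xdr_uint(cred.uid) + xdr_uint(cred.gid)
            + xdr_uint(len(gids)) + b"".join(xdr_uint(g) for g in gids))
    if len(body) > MAX_AUTH_BYTES:
        raise ValueError("authsys_parms larger than opaque<400>")
    return xdr_uint(AUTH_UNIX) + xdr_opaque(body)


def decode_cred(wire):
    """Server side: parse the credential as received. Nothing in it is
    authenticated; AUTH_SYS means trusting whatever ids the client asserts."""
    pos = 0

    def take_uint():
        nonlocal pos
        (v,) = struct.unpack_from(">I", wire, pos)
        pos += 4
        return v

    def take_opaque():
        nonlocal pos
        n = take_uint()
        data = wire[pos:pos + n]
        pos += n + (-n % 4)
        return data

    if take_uint() != AUTH_UNIX:
        raise ValueError("not an AUTH_UNIX credential")
    if take_uint() > MAX_AUTH_BYTES:
        raise ValueError("credential body too long")
    stamp = take_uint()
    machine = take_opaque().decode()
    uid, gid = take_uint(), take_uint()
    ngids = take_uint()
    if ngids > NFS_NGROUPS:
        raise ValueError("more than 16 gids is not valid AUTH_SYS")
    return AuthSysCred(stamp, machine, uid, gid, [take_uint() for _ in range(ngids)])


def squash(cred, root_squash=True):
    """Export option root_squash as nfsd applies it: uid 0, gid 0 and any gid 0
    in the group vector become the anonymous ids; every other id is unchanged."""
    if not root_squash:
        return cred
    return AuthSysCred(cred.stamp, cred.machinename,
                       ANON_UID if cred.uid == 0 else cred.uid,
                       ANON_GID if cred.gid == 0 else cred.gid,
                       [ANON_GID if g == 0 else g for g in cred.gids])


def may_chgrp(cred, new_gid):
    """chown(file, -1, new_gid) by the file's owner: root (if not squashed) may
    do anything, anyone else only to a group in the *transmitted* credential."""
    return cred.uid == 0 or new_gid == cred.gid or new_gid in cred.gids


def demo(root_squash=True):
    user = AuthSysCred(0x40600000, "jolie", 1000, GROUP_IDS["mine"],
                       [GROUP_IDS[n] for n in GROUP_NAMES])
    raw = decode_cred(encode_cred(user))               # what the server sees
    root = AuthSysCred(0x40600000, "jolie", 0, 0, [0])
    seen = squash(raw, root_squash)
    seen_root = squash(decode_cred(encode_cred(root)), root_squash)
    return {
        "groups_sent": len(raw.gids),
        "dropped": [n for n in GROUP_NAMES if GROUP_IDS[n] not in raw.gids],
        "chgrp mp3": may_chgrp(seen, GROUP_IDS["mp3"]),      # group #15: fits
        "chgrp users": may_chgrp(seen, GROUP_IDS["users"]),  # group #19: lost
        "root chgrp users": may_chgrp(seen_root, GROUP_IDS["users"]),
    }
```

`demo()` returns 16 groups sent, `newmp3 wg users lpadmin` dropped, `chgrp mp3` allowed and `chgrp users` refused, exactly the split Olaf predicts; with root_squash in effect even uid 0 from the client cannot do the chgrp. The decode side is the point for a security reader: the server gets nothing but a list of integers the client chose to send, so AUTH_SYS authorisation is only as trustworthy as the client host, and the 16-entry cap is a property of the wire format, not of any particular server.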

* Small patch to nfs.5 manpage
  2004-03-22 14:39 nfs v3: chown not permitted foo
  2004-03-22 15:06 ` Olaf Kirch
@ 2004-03-22 15:47 ` Olaf Kirch
  2004-03-22 16:23 ` nfs v3: chown not permitted J. Bruce Fields
  2 siblings, 0 replies; 5+ messages in thread
From: Olaf Kirch @ 2004-03-22 15:47 UTC (permalink / raw)
  To: util-linux; +Cc: nfs


Hi Andries,

As the limitation on the number of auxiliary groups obviously
baffles people again and again, I thought it might be useful
to document this limitation in nfs(5).

Please find attached a small patch to nfs.5 that adds a small
section on NFS authentication. It also updates the manpage
slightly: cto and tcp are implemented now, and broken_suid
was missing.

Cheers,
Olaf
-- 
Olaf Kirch     |  Stop wasting entropy - start using predictable
okir@suse.de   |  tempfile names today!
---------------+ 

[-- Attachment #2: nfs-auth-doc.patch --]

--- util-linux-2.12/mount/nfs.5.okir	2004-03-22 16:26:31.000000000 +0100
+++ util-linux-2.12/mount/nfs.5	2004-03-22 16:43:38.000000000 +0100
@@ -213,10 +213,45 @@
 NFS version 3. (On NFS version 2 filesystems this option has no effect.)
 This option also deactivates the GETACL and SETACL remote procedure calls
 which are otherwise used to manipulate ACLs.
+.TP 1.5i
+.I broken_suid
+This option tries to help applications that are a little careless
+in dealing with effective vs real user and group ID. See below in
+section
+.IR "NFS Authentication" .
 .P
 All of the non-value options have corresponding nooption forms.
 For example, nointr means don't allow file operations to be
 interrupted.
+.SS NFS Authentication
+NFS currently supports only the AUTH_SYS RPC authentication flavor,
+which basically transmits the user's user and group ID to the server,
+along with the list of supplementary groups. However, this doesn't
+transport the full set of user credentials to the server, so that some
+operations may fail with a permission error, which would have succeeded
+on a local file system.
+.P
+One limitation of AUTH_SYS authentication is that not the full set of
+user and group ids are transmitted. By default, only the fsuid and fsgid
+and the auxiliary group vector are transmitted. (fsuid and fsgid mostly
+reflect the effective uid and gid, but can differ in special cases,
+see
+.BR setfsuid (2)
+for details).
+.P
+If this behavior causes certain applications to break, it may help to
+enable the
+.B broken_suid
+mount option. This tells the NFS client to retry an operation with
+the real uid and gid if it fails using the fsuid and fsgid.
+.P
+Another common problem occurs when users have a large number of
+auxiliary groups. The AUTH_SYS flavor limits the number of auxiliary
+groups that can be transmitted to 16. Additional groups are simply
+ignored, and may cause operations to fail which would otherwise be
+allowed based on the user's group membership.
+The only fix for this problem is to limit the number of groups the user
+is part of.
 .SH FILES
 .I /etc/fstab
 .SH "SEE ALSO"
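Review bot: "The only fix for this problem is to limit the number of groups the user is part of" at the end of the new NFS Authentication section is stated too strongly; the follow-up in this very thread points at an out-of-tree client patch that lifts the 16-group limit, so "The usual fix" or "Short of patching the client, the only fix" would be accurate. The section also introduces AUTH_SYS without saying what it means for security: the server takes the uid, gid and group list exactly as the client asserts them, with no proof of identity, which is the reason export options such as root_squash exist; one sentence to that effect belongs right after "transmits the user's user and group ID to the server". Minor: "not the full set of user and group ids are transmitted" should read "the full set of user and group IDs is not transmitted".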
@@ -224,11 +259,7 @@
 .SH AUTHOR
 "Rick Sladkey" <jrs@world.std.com>
 .SH BUGS
-The posix, and nocto options are parsed by mount
-but currently are silently ignored.
-.P
-The tcp and namlen options are implemented but are not currently
-supported by the Linux kernel.
+The posix option is parsed by mount but is currently ignored by the kernel.
 .P
 The umount command should notify the server
 when an NFS filesystem is unmounted.
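Review bot: the BUGS rewrite deletes the namlen caveat together with the tcp one, but the cover letter only says that cto and tcp are implemented now; either namlen is supported as well, in which case the cover letter should say so, or the namlen half of "The tcp and namlen options are implemented but are not currently supported by the Linux kernel" should survive as its own sentence. Dropping "nocto" from the ignored-options sentence is consistent with the cover letter, and the replacement "The posix option is parsed by mount but is currently ignored by the kernel" reads fine.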


* Re: nfs v3: chown not permitted
  2004-03-22 14:39 nfs v3: chown not permitted foo
  2004-03-22 15:06 ` Olaf Kirch
  2004-03-22 15:47 ` Small patch to nfs.5 manpage Olaf Kirch
@ 2004-03-22 16:23 ` J. Bruce Fields
  2 siblings, 0 replies; 5+ messages in thread
From: J. Bruce Fields @ 2004-03-22 16:23 UTC (permalink / raw)
  To: foo; +Cc: nfs

On Mon, Mar 22, 2004 at 03:39:22PM +0100, foo@posern.org wrote:
> By the way: In which state is nfs v4? - It's already more or less
> usable? <<< because from time to time I am looking at www.nfsv4.org,
> but there is sadly nothing written about the state of development of
> nfsv4...

That website is for everyone involved in nfsv4, not just the linux
implementors.  For linux, you want:

http://www.citi.umich.edu/projects/nfsv4/linux/

Bug reports welcomed, to nfsv4-wg@citi.umich.edu.

Still marked experimental, but should do everything v3 does with a few
exceptions (e.g., reboot recovery, at least on the server side, is still
work in progress).

--Bruce Fields




* Re: nfs v3: chown not permitted
  2004-03-22 15:06 ` Olaf Kirch
@ 2004-03-23  9:18   ` Frank van Maarseveen
  0 siblings, 0 replies; 5+ messages in thread
From: Frank van Maarseveen @ 2004-03-23  9:18 UTC (permalink / raw)
  To: nfs

On Mon, Mar 22, 2004 at 04:06:43PM +0100, Olaf Kirch wrote:
> On Mon, Mar 22, 2004 at 03:39:22PM +0100, foo@posern.org wrote:
> > me@jolie:/mnt$ groups
> > mine root adm disk lp dialout cdrom floppy audio www-data src video
> > prg data mp3 maildata newmp3 wg users lpadmin
> 
> You have too many groups. SunRPC AUTH_UNIX authentication will transport
> up to 16 groups, and "users" is item #19 in your list. "chgrp mp3"
> would probably work, but users doesn't because the NFS server doesn't
> see it in your list of groups.

The Linux 2.4 NFS client patch to bypass this limitation can be found here:

	http://frankvm.xs4all.nl/nfs-ngroups/

-- 
Frank


