On 10/12/2020 09:10, Mark Fletcher wrote:
> On Wed, Dec 09, 2020 at 03:54:10PM -0500, Dan Ritter wrote:
>> Paul M Foster wrote:
>>> I have two users on the client: paulf 1000 and nancyf 1001. On the
>>> server, I have two users: pi 1000 and paulf 1001. I can mount the NFS
>>> share from the server to /mnt on my client. But any files belonging to
>>> me (user 1001 on the server) look like they belong to nancy (user 1001
>>> on the client). More importantly, if I copy files to this share from the
>>> client, they will look like they belong to pi (user 1000) on the server.
>>>
>>> Is there some way in the /etc/exports file to adjust the parameters so
>>> that files retain my ownership on the server?
>> You're looking for userid mapping, handled by idmapd.
>>
>> Your best long-term solution is to make the userids consistent
>> across machines by making a decision about who will be 1000,
>> 1001 and 1002, and then changing /etc/passwd and running
>> suitable "chown -R" commands, probably followed by find
>> commands.
>>
>> Debian automatically starts user numbering at 1000, so it's a
>> good idea to have a consistent install username, if you can
>> arrange it.
>>
>
> This brings up an interesting thought. In the situation where you align
> user IDs across a number of machines for this purpose, you'll inevitably
> end up with situations where users are created on some of the machines
> only for the purpose of keeping the IDs in synch so they can all play
> nice with the NFS. Left alone, having unneeded users on a given machine
> could be a security threat, at least in the sense that it provides a
> greater than necessary attackable surface area. What can be done about
> that? Obviously one thing would be setting the shell to /dev/null in the
> password file of those machines that don't need a given user, to prevent
> interactive logins. What else could be done? Is there a way to put an
> account "beyond use", in any way including su, sudo etc, while still
> having the machine recognise the user for being a user and therefore not
> messing up the mapping of user IDs on shared resources like NFS? In
> other words, create the sense of "yes this user exists, but they are not
> welcome here"?
If you're getting to the stage of managing multiple users over multiple machines, then you probably want to look at a central identity management solution. That could be as simple as NIS, or OpenLDAP, or, if you want things a bit more "boxed up", FreeIPA. I have several computers (a mixture of physical and virtual) at home and just two humans, but FreeIPA allows us to define our users once (username/password/etc) and have that user able to log onto any FreeIPA-joined PC. Users can be added to groups, and they can even be granted permissions using the RBAC and HBAC capabilities of FreeIPA (Role- and Host-based Access Control).
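As an added example (not from any poster in this thread), two small POSIX shell audits for the two problems raised above: detecting the UID mismatch Paul describes between a client's and a server's /etc/passwd, and checking that accounts kept only for UID alignment are locked both ways (nologin shell and a locked shadow hash). All passwd and shadow lines are constructed sample data, and the hashes are fake.

```shell
#!/bin/sh
# Added example, not from the thread. Every passwd/shadow line below is
# constructed sample data; the "$6$FAKESALT$FAKEHASH" hashes are placeholders.

# Report inconsistencies between passwd file A and passwd file B:
#   NAME_DRIFT <login> <uid-in-A> <uid-in-B>   same login, different UID
#   UID_CLASH  <uid> <login-in-A> <login-in-B> same UID, different login
uid_drift() {
    awk -F: '
        FNR == NR { uid_a[$1] = $3; name_a[$3] = $1; next }
        ($1 in uid_a) && uid_a[$1] != $3 { printf "NAME_DRIFT %s %s %s\n", $1, uid_a[$1], $3 }
        ($3 in name_a) && name_a[$3] != $1 { printf "UID_CLASH %s %s %s\n", $3, name_a[$3], $1 }
    ' "$1" "$2"
}

# Report UID>=1000 accounts (passwd A, shadow B) whose lock state is inconsistent:
# shell set to nologin/false but password hash not locked ("!" or "*" prefix),
# or the reverse. An alignment-only account must be locked on both counts.
half_locked() {
    awk -F: '
        FNR == NR { shell[$1] = $7; uid[$1] = $3; next }
        ($1 in uid) && uid[$1] + 0 >= 1000 {
            locked  = ($2 ~ /^[!*]/)
            nologin = (shell[$1] == "/usr/sbin/nologin" || shell[$1] == "/bin/false")
            if (locked != nologin)
                printf "HALF_LOCKED %s shell=%s password=%s\n", $1, shell[$1], (locked ? "locked" : "unlocked")
        }
    ' "$1" "$2"
}

# Write the constructed samples into directory $1: the thread's client
# (paulf=1000, nancyf=1001) and server (pi=1000, paulf=1001), plus a server
# where nancyf was added as 1002 only for NFS ownership, given a nologin shell
# but a password that was never locked.
write_samples() {
    printf 'root:x:0:0::/root:/bin/bash\npaulf:x:1000:1000::/home/paulf:/bin/bash\nnancyf:x:1001:1001::/home/nancyf:/bin/bash\n' > "$1/passwd.client"
    printf 'root:x:0:0::/root:/bin/bash\npi:x:1000:1000::/home/pi:/bin/bash\npaulf:x:1001:1001::/home/paulf:/bin/bash\n' > "$1/passwd.server"
    printf 'root:x:0:0::/root:/bin/bash\npi:x:1000:1000::/home/pi:/bin/bash\npaulf:x:1001:1001::/home/paulf:/bin/bash\nnancyf:x:1002:1002::/nonexistent:/usr/sbin/nologin\n' > "$1/passwd.aligned"
    printf 'root:*:18000:0:99999:7:::\npi:$6$FAKESALT$FAKEHASH:18000:0:99999:7:::\npaulf:$6$FAKESALT$FAKEHASH:18000:0:99999:7:::\nnancyf:$6$FAKESALT$FAKEHASH:18000:0:99999:7:::\n' > "$1/shadow.aligned"
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    echo "== UID drift, client vs server =="; uid_drift "$d/passwd.client" "$d/passwd.server"
    echo "== Half-locked accounts on aligned server =="; half_locked "$d/passwd.aligned" "$d/shadow.aligned"
    rm -rf "$d"
}
demo
```

On real hosts, run `uid_drift` against a copy of each machine's /etc/passwd and `half_locked` against /etc/passwd and /etc/shadow (the latter needs root to read).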