On 04/20/10 11:34 AM, lattera wrote:
> Ah. That makes perfect sense. What I did, then, was give the user
> "nobody" read access to /tank/shares/shawn. I could then mount that
> share on the client. On the client, I created a test file and that
> file ended up being owned by "shawn". This allows the user nobody to
> get a directory listing on the share, but that's fine. It locks out my
> other users from seeing my files. No one should be logging in as nobody.
> Thanks for all your help. I really wish this was a bit more well-known
> and well-documented.
> Here's what I did:
> r...@sully:~# chmod A+user:nobody:read_set:allow /tank/shares/shawn
I'm still not sure you have what you want here.
This effectively states that if I set my NFSv4 domain to be something
other than what is on the server, then every user from that client will
have read access to the directory.
Also, every "root" account and/or account which is not in the server's
/etc/passwd will have read access to this directory.
What might work here is to share tank/shares with an ACL that
allows "nobody" to access it. Or no ACL at all.
That will allow you access and also keep people out of your directory.
[r...@pnfs-4-03 /]> ls -vd sign
drwxrwxrwx 3 th199096 staff 3 Apr 12 13:15 sign
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@::deny
3:group@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute:allow
4:everyone@:write_xattr/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
[r...@pnfs-4-03 /]> ls -vd sign/notme/
d---------+ 2 th199096 root 3 Apr 20 10:41 sign/notme/
0:user:th199096:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
[r...@pnfs-4-03 /]> share
-...@alpo /alpo anon=0,sec=sys,rw ""
-...@alpo /alpo/fs1 anon=0,sec=sys,rw ""
-...@alpo /alpo/fs2 anon=0,sec=sys,rw ""
-...@alpo /alpo/fs3 anon=0,sec=sys,rw ""
-...@alpo /alpo/fs4 anon=0,sec=sys,rw ""
-...@sign /sign anon=0,sec=sys,rw ""
-...@sign/notme /sign/notme rw ""
[th199...@pnfs-4-04 ~]> cd /net/pnfs-4-03
[th199...@pnfs-4-04 pnfs-4-03]> ls -la
total 4
dr-xr-xr-x 3 root root 3 Apr 20 10:41 .
dr-xr-xr-x 2 root root 2 Apr 19 14:13 ..
dr-xr-xr-x 1 root root 1 Apr 20 10:41 alpo
dr-xr-xr-x 1 root root 1 Apr 20 10:41 sign
[th199...@pnfs-4-04 pnfs-4-03]> cd sign/
[th199...@pnfs-4-04 sign]> ls -la
total 7
drwxrwxrwx 3 th199096 staff 3 Apr 12 13:15 .
dr-xr-xr-x 3 root root 3 Apr 20 10:41 ..
d---------+ 2 th199096 root 2 Apr 12 13:15 notme
[th199...@pnfs-4-04 sign]> cd notme/
[th199...@pnfs-4-04 notme]> ls -la
total 6
d---------+ 2 th199096 root 2 Apr 12 13:15 .
drwxrwxrwx 3 th199096 staff 3 Apr 12 13:15 ..
[th199...@pnfs-4-04 notme]> touch foo
[th199...@pnfs-4-04 notme]> ls -la foo
-rw-r--r--+ 1 th199096 staff 0 Apr 20 10:41 foo
[th199...@pnfs-4-04 notme]> nfsstat -m `pwd`
/net/pnfs-4-03/sign/notme from pnfs-4-03:/sign/notme
Flags:
vers=4,proto=tcp,sec=sys,hard,intr,link,symlink,acl,mirrormount,rsize=1048576,wsize=1048576,retrans=5,timeo=600
Attr cache: acregmin=3,acregmax=60,acdirmin=30,acdirmax=60
Try this type of hierarchy and see if it is safer.
_______________________________________________
nfs-discuss mailing list
[email protected]
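An added example, not code from the thread or from the NFS/ZFS implementation: a small Python model of the two steps the reply is pointing at. First the server maps the client's NFSv4 principal to a local account, falling back to "nobody" when the client's NFSv4 domain differs from the server's, when the name is not in the server's passwd, or when a sec=sys client sends root. Then the directory's ACL is walked in order. It contrasts the quoted poster's directory (an extra user:nobody:read_set:allow entry) with the hierarchy the reply shows (open parent, child that names only the real user). The domain, the users, the groups and the ACLs are constructed for the illustration, and the evaluation is simplified (primary group only, no inheritance), so treat it as a model of the point being made rather than the server's own algorithm.

```python
"""Added example (not from the original thread): model of NFSv4 principal
mapping followed by NFSv4 ACL evaluation, to show why a user:nobody ACE is
reachable by every unmapped client user while a user:<real user> ACE is not.
All names, domains, groups and ACLs are constructed for this illustration."""
from dataclasses import dataclass

SERVER_DOMAIN = "example.com"                                   # assumed
SERVER_PASSWD = {"shawn", "th199096", "bob", "root", "nobody"}  # assumed
SERVER_GROUPS = {"staff": {"shawn", "th199096", "bob"}}         # assumed
NOBODY = "nobody"

# Permission aliases as chmod(1) on Solaris spells them.
READ_SET = frozenset({"read_data", "read_xattr", "read_attributes", "read_acl"})
WRITE_SET = frozenset({"write_data", "append_data", "write_xattr", "write_attributes"})
FULL_SET = READ_SET | WRITE_SET | {"execute", "delete", "delete_child",
                                   "write_acl", "write_owner", "synchronize"}


def map_principal(principal: str, squash_root: bool = True) -> str:
    """Resolve 'user@domain' to a local account the way idmap does for a
    sec=sys share: wrong domain or unknown name -> nobody; root -> nobody
    unless the share grants root access (squash_root=False)."""
    user, _, domain = principal.partition("@")
    if domain != SERVER_DOMAIN or user not in SERVER_PASSWD:
        return NOBODY
    if user == "root" and squash_root:
        return NOBODY
    return user


@dataclass(frozen=True)
class Ace:
    who: str            # "owner@", "group@", "everyone@" or "user:<name>"
    perms: frozenset
    kind: str           # "allow" or "deny"


def ace_matches(ace: Ace, user: str, owner: str, group: str) -> bool:
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return user == owner
    if ace.who == "group@":
        return user in SERVER_GROUPS.get(group, set())
    return ace.who == f"user:{user}"


def access(acl, owner, group, user, wanted):
    """NFSv4 ACL check: scan ACEs in order; the first ACE that matches the
    requester and covers a still-undecided bit decides that bit. A deny on a
    wanted bit fails the request; bits no ACE mentions are denied."""
    undecided = set(wanted)
    for ace in acl:
        if not ace_matches(ace, user, owner, group):
            continue
        hit = undecided & ace.perms
        if not hit:
            continue
        if ace.kind == "deny":
            return False
        undecided -= hit
        if not undecided:
            return True
    return False


# Scenario 1: the quoted poster's private directory with the extra
# "user:nobody:read_set:allow" entry.
SHAWN_ACL = [Ace("owner@", FULL_SET, "allow"),
             Ace("user:nobody", READ_SET, "allow")]

# Scenario 2: the reply's hierarchy. Parent readable by everyone, child
# names only the real user, so an unmapped client has nothing to match.
SIGN_ACL = [Ace("everyone@", READ_SET | {"execute"}, "allow")]
NOTME_ACL = [Ace("user:th199096", FULL_SET, "allow")]

PRINCIPALS = [
    "shawn@example.com",     # the owner, correctly mapped
    "th199096@example.com",  # the user named in NOTME_ACL
    "bob@example.com",       # another real user on the server
    "shawn@other.org",       # client configured with a different NFSv4 domain
    "ghost@example.com",     # name absent from the server's passwd
    "root@example.com",      # root on a sec=sys client
]


def who_can_read(acl, owner, group):
    """Return {principal: bool} for a read_data request against `acl`."""
    return {p: access(acl, owner, group, map_principal(p), {"read_data"})
            for p in PRINCIPALS}


if __name__ == "__main__":
    for name, acl, owner in (("shawn (user:nobody ACE)", SHAWN_ACL, "shawn"),
                             ("sign/notme (user:th199096 only)", NOTME_ACL, "th199096")):
        print(name)
        for p, ok in who_can_read(acl, owner, "staff").items():
            print(f"  {p:22} -> {map_principal(p):9} read={'yes' if ok else 'no'}")
```

Running it shows the asymmetry the reply describes: on the directory with the user:nobody ACE, the wrong-domain client, the unknown name and the squashed root all read the directory, while the real user bob cannot; on sign/notme only th199096 gets in and every unmapped principal is refused, with the open parent still letting everyone traverse to it.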