
1 Basics
1.1 Getting help on NFS mapping
man exports
The following section is shown:
User ID Mapping
    nfsd bases its access control to files on the server machine on the uid and gid provided in each NFS RPC request. The normal behavior a user would expect is that she can access her files on the server just as she would on a normal file system. This requires that the same uids and gids are used on the client and the server machine.

    This is not always true, nor is it always desirable. Very often, it is not desirable that the root user on a client machine is also treated as root when accessing files on the NFS server. To this end, uid 0 is normally mapped to a different id: the so-called anonymous or nobody uid. This mode of operation (called `root squashing') is the default, and can be turned off with no_root_squash.

    By default, exportfs chooses a uid and gid of 65534 for squashed access. These values can also be overridden by the anonuid and anongid options. Finally, you can map all user requests to the anonymous uid by specifying the all_squash option.

    Here's the complete list of mapping options:

    root_squash
        Map requests from uid/gid 0 to the anonymous uid/gid. Note that this does not apply to any other uids or gids that might be equally sensitive, such as user bin or group staff.

    no_root_squash
        Turn off root squashing. This option is mainly useful for diskless clients.

    all_squash
        Map all uids and gids to the anonymous user. Useful for NFS-exported public FTP directories, news spool directories, etc. The opposite option is no_all_squash, which is the default setting.

    anonuid and anongid
        These options explicitly set the uid and gid of the anonymous account. This option is primarily useful for PC/NFS clients, where you might want all requests appear to be from one user. As an example, consider the export entry for /home/joe in the example section below, which maps all requests to uid 150 (which is supposedly that of user joe).
1.2 Option breakdown
– The root_squash option squashes the privileges of the client's root user (UID 0) to those of the anonymous user (nobody or nfsnobody)
– The no_root_squash option does not squash the client root user's privileges to those of the anonymous user (nobody or nfsnobody); that is, the client operates with root privileges
– The all_squash option squashes the privileges of all client users to those of the anonymous user (nobody or nfsnobody)
– The anonuid option assigns the client a specific local UID on the NFS server
– The anongid option assigns the client a specific local GID on the NFS server
2 Best practice
2.1 Setting up the NFS environment
NFS Server,
OS = RHEL 8.x x86_64
Host Name = sftp.cmdschool.org
IP Address = any
For the server environment, refer to the following configuration:
NFS Client,
OS = Linux
Host Name = client.cmdschool.org
IP Address = 10.168.0.8
The client needs to install the NFS package set with the following command:
dnf install -y nfs-utils
2.2 Configuring the mapping on the NFS server
In NFS Server,
2.2.1 Get the UID and GID of the user to map to
id sftpUser01
The output is as follows:
uid=1035(sftpUser01) gid=1000(sftponly) groups=1000(sftponly)
2.2.2 Create the mapping configuration
vim /etc/exports.d/client.cmdschool.org.exports
Add the following configuration:
/data/sftp/sftpUser01/myhome 10.168.0.8/32(rw,sync,all_squash,anonuid=1035,anongid=1000)
Note: this squashes the privileges of all client users to those of the anonymous user, and sets the UID and GID of files created on the NFS server to the UID and GID of sftpUser01
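As an added example (not part of the original post), the following Python script parses exports(5) entries like the one above and reports the UID/GID mapping each client actually receives, resolving the defaults described in section 1.2 (root squashing on, all_squash off, anonymous id 65534). Only the first sample line is the page's own export; the remaining entries and the finding messages are constructed for illustration.

```python
# Added example, not from the original post: parse exports(5) entries as the
# page writes them and report the UID/GID mapping nfsd will apply per client.
# Only the first sample line is the page's export; the rest are constructed.
SAMPLE_EXPORTS = """\
# /etc/exports.d/client.cmdschool.org.exports
/data/sftp/sftpUser01/myhome 10.168.0.8/32(rw,sync,all_squash,anonuid=1035,anongid=1000)
/srv/diskless 10.168.0.0/24(rw,no_root_squash)
/srv/pub *(ro)
/srv/scratch 10.168.0.9 (rw)
"""

def parse_exports(text):
    """Return (path, client, [options]) for every client spec in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:  # an empty client means the options were set off by a space
            client, _, opts = spec.partition('(')
            entries.append((path, client, [o for o in opts.rstrip(')').split(',') if o]))
    return entries

def effective_mapping(options):
    """Resolve the option list to the mapping nfsd actually applies."""
    opts = dict(o.partition('=')[::2] for o in options)  # 'anonuid=1035' -> ('anonuid', '1035')
    return {
        'rw': 'rw' in opts,
        'root_squash': 'no_root_squash' not in opts,  # root squashing is the default
        'all_squash': 'all_squash' in opts,            # off unless requested
        'anonuid': int(opts.get('anonuid', 65534)),    # exportfs default anonymous id
        'anongid': int(opts.get('anongid', 65534)),
    }

def audit(path, client, options):
    """List the mapping problems a reviewer would flag for one client spec."""
    m = effective_mapping(options)
    findings = []
    if client == '':
        findings.append('options separated from the client by a space apply to every host')
    elif client == '*':
        findings.append('exported to every host')
    if m['rw'] and not m['root_squash']:
        findings.append('no_root_squash on a writable export: client root acts as server root')
    if 0 in (m['anonuid'], m['anongid']):
        findings.append('anonymous uid/gid is 0: squashed requests still act as root')
    return findings

if __name__ == '__main__':
    for path, client, options in parse_exports(SAMPLE_EXPORTS):
        m = effective_mapping(options)
        print(f"{path} {client or '*'}: all_squash={m['all_squash']} root_squash={m['root_squash']} "
              f"anon={m['anonuid']}:{m['anongid']} -> {'; '.join(audit(path, client, options)) or 'ok'}")
```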
2.2.3 Restart the service for the configuration to take effect
systemctl restart nfs-server
2.3 Testing the mapping
2.3.1 Mount the NFS share
In NFS Client,
mount -t nfs -o rw,nfsvers=4.2 sftp.cmdschool.org:/data/sftp/sftpUser01/myhome /mnt/
2.3.2 Create a test file
In NFS Client,
touch /mnt/testFile
2.3.3 Check the ownership and permissions of the created file
In NFS Server,
ls -l /data/sftp/sftpUser01/myhome
The permissions are shown as follows:
#... -rw-r--r-- 1 sftpUser01 sftponly 0 Mar 27 08:22 testFile