All of lore.kernel.org
 help / color / mirror / Atom feed
From: Valentijn Sessink <v.sessink@openoffice.nl>
To: linux-nfs@vger.kernel.org
Subject: Re: no_root_squash (and valid KRB root-ticket)
Date: Wed, 17 Nov 2010 11:51:37 +0100	[thread overview]
Message-ID: <4CE3B3B9.8040208@openoffice.nl> (raw)
In-Reply-To: <4CE294DD.6010508@blub.net>

Valentijn Sessink schreef:
> http://www.unix-info.org/nfsV4_howto_.txt that says that there is "no
> proper mapping between root and the GSSAuthName";

The gssd man page says:

``By default, rpc.gssd treats accesses by the user with UID 0 specially,
 and uses "machine credentials" for all accesses by that
user which require Kerberos authentication.  With the -n option,
"machine  credentials"  will  not be used for accesses by UID 0.
Instead, credentials must be obtained manually  like  all  other users.
  Use  of  this  option  means  that "root" must manually obtain
Kerberos credentials before attempting to  mount  an  nfs filesystem
requiring Kerberos authentication.''

That - sort of - answers the question: I'm being held for a machine.

A bit odd is, that I can be root on the share by using root's
credentials from within another UID (because technically, your Kerberos
login is just a way to map your local user ID to the server's user ID):

root@host32:~# su - adam
No directory, logging in with HOME=/
adam@host32:/$ kinit root
root@KERBEROS.DOMAIN's Password:
adam@host32:/$ cd /home/
adam@host32:/home$ touch file
adam@host32:/home$ ls -al file
-rw-rw-r--  1 root root    0 2010-11-17 11:28 file

On the server, "file" is also owned by root:root. So you can be root,
but not as root. (And if "adam" logs in to host32 shortly after our
excercise, he will be pleasantly surprised to see that he owns
everything on /home - although this will turn out to be a sort of King
Midas' touch, because on next login, the cached UID mapping will long be
forgotten and he won't be able to access all those documents owned by
root...)

Final question: having seen the gssd page, I don't think there's a way
for "root" on the local machine to have root rights on the server, or is
there? (Having to get manual kerberos credentials to mount /home, with
the "-n" switch, is not an option).

Valentijn
-- 
http://www.openoffice.nl/   Open Office - Linux Office Solutions
Valentijn Sessink  v.sessink@openoffice.nl  +31(0)20-4214059

  parent reply	other threads:[~2010-11-17 10:51 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-11-16 14:27 no_root_squash (and valid KRB root-ticket) Valentijn Sessink
2010-11-16 18:30 ` J. Bruce Fields
2010-11-16 19:52   ` Valentijn Sessink
2010-11-16 23:54     ` Kevin Coffman
2010-11-17 10:51 ` Valentijn Sessink [this message]
2010-11-17 14:26   ` Kevin Coffman
2010-11-18  9:59     ` Valentijn Sessink
2010-11-18 14:25       ` Kevin Coffman
2010-11-18 15:07         ` Valentijn Sessink
2010-11-18 15:27           ` Kevin Coffman
2010-11-18 17:46             ` J. Bruce Fields

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4CE3B3B9.8040208@openoffice.nl \
    --to=v.sessink@openoffice.nl \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.