Odi's astoundingly incomplete notes

If you think that root has universal privilege on the filesystem, then you may need to update your opinion.

Consider an NFS share for example that is exported from the server as:

/var/nfs 10.1.2.3(rw)

and the permissions on that directory are:

drwxrws---.  2 foo bar    6 Apr 15 17:33 nfs

On the client where that NFS share is mounted the directory looks innocuous (same as above). But when root tries to enter it

# cd /var/nfs
bash: cd: /var/nfs: Permission denied

What happens here? The NFS share uses root squashing, which will map the client's root user to the local anonymous user.
As the man page for exports explains:
Very often, it is not desirable that the root user on a client machine is also treated as root when accessing files on the NFS server. To this end, uid 0 is normally mapped to a different id: the so-called anonymous or nobody uid. This mode of operation (called 'root squashing') is the default, and can be turned off with no_root_squash.

So root being able to access almost everything is only true for "normal" filesystems, but a network filesystem or any other form of mount (fuse!) may behave differently althogether.
Beware of that fact when doing backups. Running backup as root may not be sufficient.

posted on 2021-04-16 08:39 UTC in Code | 0 comments | permalink