Learn how to resolve access denied issues in the NFS mount point. Understand how to root access is limited in NFS and no_root_squash to be used.
Current setup
Access denied error in NFS share mount points when attempted to create file or directory even if rw
option is set while exporting.
I had a directory named mydata
which is exported from the NFS server. My /etc/exports
file looks like this –
root@kerneltalks # cat /etc/exports
/mydata 10.0.2.34(rw,sync)
I mounted it on the NFS client client1
successfully. I am able to read all data within this directory from the NFS client.
root@client1 # mount kerneltalks:/mydata /nfs_data
root@client1 # ls -lrt /nfs_data
Issue
I am not able to create a file or directory in the NFS mount even if rw
option is set. I tried creating files, directory and I get access denied error.
root@client1 # cd /nfs_data
root@client1 # touch testfile
touch: cannot touch ‘testfile’: Access denied
root@client1 # mkdir testdir
mkdir: cannot create directory ‘testdir’: Access denied
Solution
By default, NFS prevents remote root users from gaining root-level privileges on its exports. It assigns user privileges of nfsnobody
user to remotely logged in root users. This is what happened here and hence even if rw
option is set, since we are using mount at root user we are not able to write any data on export.
This is called squashing root privileges to the normal ones. This to ensure accidental writing or modifying data on exports. You can set all_squash
option which will squash privileges of all remote users including root to normal user nfsnobody
.
For our issue, we have to set no_root_squash
option on export so that remote root user keeps his power intact and will be able to write on the exported directory.
I changed my /etc/exports
as below :
root@kerneltalks # cat /etc/exports
/mydata 10.0.2.34(rw,sync,no_root_squash)
I re-exported directory using exportfs
. Re-exporting mount points does not require the client to un-mount exported directories. Re-export also avoid the NFS server restart and catch up with new configuration.
root@kerneltalks # exportfs -ra
That’s it! Now I am able to create files and directories in the exported directory on NFS client.
root@client1 # cd /nfs_data
root@client1 # touch testfile
root@client1 # mkdir testdir
Conclusion
When you are using NFS mount points with root account on client-side then export them with no_root_squash
option. This will ensure you don’t face access related issues on NFS mount points.
Share Your Comments & Feedback: