Learn how to resolve access denied issues on an NFS mount point. Understand how root access is limited in NFS and when no_root_squash is to be used.
Access denied error in NFS share mount points when attempting to create a file or directory even if the rw option is set while exporting.
I had a directory named mydata which is exported from the NFS server. My /etc/exports file looks like this –
root@kerneltalks # cat /etc/exports
/mydata 10.0.2.34(rw,sync)
I mounted it on the NFS client client1 successfully. I am able to read all data within this directory from the NFS client.
root@client1 # mount kerneltalks:/mydata /nfs_data
root@client1 # ls -lrt /nfs_data
I am not able to create a file or directory in the NFS mount even if the rw option is set. I tried creating files and directories and I get an access denied error.
root@client1 # cd /nfs_data
root@client1 # touch testfile
touch: cannot touch ‘testfile’: Access denied
root@client1 # mkdir testdir
mkdir: cannot create directory ‘testdir’: Access denied
By default, NFS prevents remote root users from gaining root-level privileges on its exports. It assigns the privileges of the nfsnobody user to remotely logged-in root users. This is what happened here: even though the rw option is set, we are using the mount as the root user, so we are not able to write any data on the export.
This is called squashing root privileges to the normal ones. This is to prevent accidental writing or modification of data on exports. You can also set the all_squash option, which squashes the privileges of all remote users, including root, to a normal user.
For our issue, we have to set the no_root_squash option on the export so that the remote root user keeps his power intact and is able to write to the exported directory.
I changed my /etc/exports as below:
root@kerneltalks # cat /etc/exports
/mydata 10.0.2.34(rw,sync,no_root_squash)
I re-exported the directory using exportfs. Re-exporting mount points does not require the client to un-mount exported directories. Re-exporting also avoids an NFS server restart and picks up the new configuration.
root@kerneltalks # exportfs -ra
That’s it! Now I am able to create files and directories in the exported directory on the NFS client.
root@client1 # cd /nfs_data
root@client1 # touch testfile
root@client1 # mkdir testdir
When you are using NFS mount points with the root account on the client side, export them with the no_root_squash option. This will ensure you don’t face access-related issues on NFS mount points.
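Because no_root_squash lets the remote root user keep full root power on the export, it is worth knowing exactly which entries in /etc/exports carry it. The Python script below is an added example, not part of the original article: it parses exports-format text and lists every client entry where root is not squashed. The sample file is constructed apart from the /mydata line, and the script assumes unquoted paths and that the last of two conflicting options wins.

```python
# Constructed /etc/exports sample; only the /mydata line comes from the article.
SAMPLE_EXPORTS = """\
/mydata   10.0.2.34(rw,sync,no_root_squash)
/backup   10.0.2.34(ro,sync) *(rw,no_root_squash)   # constructed
/scratch  10.0.2.0/24(rw,sync,all_squash)
/home     client1(rw,no_root_squash,root_squash) \\
          client2(rw,sync)
"""


def parse_exports(text):
    """Yield (path, client, options) for each client entry (unquoted paths only)."""
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        fields = line.split("#", 1)[0].split()           # drop comments
        defaults = []
        for token in fields[1:]:
            if token.startswith("-"):                    # "-opt,opt" default options
                defaults = token[1:].split(",")
                continue
            client, _, opts = token.partition("(")
            own = opts.rstrip(")").split(",") if opts else []
            yield fields[0], client or "*", defaults + own


def flag(options, on, off, default):
    """Resolve an on/off option pair; assumes the last occurrence wins."""
    state = default
    for opt in options:
        if opt in (on, off):
            state = opt == on
    return state


def audit(text):
    """Return (path, client, writable, broad) for entries where root stays root."""
    findings = []
    for path, client, options in parse_exports(text):
        root_squash = flag(options, "root_squash", "no_root_squash", True)
        all_squash = flag(options, "all_squash", "no_all_squash", False)
        if root_squash or all_squash:
            continue                                     # remote root maps to the anonymous user
        writable = flag(options, "rw", "ro", False)      # exports are read-only by default
        broad = any(ch in client for ch in "*?@/")       # wildcard, netgroup or subnet
        findings.append((path, client, writable, broad))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print("root not squashed: path=%s client=%s rw=%s broad=%s" % finding)
```

Entries reported with both rw and broad set deserve the closest look, since any matching client's root user can then write to the export as root.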