[opensuse] autofs mount permission problem
Hi

I'll put the question first: Is there a way I can tell the automounter to respect the permissions of the folder it is mounting?

Otherwise, here are the details:

I'm exporting a folder like this:

/etc/exports
/home2/MARINA/staff *(rw,sec=none:sys:krb5:krb5i:krb5p,insecure)

The staff folder has these permissions and has the home directories of staff members:

drwxrwx--- 4 root staff

On the client, here is /etc/auto.master

/home2/MARINA/staff /etc/auto.misc

and here is /etc/auto.misc

* -rw,sec=krb5,vers=3 hh1:/home2/MARINA/staff

rcautofs followed by mount shows:

/etc/auto.misc on /home2/MARINA/staff type autofs (rw,relatime,fd=6,pgrp=4075,timeout=600,minproto=5,maxproto=5,indirect)

Problem: On the client, the staff folder has become:

drwxr-xr-x 3 root root

The permissions remain even if the staff folder is accessed. Everyone has access. ANY folder I mount using autofs becomes drwxr-xr-x root root.

Workarounds I've found:

1. Don't mount it directly: i.e. mount it implicitly as part of a parent folder. The problem there is that it defeats the object of having the autofs because the whole of the staff folder is mounted even if only one member of staff is logged in.

2. The big hammer: Run a script to chmod 0770 and chown root:staff on startup.

Thanks,
L x
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
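A check worth running against that exports line, added here as an editor's example and not code from the thread or from any of its participants: the sec=krb5 in the client's auto.misc only chooses what this one client negotiates, while the server's *(rw,sec=none:sys:krb5:krb5i:krb5p,insecure) still accepts AUTH_NULL and AUTH_SYS (identity asserted by the client, no Kerberos at all) from any host and from unprivileged source ports. The script below parses an /etc/exports file and flags exactly those settings, plus the classic "space before the parenthesis" mistake that hands options to every host. It is plain POSIX sh with awk; the function name audit_exports is this example's own, and the sample exports file in the test is constructed, modelled on the line above.

```shell
#!/bin/sh
# Editor's added example, not from the thread: flag /etc/exports settings
# that leave an export open wider than "Kerberos only, for known hosts".
# POSIX sh plus awk; tested on Linux.

# audit_exports FILE
# Prints one finding per line ("PATH CLIENT: reason") and returns 1 when
# anything was flagged, 0 when the file is clean.
audit_exports() {
    awk '
    function flag(p, c, msg) { bad++; print p " " c ": " msg }
    { sub(/#.*/, "") }                      # drop comments
    $0 ~ /^[ \t]*$/ { next }                # and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i; client = spec; opts = ""
            if (match(spec, /\(.*\)$/)) {   # client(opt,opt,...)
                client = substr(spec, 1, RSTART - 1)
                opts = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            name = (client == "") ? "(detached)" : client
            if (client == "")
                flag(path, name, "space before the parenthesis: these options apply to every host")
            else if (client == "*")
                flag(path, name, "exported to every host")
            has_sec = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] ~ /^sec=/) {
                    has_sec = 1
                    m = split(substr(o[j], 5), fl, ":")
                    for (k = 1; k <= m; k++)
                        if (fl[k] == "none" || fl[k] == "sys")
                            flag(path, name, "accepts sec=" fl[k] " (client-asserted identity, no Kerberos)")
                } else if (o[j] == "insecure")
                    flag(path, name, "insecure: requests accepted from unprivileged source ports")
                else if (o[j] == "no_root_squash")
                    flag(path, name, "no_root_squash: remote root keeps uid 0")
            }
            if (!has_sec)
                flag(path, name, "no sec= option, so the default sec=sys applies")
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Stand-alone use: audit_exports /etc/exports
if [ $# -eq 1 ]; then audit_exports "$1"; fi
```

Run against the line from the post it reports four findings (world export, sec=none, sec=sys, insecure). Dropping none and sys from the sec= list and replacing * with the client hosts or a netgroup is what makes "only staff" something the server enforces rather than something each client opts into.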
On 19/04/12 09:24, lynn wrote:
> Hi
> and here is /etc/auto.misc
> * -rw,sec=krb5,vers=3 hh1:/home2/MARINA/staff

Correction:

* -rw,sec=krb5,vers=3 hh1:/home2/MARINA/staff/&

Sorry
L x
On 2012-04-19 09:24, lynn wrote:
> Hi
> I'll put the question first: Is there a way I can tell the automounter to respect the permissions of the folder it is mounting?

The permissions of the empty folder on which a mount is done are ignored, they never apply to the mounted system. Rather, if the mounted filesystem is a Linux filesystem (ie, not a windows one), you have to apply permissions on the mount directory, subdirectories, and files once it is mounted - not before.

If the filesystem is a Windows one, then the permissions are given on the command doing the mount, and apply to the entire filesystem. Individual file permissions do not apply.

Then, if you export that filesystem via NFS, there is another set of permissions applied from the /etc/exports entry. The more restrictive applies.

--
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)
On 19/04/12 10:32, Carlos E. R. wrote:
> On 2012-04-19 09:24, lynn wrote:
>> Hi
>> I'll put the question first: Is there a way I can tell the automounter to respect the permissions of the folder it is mounting?
>
> The permissions of the empty folder on which a mount is done are ignored, they never apply to the mounted system. Rather, if the mounted filesystem is a Linux filesystem (ie, not a windows one), you have to apply permissions on the mount directory, subdirectories, and files once it is mounted - not before.

Hi

The folders do not exist before autofs is started. There are no empty folders upon which to mount. The automounter creates them as a result of the contents of the indirect map before anyone has requested access.

I have to manually change them to the correct permission, otherwise they retain the drwxr-xr-x which the automounter has created, when the folder they are mounting is 0770.

I've also tried creating the actual folders for the mountpoints with the correct permission and with nfs3 and nfs4 both with and without Kerberos: same results

A normal nfs3 or 4 mount from the same server works fine.

Any ideas?
Salu2
L x
On 2012-04-19 21:07, lynn wrote:
> On 19/04/12 10:32, Carlos E. R. wrote:
>
> Hi
> The folders do not exist before autofs is started. There are no empty folders upon which to mount. The automounter creates them as a result of the contents of the indirect map before anyone has requested access.

Ah.

> I have to manually change them to the correct permission, otherwise they retain the drwxr-xr-x which the automounter has created, when the folder they are mounting is 0770.
> I've also tried creating the actual folders for the mountpoints with the correct permission and with nfs3 and nfs4 both with and without Kerberos: same results

IF the filesystems you talk about are Linux native filesystems (ex: ext3) just allow them to mount, then change the permissions (inside). The next time you should get those same permissions.

IF those filesystems are Windows filesystems you have to define the permissions every time, on the command line that mounts them or in fstab. I have no idea how to do that with automount.

--
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)
On 19/04/12 21:59, Carlos E. R. wrote:
> On 2012-04-19 21:07, lynn wrote:
>> On 19/04/12 10:32, Carlos E. R. wrote:
>
> IF the filesystems you talk about are Linux native filesystems (ex: ext3) just allow them to mount, then change the permissions (inside). The next time you should get those same permissions.

It's NFS. As soon as the automounter is stopped, the mount disappears. The actual folder on the server already has the correct permissions. The problem is that autofs changes them to 755 when mounted (but not on the unexported folder back on the server at least). Mounting the parent folder which contains /staff yields the correct permissions but defeats the object of autofs since the whole folder is mounted even though only one person is using it.

> IF those filesystems are Windows filesystems you have to define the permissions every time, on the command line that mounts them or in fstab. I have no idea how to do that with automount.

That bit of it is fine. Samba 'just does it' :-)

Must be missing something easy here.
L x
On 2012-04-19 23:16, lynn wrote:
> On 19/04/12 21:59, Carlos E. R. wrote:
>
>> IF the filesystems you talk about are Linux native filesystems (ex: ext3) just allow them to mount, then change the permissions (inside). The next time you should get those same permissions.
>
> It's NFS. As soon as the automounter is stopped, the mount disappears. The actual folder on the server already has the correct permissions.

Ah, this detail is very important.

> The problem is that autofs changes them to 755 when mounted (but not on the unexported folder back on the server at least). Mounting the parent folder which contains /staff yields the correct permissions but defeats the object of autofs since the whole folder is mounted even though only one person is using it.

I can not understand that exporting over nfs can change permissions. Some can be restricted, like read-only, or root-squash, but...

>> IF those filesystems are Windows filesystems you have to define the permissions every time, on the command line that mounts them or in fstab. I have no idea how to do that with automount.
>
> That bit of it is fine. Samba 'just does it' :-)

I'm not talking of samba, but of the underlying filesystem on the server. What type is it?

--
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)
On 19/04/12 23:24, Carlos E. R. wrote:
> On 2012-04-19 23:16, lynn wrote:
>> On 19/04/12 21:59, Carlos E. R. wrote:
>
>> That bit of it is fine. Samba 'just does it' :-)
>
> I'm not talking of samba, but of the underlying filesystem on the server. What type is it?

Hi

NFS
/etc/exports
/home2/MARINA/staff *(rw,sec=krb5,whatever,else)

CIFS
smb.conf
kerberos method = system keytab
[staff]
path = /home2/MARINA/staff
read only = no
whatever = else

Underlying filesystem (the hardware?? what 12.1 put on it? ext4)
fstab
/dev/disk/by-id/u-MAXTOR_078A0DB1005E-0:0-part1 ext4 acl,user_xattr 1 1

Yes?
Salu2,
L x
On 2012-04-20 00:09, lynn wrote:
> On 19/04/12 23:24, Carlos E. R. wrote:
>
> NFS
> /etc/exports
> /home2/MARINA/staff *(rw,sec=krb5,whatever,else)

I'm not familiar with kerberos, but... are whatever and else the actual parameters you use? I don't see them in the exports manual.

> Underlying filesystem (the hardware?? what 12.1 put on it? ext4)

Yes, ext4.

--
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)
On 04/19/2012 09:24 AM, lynn wrote:
> Hi
> I'll put the question first: Is there a way I can tell the automounter to respect the permissions of the folder it is mounting?
> Otherwise, here are the details: I'm exporting a folder like this:
> /etc/exports
> /home2/MARINA/staff *(rw,sec=none:sys:krb5:krb5i:krb5p,insecure)

I'd consider this as a security feature that the autofs mount point is 755.

So for your case: why not export the parent, /home2/MARINA ?

Have a nice day,
Berny
On 19/04/12 22:34, Bernhard Voelker wrote:
> On 04/19/2012 09:24 AM, lynn wrote:
>> Otherwise, here are the details: I'm exporting a folder like this:
>> /etc/exports
>> /home2/MARINA/staff *(rw,sec=none:sys:krb5:krb5i:krb5p,insecure)
>
> I'd consider this as a security feature that the autofs mount point is 755.
> So for your case: why not export the parent, /home2/MARINA ?
>
> Have a nice day,
> Berny

Hi

If I do that, then the whole staff folder is mounted, even if only one person is using it. But yes, it mounts correctly then. It's just the folder itself which needs to be 770. Only staff should be allowed in. Everything inside is 755.

What about my workaround of changing to 770 right after the automounter is started?
L x
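The workaround lynn asks about, written out as an editor's example rather than code posted in the thread: read the indirect mount points out of auto.master, touch each one only while it really is an autofs mount, apply the mode and group, and verify the result with stat instead of assuming it. Two caveats belong next to it. The trigger directory is created by the automounter on the client, so whatever you set on it is local to that client and has nothing to do with the 0770 on /home2/MARINA/staff on the server. It therefore only controls traversal on this one machine; any other host that is allowed to mount the export is unaffected, and with the exports line from the first post that is every host. Function names (fix_autofs_mountpoints and its helpers) are this example's own; the auto.master in the test is constructed. It assumes GNU stat and /proc/self/mounts, i.e. Linux.

```shell
#!/bin/sh
# Editor's added example, not from the thread: the "chmod after automount
# starts" workaround, with a guard and a verification step.
# POSIX sh plus awk and GNU stat; tested on Linux.

# autofs_mountpoints MASTERFILE
# Print the indirect mount points from an auto.master-style file, skipping
# comments, '+' include lines and the '/-' direct-map marker.
autofs_mountpoints() {
    awk '
    { sub(/#.*/, "") }
    NF < 2 { next }
    $1 ~ /^\+/ || $1 == "/-" { next }
    { print $1 }
    ' "$1"
}

# is_autofs_mount DIR
# True (0) only while DIR is currently mounted with filesystem type autofs.
is_autofs_mount() {
    awk -v mp="$1" '$2 == mp && $3 == "autofs" { found = 1 } END { exit !found }' /proc/self/mounts
}

# set_dir_mode DIR MODE [GROUP]
# Apply a numeric MODE (0770 or 770) and optionally GROUP, then read the
# mode back with stat and fail if it did not stick.
set_dir_mode() {
    dir=$1; mode=$2; group=${3:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chmod "$mode" "$dir" || return 1
    if [ -n "$group" ]; then chgrp "$group" "$dir" || return 1; fi
    want=$(printf '%o' "0$mode")           # normalise 0770 / 770 -> 770
    actual=$(stat -c '%a' "$dir")
    if [ "$actual" != "$want" ]; then
        echo "mode on $dir is $actual, expected $want" >&2
        return 1
    fi
    echo "$dir -> $actual $(stat -c '%U:%G' "$dir")"
}

# fix_autofs_mountpoints MASTERFILE MODE [GROUP]
# For every mount point in MASTERFILE that is live as an autofs mount,
# set MODE/GROUP and verify.  Mount points that are not (yet) autofs
# mounts are reported and left alone.
fix_autofs_mountpoints() {
    master=$1; mode=$2; group=${3:-}
    rc=0
    for mp in $(autofs_mountpoints "$master"); do
        if is_autofs_mount "$mp"; then
            set_dir_mode "$mp" "$mode" "$group" || rc=1
        else
            echo "skip $mp: not an autofs mount" >&2
        fi
    done
    return $rc
}

# Stand-alone use, after the automounter is up:
#   fix_autofs_mountpoints /etc/auto.master 0770 staff
if [ $# -ge 2 ]; then fix_autofs_mountpoints "$@"; fi
```

Run it from whatever starts the automounter on the client, after that start has returned; a non-zero exit means a mount point was missing or the mode did not take, which is worth failing loudly on rather than silently leaving the directory world-traversable.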
lynn said the following on 04/19/2012 05:02 PM:
> If I do that, then the whole staff folder is mounted, even if only one person is using it.

Right. You don't want that. If *only* 'lynn' is logged in you don't want the 'tom', 'dick', 'harry' and 'george' folders mounted :-)

But the problem is that you are mounting directly under home.

I've always mounted at /mnt/server/home/ and had a symlink from /home/anton/ to /mnt/server/home/anton/

Well, OK, in some cases I have a minimal skeleton at /mnt/home/anton and everything else symlinked to stuff like /mnt/server/home/anton/Documents

Why would I do that? Well it uses *exactly* the same setup in the automounter but by using the symlinks I have a fall-back whereby I can log in and get something even when the network fails ...

In your case you could also set up a link from /home2/lynn2/Documents to /mnt/server/home/lynn/Documents and so forth :-)

Why? Apart from 'sharing' it also lets you do a whole class of testing.

I would *never* mount directly on /home/... the way you are doing.

--
Capitalism is the astounding belief that the most wickedest of men will do the most wickedest of things for the greatest good of everyone.
--John Maynard Keynes
On 19/04/12 23:38, Anton Aylward wrote:
> lynn said the following on 04/19/2012 05:02 PM:
>> If I do that, then the whole staff folder is mounted, even if only one person is using it.
>
> Right. You don't want that. If *only* 'lynn' is logged in you don't want the 'tom', 'dick', 'harry' and 'george' folders mounted :-)

Exactly :-)

> But the problem is that you are mounting directly under home.

The home directories of staff users are defined in LDAP as: /home2/MARINA/staff/lynn

> I've always mounted at /mnt/server/home/ and had a symlink from /home/anton/ to /mnt/server/home/anton/

But in my case, it would have to be the other way around. I would mount /home2/MARINA/staff from the server to /mnt/home2/MARINA/staff and symlink from the latter to /home2/MARINA/home2/lynn

That would need a conventional NFS mount to symlink from no?

> Well, OK, in some cases I have a minimal skeleton at /mnt/home/anton and everything else symlinked to stuff like /mnt/server/home/anton/Documents
>
> Why would I do that? Well it uses *exactly* the same setup in the automounter but by using the symlinks I have a fall-back whereby I can log in and get something even when the network fails ...

In this case /home2/MARINA/staff does not exist until autofs is started. If /mnt goes, I still get nothing even if /home2/MARINA/staff/lynn existed physically on the client. Which it doesn't.

Thanks,
L x
On 04/20/2012 12:29 AM, lynn wrote:
>> But the problem is that you are mounting directly under home.
>
> The home directories of staff users are defined in LDAP as: /home2/MARINA/staff/lynn

I think it works if you have symlinks to the real home directories in the staff directory, e.g.:

/home2/MARINA/staff/lynn -> ../../homes/lynn

and HOME physically here:

/home2/MARINA/homes/lynn

Then you need 2 exports for staff and homes.

But I still don't get the point about g+w for staff: every user in the group could e.g. remove the above symlink! What should this be good for? I don't know of a well administered *NIX box where the parent directory of any $HOME is writeable by someone else than root. There must be a good reason for it ...

Have a nice day,
Berny
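Bernhard's objection is the one a reviewer would raise too. With drwxrwx--- root staff on the parent of every staff $HOME, any member of staff can rename or unlink another member's home directory (or a symlink standing in for it), because unlink and rename are decided by write permission on the containing directory, not on the entry itself. The sticky bit (mode 1770, as on /tmp) limits removal and renaming to the entry's owner, the directory's owner and root while still keeping traversal group-only. The script below is an editor's added example, not anything posted in the thread: it checks the parent of every $HOME listed in a passwd-format file for that condition. The function names are this example's own, the passwd lines and directories in the test are constructed, and it assumes GNU stat.

```shell
#!/bin/sh
# Editor's added example, not from the thread: find home-directory parents
# whose mode lets one user remove or rename another user's $HOME.
# POSIX sh plus awk and GNU stat; tested on Linux.

# dir_allows_peer_delete DIR
# True (0) when someone other than DIR's owner could unlink or rename
# entries in it: DIR is group- or world-writable and has no sticky bit.
# With the sticky bit set (as on /tmp) only an entry's owner, the
# directory's owner and root may remove or rename that entry.
dir_allows_peer_delete() {
    perm=$(printf '%d' "0$(stat -c '%a' "$1")") || return 2   # octal mode -> decimal
    [ $((perm & 18)) -ne 0 ] && [ $((perm & 512)) -eq 0 ]    # 18 = g+w|o+w, 512 = sticky
}

# home_parents PASSWDFILE
# Print each distinct parent directory of the home directories listed in a
# passwd-format file (for LDAP accounts, feed it the output of getent passwd).
home_parents() {
    awk -F: '
    $6 ~ /^\// {
        p = $6
        sub(/\/[^\/]*$/, "", p)
        if (p == "") p = "/"
        if (!seen[p]++) print p
    }' "$1"
}

# audit_home_parents PASSWDFILE
# Report "PARENT MODE OWNER:GROUP verdict" per parent; return 1 if any
# parent lets peers delete or rename home directories.
audit_home_parents() {
    rc=0
    for parent in $(home_parents "$1"); do
        if [ ! -d "$parent" ]; then
            echo "$parent missing"
            continue
        fi
        mode=$(stat -c '%a %U:%G' "$parent")
        if dir_allows_peer_delete "$parent"; then
            echo "$parent $mode UNSAFE: other users can remove or rename home directories here (consider 1770 or 755)"
            rc=1
        else
            echo "$parent $mode ok"
        fi
    done
    return $rc
}

# Stand-alone use: audit_home_parents /etc/passwd
if [ $# -eq 1 ]; then audit_home_parents "$1"; fi
```

On the layout in this thread the report flags /home2/MARINA/staff at 770 and stops flagging it at 1770, which keeps "only staff can get in" while closing the hole Bernhard points at; whether group write is needed there at all is the question he is really asking.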
lynn said the following on 04/19/2012 06:29 PM:
>> I've always mounted at /mnt/server/home/ and had a symlink from /home/anton/ to /mnt/server/home/anton/
>
> But in my case, it would have to be the other way around. I would mount /home2/MARINA/staff from the server to /mnt/home2/MARINA/staff and symlink from the latter to /home2/MARINA/home2/lynn
>
> That would need a conventional NFS mount to symlink from no?

No, other way round. You symlink *TO* where the NFS is mounted.

This example is from the second case I described where I have a minimal template in place on a machine running fedora and a very small disk, and the 'real' stuff on a server. My laptop, when it's docked, has similar links

$ ls -l /home/anton/
[snip]
drwxrwxr-x. 3 anton user 4096 Oct 12  2011 bin
lrwxrwxrwx. 1 anton user   22 Sep 15  2011 Documents -> /mnt/server/anton/Documents/
lrwxrwxrwx. 1 anton user   22 Sep 15  2011 Downloads -> /mnt/server/anton/Downloads/
drwxrwxr-x. 4 anton user 4096 Oct 12  2011 lib
lrwxrwxrwx. 1 anton user   17 Sep 14  2011 Media -> /mnt/server/anton/Media
lrwxrwxrwx. 1 anton user   15 Sep 14  2011 PDF -> /mnt/server/anton/PDF
drwxr-xr-x. 2 anton user 4096 Sep 14  2011 Templates

You could set this up as a test using your local 'lynn2' account

Please note that I don't have a '/mnt/server/<machine>/home/' in there. The automounter could handle additional levels of indirection if needed, but all the 'homes' (well actually subtrees) are on the one server. I suggest you don't try playing with automounter indirection!

The automounter mounts server:/home/anton on localhost:/mnt/server/anton

You probably want to mount server:/home2/MARINA/staff/ on localhost:/mnt/server/staff/

You want to have localhost:/mnt/server/staff/ already created as a directory - which is how I have it on the fedora machine. I don't know about ubuntu.

Now set up a symlink _from_ localhost:/home2/MARINA/staff/lynn/ _to_ /mnt/server/staff/lynn/

I don't know why you have that 'MARINA' in there and it's possible there is confusion with /home/ and /home2/ in all of this. It is to avoid that confusion that I *NEVER* mount directly under /home and why I have a basic template and mount the 'roving shares' explicitly. Once I have that all worked and prove it works I can change my symlinks "up one level".

You've managed to do things in an awkward way that gives you no room for flexibility and experimentation.

You have what is sometimes termed "Big bang" delivery. It either works or it doesn't and you've got no room to play with because you've done an all or nothing commit in the way you overlay the 'real' home. By mounting on /mnt/server/ I can play with ways of symlinking or using 'mount --bind' or 'mount --rbind'. I've got room to try different approaches.

--
"...Then anyone who leaves behind him a written manual, and likewise anyone who receives it, in the belief that such writing will be clear and certain, must be exceedingly simple-minded..."
-- Plato, _Phaedrus_
participants (4)
- Anton Aylward
- Bernhard Voelker
- Carlos E. R.
- lynn