Let’s say you want to set up a group folder that’s shared via NFS, but this time only one particular Linux group is allowed read+write access to it. You can do this by making the exported folder group-owned by that group and then setting the SGID bit on it, so that everything created inside inherits the group. You can follow along with this article using this Vagrant project on GitHub.
We will walk through the following example:
+--------------------------+            +--------------------------+
|                          |            |                          |
|  nfs-storage             |            |  nfs-client              |
|  (IP: 10.0.6.10)         |            |                          |
|                          |            |                          |
|  +-----------------+     |            |     +------------------+ |
|  | /nfs/hr_team    |<---------------------->| /mnt/hr_team_nfs | |
|  +-----------------+     |            |     +------------------+ |
|                          |            |                          |
+--------------------------+            +--------------------------+
The key thing here is that the Linux group that needs read-write access to the shared folder must exist on both machines, with the same numeric gid. The same goes for the users (it is the gid that grants access here; see the note at the end about uids).
Let’s create a couple of dummy users. On the storage box:
[root@nfs-storage ~]# useradd bob
[root@nfs-storage ~]# useradd alice
and on the client box:
[root@nfs-client ~]# useradd bob
[root@nfs-client ~]# useradd alice
Now let’s create the group:
[root@nfs-storage nfs]# groupadd -g 8000 hr_team
Here you have to explicitly specify a gid, because the group must have the same gid on both boxes: NFS sends numeric ids over the wire, not names. The gid must not already be taken on either box; if it is, groupadd refuses with an error. Let’s now mirror this on the client:
[root@nfs-client ~]# groupadd -g 8000 hr_team
Now we add both users to the group:
[root@nfs-storage nfs]# usermod -aG hr_team bob
[root@nfs-storage nfs]# usermod -aG hr_team alice
[root@nfs-storage nfs]# cat /etc/group | grep 8000
hr_team:x:8000:bob,alice
And mirror this on the client:
[root@nfs-client ~]# usermod -aG hr_team bob
[root@nfs-client ~]# usermod -aG hr_team alice
[root@nfs-client ~]# cat /etc/group | grep 8000
hr_team:x:8000:bob,alice
Now let’s create the export:
[root@nfs-storage nfs]# mkdir -p /nfs/hr_team
[root@nfs-storage nfs]# ll -dZ /nfs/hr_team/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /nfs/hr_team/
Next let’s sort out the SELinux security context. (On RHEL/CentOS 7 the nfs_export_all_rw boolean is on by default, so nfsd can already serve files of any type; labelling the tree properly is still the tidy thing to do, and it is what keeps the export working if that boolean is ever turned off.)
[root@nfs-storage nfs]# semanage fcontext -a -t public_content_rw_t "/nfs/hr_team(/.*)?"
[root@nfs-storage nfs]# restorecon -R /nfs/hr_team/
[root@nfs-storage nfs]# ll -dZ /nfs/hr_team/
drwxr-xr-x. root root unconfined_u:object_r:public_content_rw_t:s0 /nfs/hr_team/
Tip: if you forget what the types are called, run the following for a reminder:
$ seinfo -t | grep public
At the moment this folder is owned and group owned by root:
[root@nfs-storage nfs]# ll /nfs/
total 0
drwxr-xr-x. 2 root root 6 Mar 12 18:06 hr_team
Now let’s set this to the new group:
[root@nfs-storage nfs]# chown -R nfsnobody:hr_team /nfs/hr_team
[root@nfs-storage nfs]# ll /nfs
total 0
drwxr-xr-x. 2 nfsnobody hr_team 6 Mar 12 18:06 hr_team
The nfsnobody user is the anonymous NFS account (uid/gid 65534 on RHEL 7) that the server maps squashed requests to. Giving it ownership means no real login owns the directory; everyone gets in through the group. One caveat: when root_squash is in effect, a remote root becomes nfsnobody and therefore gets the owner’s rwx on this directory, so leave the owner as root if that is not what you want. Now we set the SGID flag:
[root@nfs-storage ~]# chmod g+rws /nfs/hr_team/
[root@nfs-storage nfs]# ll -d /nfs/hr_team/
drwxrwsr-x. 2 nfsnobody hr_team 6 Mar 12 18:06 /nfs/hr_team/
With the SGID bit set, anything created inside inherits the hr_team group instead of the creator’s primary group. If only hr_team members should be able to list or enter the folder at all, strip the other bits as well (chmod 2770 /nfs/hr_team).
Now we update /etc/exports to contain the following line:
[root@nfs-storage nfs]# cat /etc/exports
/nfs/hr_team *(rw,no_root_squash)
This is fine for a lab, but be aware of what it grants: * lets any host that can reach the server mount the export, and no_root_squash lets root on any such client act as root on it. Since NFS (AUTH_SYS) simply believes the uid and gid the client presents, the hr_team restriction is only as strong as the list of hosts allowed to mount; outside the lab, restrict the export to the client’s address or subnet and keep the default root_squash, e.g. /nfs/hr_team 10.0.6.0/24(rw,sync).
Now we restart the NFS daemon (exportfs -ra would also do, without a restart) and check that our new group folder has been exported:
[root@nfs-storage nfs]# systemctl restart nfs-server
[root@nfs-storage nfs]# showmount -e localhost
Export list for localhost:
/nfs/hr_team *
On the NFS client, we need to create a mount point:
[root@nfs-client ~]# mkdir -p /mnt/hr_team_nfs
And then add the following entry into the /etc/fstab file:
10.0.6.10:/nfs/hr_team /mnt/hr_team_nfs nfs soft,timeo=100,_netdev,rw 0 0
Note that soft is a risky choice for a read-write mount: once timeo expires (here 10 seconds, as the value is in tenths of a second) the client returns an error to the application and a write in progress can be lost. The default hard is the safer option for data you care about.
Then do a mount all:
[root@nfs-client ~]# mount -a
Finally, run mount or findmnt to confirm that it has been mounted, then try creating content as various users: bob and alice should succeed and their files should carry the hr_team group, while a user outside the group should be refused.
Note: for the group access itself, the uid values of the created users don’t matter; it’s the gid that has to match. The uid is still what the server records as the owner of each file, though, so if bob has a different uid on the two boxes his files show up on the server as owned by whatever that uid maps to there. Match the uids as well if per-user ownership is supposed to mean something.
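As an added example (not from the original article or its Vagrant project), here is a small POSIX shell pre-flight script that checks the three things this recipe actually depends on: the hr_team gid matching on both boxes, an /etc/exports line that is not wide open, and a directory mode that grants the group and only the group. The sample /etc/group contents and export lines are constructed inline; on real hosts, copy /etc/group from each box and feed in the real export line and the mode column of ls -ld.

```sh
#!/bin/sh
# Added example, not part of the original article: pre-flight checks for the
# NFS group-folder recipe. NFS with AUTH_SYS carries only numeric uids/gids
# across the wire, so these checks verify what the recipe actually relies on.
# All sample inputs below are constructed; on real hosts point the functions
# at /etc/group copied from each box, the line in /etc/exports, and the mode
# column printed by `ls -ld /nfs/hr_team`.

# gid_of GROUPFILE NAME: print the numeric gid of NAME from an /etc/group-style file.
gid_of() {
    awk -F: -v name="$2" '$1 == name { print $3; exit }' "$1"
}

# check_group_matches SERVER_GROUPFILE CLIENT_GROUPFILE NAME: succeed only when
# NAME exists on both sides with the same gid (the name itself never crosses the wire).
check_group_matches() {
    server_gid=$(gid_of "$1" "$3")
    client_gid=$(gid_of "$2" "$3")
    [ -n "$server_gid" ] && [ -n "$client_gid" ] && [ "$server_gid" = "$client_gid" ]
}

# check_export_line LINE: fail for an export open to every host ("*") or one that
# keeps remote root as root (no_root_squash); anything else passes.
check_export_line() {
    clients=$(printf '%s\n' "$1" | awk '{ sub(/\(.*/, "", $2); print $2 }')
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    [ -n "$clients" ] && [ "$clients" != "*" ] || return 1
    case ",$opts," in
        *,no_root_squash,*) return 1 ;;
    esac
    return 0
}

# check_mode SYMBOLIC: given the mode column from `ls -ld` (e.g. drwxrws---.),
# require setgid plus group rwx ("rws"; "rwS" means setgid without group x)
# and no permissions at all for others.
check_mode() {
    group_bits=$(printf '%s' "$1" | cut -c5-7)
    other_bits=$(printf '%s' "$1" | cut -c8-10)
    [ "$group_bits" = "rws" ] && [ "$other_bits" = "---" ]
}

# Constructed sample inputs standing in for the two boxes' /etc/group files.
srv_group=$(mktemp)
cli_group=$(mktemp)
bad_cli_group=$(mktemp)
trap 'rm -f "$srv_group" "$cli_group" "$bad_cli_group"' EXIT
printf 'root:x:0:\nhr_team:x:8000:bob,alice\n' > "$srv_group"
printf 'root:x:0:\nhr_team:x:8000:bob,alice\n' > "$cli_group"
printf 'root:x:0:\nhr_team:x:8001:bob,alice\n' > "$bad_cli_group"  # same name, gid drifted

lab_export='/nfs/hr_team *(rw,no_root_squash)'      # the line used in the walkthrough
safer_export='/nfs/hr_team 10.0.6.0/24(rw,sync)'    # client subnet only, root squashed (default)

report() { if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; fi; }
report check_group_matches "$srv_group" "$cli_group" hr_team
report check_group_matches "$srv_group" "$bad_cli_group" hr_team
report check_export_line "$lab_export"
report check_export_line "$safer_export"
report check_mode 'drwxrwsr-x.'    # the walkthrough's mode: others can still list and enter
report check_mode 'drwxrws---.'    # 2770: hr_team only
```

Run it on the server with the client’s /etc/group copied alongside (scp is enough) and it tells you before the first mount whether a gid has drifted, whether the export still says *, and whether others can still wander into the folder. The mode check deliberately rejects rwS: that is setgid without group execute, which looks right in ls but stops the group from entering the directory.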
Quiz: practise the setup end to end on your own nfs-server and nfs-client.
1. Use the groupadd command to create a group with an identical name and gid value on both the nfs-server and the nfs-client.
2. On the nfs-server, use chown to make this new group the group owner of the exported folder.
3. Use chmod to ensure the group has full rwx access to the exported folder, but ‘other’ has no access.
4. Use chmod to set the SGID bit on the folder, so that newly created content is owned by the right group.
5. On the client, create users (or add existing ones) and put them in the group.
6. Test that group members can create files and folders inside the mount point.
$ groupadd -g 4005 admins
$ chmod g+s /nfs/hr_team