March 12, 2018

NFS – Set up private group folders

Let’s say you want to set up a group folder that’s available via NFS, but this time only a particular Linux group is allowed read+write access to it. You can do this by ensuring the exported folder is group-owned by that group and then setting the SGID bit on it. You can follow along with this article using this vagrant project on Github.


You can find all my latest posts on medium.

We will walk through the following example:

+--------------------------+              +--------------------------+
|                          |              |                          |
|       nfs-storage        |              |        nfs-client        |
|     (IP:      |              |                          |
|                          |              |                          |
|                          |              |                          |
|                          |              |                          |
|                          |              |                          |
|   +-----------------+    |              |   +------------------+   |
|   | /nfs/hr_team    |<--------------------->| /mnt/hr_team_nfs |   |
|   +-----------------+    |              |   +------------------+   |
|                          |              |                          |
|                          |              |                          |
|                          |              |                          |
+--------------------------+              +--------------------------+

The key thing here is that the Linux group that needs read-write access to the shared folder must exist on both machines. The same is true for the users.

Let’s create a couple of dummy users on both boxes. On the storage box:

[root@nfs-storage ~]# useradd bob
[root@nfs-storage ~]# useradd alice

and on the client box:

[root@nfs-client ~]# useradd bob
[root@nfs-client ~]# useradd alice

Now lets create the group:

[root@nfs-storage nfs]# groupadd -g 8000 hr_team

Here you have to explicitly specify a gid, because the group needs to have an identical gid on both boxes. The gid has to be unique; if it isn’t, groupadd will give an error message. Let’s now mirror this on the client:

[root@nfs-client ~]# groupadd -g 8000 hr_team

Now we add both users to the group:

[root@nfs-storage nfs]# usermod -aG hr_team bob
[root@nfs-storage nfs]# usermod -aG hr_team alice
[root@nfs-storage nfs]# cat /etc/group | grep 8000

And mirror this on the client:

[root@nfs-client ~]# usermod -aG hr_team bob
[root@nfs-client ~]# usermod -aG hr_team alice
[root@nfs-client ~]# cat /etc/group | grep 8000
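NFS puts only numeric uids and gids on the wire, so the name hr_team matters far less than the number 8000 behind it. The following is an added example (not from the original post) that compares the gid a group name resolves to in the server's and the client's /etc/group; the two group files it reads are constructed sample data, not real hosts.

```shell
#!/bin/sh
# Added example (not from the original post): check that a group carries the
# same numeric gid in the server's and the client's /etc/group. NFS puts only
# numeric uids/gids on the wire, so a name that maps to 8000 on the server and
# 8001 on the client silently grants or denies the wrong people access.
# The two group files below are constructed sample data.

# gid_of FILE GROUP -> prints the gid of GROUP as recorded in FILE (empty if absent)
gid_of() {
    awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"
}

# check_gid_match SERVER_GROUP_FILE CLIENT_GROUP_FILE GROUP
# returns 0 when GROUP exists in both files with the same gid, 1 otherwise
check_gid_match() {
    srv=$(gid_of "$1" "$3")
    cli=$(gid_of "$2" "$3")
    if [ -z "$srv" ] || [ -z "$cli" ]; then
        echo "$3: missing on at least one host (server='$srv' client='$cli')" >&2
        return 1
    fi
    if [ "$srv" != "$cli" ]; then
        echo "$3: gid mismatch (server=$srv client=$cli)" >&2
        return 1
    fi
    echo "$3: gid $srv matches on both hosts"
    return 0
}

# Constructed stand-ins for /etc/group on nfs-storage and nfs-client.
SRV_GROUP=$(mktemp)
CLI_GROUP=$(mktemp)
trap 'rm -f "$SRV_GROUP" "$CLI_GROUP"' EXIT
cat >"$SRV_GROUP" <<'EOF'
root:x:0:
hr_team:x:8000:bob,alice
EOF
cat >"$CLI_GROUP" <<'EOF'
root:x:0:
hr_team:x:8001:bob,alice
EOF

check_gid_match "$SRV_GROUP" "$CLI_GROUP" root
check_gid_match "$SRV_GROUP" "$CLI_GROUP" hr_team || echo "recreate hr_team on the client with groupadd -g 8000"
```

On real hosts you would point the two arguments at a local copy of each machine's /etc/group (or at `getent group` output), and run it once per shared group before exporting anything.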

Now let’s create the export:

[root@nfs-storage nfs]# mkdir -p /nfs/hr_team
[root@nfs-storage nfs]# ll -dZ /nfs/hr_team/
drwxr-xr-x. nfsnobody hr_team unconfined_u:object_r:default_t:s0 /nfs/hr_team/

Next let’s sort out the SELinux security context:

[root@nfs-storage nfs]# semanage fcontext -a -t public_content_rw_t  "/nfs/hr_team(/.*)?"
[root@nfs-storage nfs]# restorecon -R /nfs/hr_team/
[root@nfs-storage nfs]# ll -dZ /nfs/hr_team/
drwxrwsr-x. nfsnobody hr_team unconfined_u:object_r:public_content_rw_t:s0 /nfs/hr_team/

Tip: if you forget what the SELinux types are called, run the following for a reminder:

$ seinfo -t | grep public

At the moment this folder is owned and group owned by root:

[root@nfs-storage nfs]# ll /nfs/
total 0
drwxr-xr-x. 2 root root  6 Mar 12 18:06 hr_team

Now let’s set this to the new group:

[root@nfs-storage nfs]# chown -R nfsnobody:hr_team /nfs/hr_team
[root@nfs-storage nfs]# ll /nfs
total 0
drwxr-xr-x. 2 nfsnobody hr_team  6 Mar 12 18:06 hr_team

The nfsnobody user is a special reserved username used specifically for this purpose. Now we set the sgid flag:

[root@nfs-storage ~]# chmod g+rws hr_team/
[root@nfs-storage nfs]# ll -d /nfs/hr_team/
drwxrwsr-x. 2 nfsnobody hr_team 6 Mar 12 18:06 /nfs/hr_team/

Now we update /etc/exports to contain the following line:

[root@nfs-storage nfs]# cat /etc/exports
/nfs/hr_team    *(rw,no_root_squash)

Now we restart the nfs daemon and check that our new group folder has been exported:

[root@nfs-storage nfs]# systemctl restart nfs-server
[root@nfs-storage nfs]# showmount -e localhost
Export list for localhost:
/nfs/hr_team *
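The export line above is fine for a lab, but two things in it deserve a second look before it reaches a real server: `*` makes the export available to every host that can reach the NFS port, and `no_root_squash` lets root on any such client act as root on the exported tree. The following is an added example (not from the original post) that parses an exports file and flags both conditions; the exports file it reads is constructed sample data, and the 192.0.2.0/24 network in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): flag risky /etc/exports entries.
# The lab line "/nfs/hr_team *(rw,no_root_squash)" exports to every host that
# can reach the server and lets a client's root act as root on the export; a
# production entry would name the client network and keep the default
# root_squash. The exports file below is constructed sample data.

# audit_exports FILE -> prints one line per finding, returns the number of findings
audit_exports() {
    file=$1; findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip comments
        set -f                                # no globbing: '*' is a literal host spec
        set -- $line                          # $1 = export path, $2.. = host(options)
        set +f
        [ $# -ge 1 ] || continue              # blank line
        path=$1; shift
        if [ $# -eq 0 ]; then
            echo "$path: no client list, exported to every host"
            findings=$((findings + 1)); continue
        fi
        for client in "$@"; do
            host=${client%%"("*}                      # text before '('
            opts=${client#*"("}; opts=${opts%")"}     # text inside '(...)'
            [ "$opts" = "$client" ] && opts=""        # entry had no option list
            case $host in
                '*') echo "$path: exported to all hosts"; findings=$((findings + 1)) ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path ($host): no_root_squash lets client root write as root"
                                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    return "$findings"
}

# Constructed sample exports file: the post's lab line, a tightened version, and a read-only wildcard.
EXPORTS_SAMPLE=$(mktemp)
SAFE_SAMPLE=$(mktemp)
trap 'rm -f "$EXPORTS_SAMPLE" "$SAFE_SAMPLE"' EXIT
cat >"$EXPORTS_SAMPLE" <<'EOF'
# lab export from the post
/nfs/hr_team    *(rw,no_root_squash)
/nfs/hr_team    192.0.2.0/24(rw,sync,root_squash)
/srv/public     *(ro)
EOF
cat >"$SAFE_SAMPLE" <<'EOF'
/nfs/hr_team    192.0.2.0/24(rw,sync,root_squash)
EOF

audit_exports "$EXPORTS_SAMPLE" || echo "$? risky entries in $EXPORTS_SAMPLE"
audit_exports "$SAFE_SAMPLE" && echo "$SAFE_SAMPLE: ok"
```

Run it as `audit_exports /etc/exports` on the server after editing the file and before `systemctl restart nfs-server`; a non-zero return means something in the file is wider open than a private group folder should be.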

On the NFS client, we need to create a mount point:

[root@nfs-client ~]# mkdir -p /mnt/hr_team_nfs

And then add the following entry into the /etc/fstab file:

   /mnt/hr_team_nfs   nfs    soft,timeo=100,_netdev,rw   0   0

Then do a mount all:

[root@nfs-client ~]# mount -a

Finally we can run mount or findmnt to confirm that it has been mounted. Then try creating content as the various users.

Note: uid values of the created users don’t matter. It’s just the group id that requires matching.


What are the steps involved in configuring an NFS export as a private group folder?

1. Use the groupadd command to create a group with an identical name and gid value on both the nfs-server and the nfs-clients.
2. On the nfs-server, use chown to make this new group the group owner of the exported folder.
3. Use chmod to ensure the group has full rwx access to the export folder, but ‘other’ has no access.
4. Use chmod to set the sgid bit on the folder, so that newly created content is owned by the right group.
5. On the client, create users or add existing users to the group.
6. Test that group users can create files/folders inside the mount point.

What is the command to create a group called 'admins' with the gid of 4005?

$ groupadd -g 4005 admins

What is the command to set the sgid on the folder /nfs/hr_team?

$ chmod g+s /nfs/hr_team