October 23, 201411 yr I'd like to restrict a share (using NFS) such that only one IP would be able to access the share. "/mnt/user/media" -async,no_subtree_check,fsid=101 *(sec=sys,rw,insecure,anongid=100,anonuid=99,all_squash) I guess I would need to replace the * with an IP above. Can I use exports- or must I do some sed voodoo in the go script and restart NFS on boot to accomplish this? I'm assuming if the exports- is used, when you restart the array/nfs those changes are lost in the real exports file? Really I need some sort of security with NFS, just unsure how to implement this. Thanks
October 23, 201411 yr You already see the issue with modifying the exports file via go script. You can enable username password authentication for the share(s) and include the authentication in the mount string on your client, but is plain text. Not sure how secure you want secure.
October 23, 201411 yr Author I don't think you can supply a password on the mount string with NFS. I seem to be having a hard time finding info on how to secure NFS.
October 24, 201411 yr Correct, it would be via uid/gid. I played around with it a little so not sure if the idea will work as intended, but you should be able to restrict to IP and a specific user using the rules available in the GUI when you select private for the NFS export. Set the share to NFS export private and a box should show up where you specify the export options. There you would specify the IP and options like 192.168.1.2(rw,anonuid=xxxx,anongid=xxx) where the xxx is the specific uid/gid which you can get via grep <unRAID user> /etc/passwd which will get you uid:gid. Might need to play with the squash options if you want to map to nobody vs. specific user depending on your requirements. The above is a basic example.
October 27, 201411 yr Author Correct, it would be via uid/gid. I played around with it a little so not sure if the idea will work as intended, but you should be able to restrict to IP and a specific user using the rules available in the GUI when you select private for the NFS export. Set the share to NFS export private and a box should show up where you specify the export options. There you would specify the IP and options like 192.168.1.2(rw,anonuid=xxxx,anongid=xxx) where the xxx is the specific uid/gid which you can get via grep <unRAID user> /etc/passwd which will get you uid:gid. Might need to play with the squash options if you want to map to nobody vs. specific user depending on your requirements. The above is a basic example. Thanks for the help, but still having problems. I've create a user on the unRAID server (192.168.1.99) and found the uid/gid as you described: bob:x:1000:100::/bin/false I've added the line to the share and set the share to private: 192.168.1.10(rw,anonuid=1000,anongid=100) Now, from 192.168.1.10, I use autofs with the following: media -rw,soft,nolock,intr,rsize=8192,wsize=8192 Tower:/mnt/user/media I am now the user 'bob' on 192.168.1.10, and I go into the media directory which is mounted correctly, I see files but cannot write: srv:/media/unraid-nfs/media$ touch test touch: cannot touch `test': Read-only file system Just so I understand, the user 'bob' does exist on the client but with a different uid/gid could that be the problem?
November 2, 201411 yr Late reply, was tdy with work. Your uid/gid will need to match or use a squash option. You can edit /etc/passwd on the client or server to make them match, but suggest reading up on that before doing it.
Archived
This topic is now archived and is closed to further replies.