TechnicalMap nfs clients to user

  

Press Ctrl+Enter to quickly submit your post
Quick Reply  
 
 
  
 From:  CHYRON (DSMITHHFX)   30 Jun 2016 18:41 
 To:  ALL 1 of 20 
41773.1 
/etc/idmapd.conf

WTF does it do?
 
Quote: 
Nobody-User = nobody Nobody-Group = nogroup
I've exported the webroot of a server, and lan clients (folks who need access) can open without login. Fine.

*But* I want to assign specific user+group to files they write. (pray)

Tried changing ^^^ nobody/nogroup to myuser/mygroup, but files are still nobody/nogroup

Is it possible?
electric eels can leap out of water and shock you
0/0
 Reply   Quote More 

 From:  CHYRON (DSMITHHFX)   4 Jul 2016 13:49 
 To:  ALL 2 of 20 
41773.2 
I managed to get latest netatalk to compile and install on my amd64 Ubuntu 14.04 vm, so I don't need the nfs user stuff resolved (remains to be seen if it will install to ppc metal version).

Now I gotta new question, which (I hope) may be a generic unix -y question rather than specific to afp:

Is there a way to force files written to a particular share to have a different group (which the user is a member of), e.g. 'joe/www-data', rather than the user's default group (e.g. 'joe/joe') ?

edit: chmod 2775  (taboo)
driver killed while using autopilot was watching Harry Potter
0/0
 Reply   Quote More 

 From:  Drew (X3N0PH0N)   4 Jul 2016 14:24 
 To:  CHYRON (DSMITHHFX)      3 of 20 
41773.3 In reply to 41773.2 
If you `chmod g+s` a directory then all newly created files in that directory will inherit the directory's group rather than the primary group of the user who creates the file.

Couple of caveats: This won't change the *owner* ID of the new file, just the group ID.

Also this won't apply to files that are moved or copied, only newly created ones. Which I suspect will make it useless?

I don't believe there's a way to change ownership/group of files that are copied into a directory on the fly - for that you'd have to use something on a cron job/systemd timer or something like that.

It *sounds* like you're tying to make a website's files available for editing or something like that, right? But want to keep the web server reasonably secure, not giving it access to a load of shit outside of web root?

I *believe* you could do something suitable with ACLs but you'd need a recent version of NFS (v4) for that to work and you're on an old-ass Ubuntu. (Also, it sounds fucking complicated).

Personally I'd use a third, unprivileged user with the primary group www-data to edit the files but that might not be practicable in your situation.

Failing that, chmod g+s (look up setgid if you want more info) combined with a job on a timer to take care of any copied/moved files might be the simplest.

*Really* though, it sounds like you're trying to use NFS for what Git is good at. What I'd *really* want to do is set up a git repo on the same machine as the web server to which changes to the website are pushed. Then set up some git hooks on that repo to, when stuff is changed, copy or clone/pull everything into web root and set the correct permissions. This would be neater and less prone to fucking up.


 
 
0/0
 Reply   Quote More 

 From:  Drew (X3N0PH0N)   4 Jul 2016 14:28 
 To:  CHYRON (DSMITHHFX)      4 of 20 
41773.4 In reply to 41773.2 
>edit: chmod 2775  

Yeah, that's the same as chmod g+s. Same caveat - won't work with copied/moved files.
 
0/0
 Reply   Quote More 

 From:  CHYRON (DSMITHHFX)   4 Jul 2016 14:49 
 To:  Drew (X3N0PH0N)      5 of 20 
41773.5 In reply to 41773.4 
Just tried it on the afp share, it works for copied files too. Apparently it's an apple [/BSD] default. Kind of gave up on the nfs thing, I never had it (force uid/gid) working on the current dev server anyway. Not gonna install and config kerberos shit just for that  :-(
driver killed while using autopilot was watching Harry Potter
0/0
 Reply   Quote More 

 From:  Drew (X3N0PH0N)   4 Jul 2016 14:52 
 To:  CHYRON (DSMITHHFX)      6 of 20 
41773.6 In reply to 41773.5 
Yeah, NFS can be more of a pain in the arse than it really should be for something so simple. I had NFS shares set up for a while but it would just randomly flake out. I went back to SSHFS which has always just worked flawlessly for me.

Glad you got it sorted though!
 
0/0
 Reply   Quote More 

 From:  ANT_THOMAS   4 Jul 2016 15:03 
 To:  Drew (X3N0PH0N)      7 of 20 
41773.7 In reply to 41773.6 
No idea whether speed is a concern, but is SSHFS much slower than SMB or NFS? Due to encryption/decryption, though that might only be an issue with a crap CPU.
0/0
 Reply   Quote More 

 From:  CHYRON (DSMITHHFX)   4 Jul 2016 15:10 
 To:  ANT_THOMAS      8 of 20 
41773.8 In reply to 41773.7 
Never tried SSHFS (actually, never heard of it), but afp is a lot slower than nfs. Fast enough for generic daily r-w usage, but for e.g. backups I use nfs.
driver killed while using autopilot was watching Harry Potter
0/0
 Reply   Quote More 

 From:  ANT_THOMAS   4 Jul 2016 15:14 
 To:  CHYRON (DSMITHHFX)      9 of 20 
41773.9 In reply to 41773.8 
Literally SSH Filesystem. I guess pretty much the same as scp but fully mounted rather than individual copy commands.

I found that the encryption slowed things down with scp and big files, but that was on a system with a weak CPU. Changing the encryption type/strength improved speeds significantly. This was also over the internet - dedicated server to home, but I could max the connection over HTTP.
0/0
 Reply   Quote More 

 From:  CHYRON (DSMITHHFX)   4 Jul 2016 15:28 
 To:  ANT_THOMAS      10 of 20 
41773.10 In reply to 41773.9 
Quote: 
Literally SSH Filesystem

Ah. Didn't recognize it, I was thinking SS + HFS (for macs). Pretty sure I do use it, to mount the webroot from home (since it doesn't have ftp). Set it up a couple of years ago and forgot/don't think about the network protocol used). Yeah, it is really slow. Good to know you can change that though I doubt I'll ever need to.

driver killed while using autopilot was watching Harry Potter
0/0
 Reply   Quote More 

 From:  Drew (X3N0PH0N)   4 Jul 2016 16:12 
 To:  ANT_THOMAS      11 of 20 
41773.11 In reply to 41773.7 
It's definitely slower (in *theory* at least, I've not actually noticed it being slower and you can choose to specify very weak encryption), yeah. And uses a userspace driver, which is annoying.

I really wish there were a *simple*, *insecure* (I don't care, this is for home use and behind a NAT, I just want it to be fast) file sharing protocol that used a decent driver. Samba's fucking awful, NFS is (ime) flaky and SSHFS is the closest I've found to something that just works and stays working.
 
0/0
 Reply   Quote More 

 From:  Drew (X3N0PH0N)   4 Jul 2016 16:14 
 To:  ANT_THOMAS      12 of 20 
41773.12 In reply to 41773.7 
Although, yeah, thinking about it, once the keys are open and verified, which should be a one-time thing on a mounted FS, then it's just a case of hashing which modern CPUs can do essentially for free. So maybe it's not actually any slower (I've never actually tested and I kinda don't know what I'm taking about).
 
0/0
 Reply   Quote More 

 From:  ANT_THOMAS   4 Jul 2016 16:22 
 To:  Drew (X3N0PH0N)      13 of 20 
41773.13 In reply to 41773.12 
Just checked, the dedicated server is running an Intel Celeron 220 (nearly 9 years old), no wonder it struggles with regular SSH transfers without tweaking the level of encryption.
0/0
 Reply   Quote More 

 From:  Drew (X3N0PH0N)   4 Jul 2016 20:22 
 To:  ANT_THOMAS      14 of 20 
41773.14 In reply to 41773.13 
:D
 
0/0
 Reply   Quote More 

 From:  CHYRON (DSMITHHFX)   6 Jul 2016 13:43 
 To:  Drew (X3N0PH0N)      15 of 20 
41773.15 In reply to 41773.6 
I got this working in nfs. It actually is pretty simple, you just have to add anonuid=,anongid= to the export line
Quote: 
anonuid and anongid These options explicitly set the uid and gid of the anonymous account. This option is primarily useful for PC/NFS clients, where you might want all requests appear to be from one user. As an example, consider the export entry for /home/joe in the example section below, which maps all requests to uid 150 (which is supposedly that of user joe).
Quote: 
/home/joe pc001(rw,all_squash,anonuid=150,anongid=100)
http://manpages.ubuntu.com/manpages/wily/man5/exports.5.html
driver killed while using autopilot was watching Harry Potter
0/0
 Reply   Quote More 

 From:  Drew (X3N0PH0N)   6 Jul 2016 14:09 
 To:  CHYRON (DSMITHHFX)      16 of 20 
41773.16 In reply to 41773.15 
Oh that's very handy, thanks!
 
0/0
 Reply   Quote More 

 From:  ANT_THOMAS   6 Jul 2016 14:13 
 To:  CHYRON (DSMITHHFX)      17 of 20 
41773.17 In reply to 41773.15 
That is handy. Love Linux, hate permissions.
0/0
 Reply   Quote More 

 From:  CHYRON (DSMITHHFX)   6 Jul 2016 14:23 
 To:  ANT_THOMAS      18 of 20 
41773.18 In reply to 41773.17 
permissions I can deal with, selinux drives me insane.
driver killed while using autopilot was watching Harry Potter
0/0
 Reply   Quote More 

 From:  Manthorp   7 Jul 2016 12:19 
 To:  ANT_THOMAS      19 of 20 
41773.19 In reply to 41773.17 
Amen to that.  I expect Apple to treat their users as if they are Luddites with an instinct for self-harm, but Linux is open source and tinkerable, and the assumption should be that people will tinker with it.  Obliging them to type 'Simon says' before any change can be effected is irritating beardy paranoioa.
"We all have flaws, and mine is being wicked."
James Thurber, The Thirteen Clocks 1951
 
+1/1
 Reply   Quote More 

 From:  CHYRON (DSMITHHFX)   7 Jul 2016 13:48 
 To:  Manthorp      20 of 20 
41773.20 In reply to 41773.19 
The general idea is Simon, and only Simon, says...
driver killed while using autopilot was watching Harry Potter
+1/1
 Reply   Quote More 

Reply to All    
 

1–20

Rate my interest:

Adjust text size : Smaller 10 Larger

Beehive Forum 1.5.2 |  FAQ |  Docs |  Support |  Donate! ©2002 - 2024 Project Beehive Forum

Forum Stats