Permissions error

  • Hey there, trying to make a simple NFS share that I can access over the local intranet but I keep getting permission errors, everything is root. Hopefully I've given enough information below, but if you need any more just ask - would appreciate any help. Many thanks.

    export folder permissions
    root@openmediavault:/export/data# ls -la
    total 4
    drwxrwsr-x 1 root users 0 May 13 14:59 .
    drwxr-xr-x 3 root root 4096 May 13 14:27 ..


    /etc/exports file
    # This file is auto-generated by openmediavault (https://www.openmediavault.org)
    # WARNING: Do not edit this file, your changes will get lost.
    # /etc/exports: the access control list for filesystems which may be exported
    # to NFS clients. See exports(5).
    /export/data 192.168.0.0/24(fsid=3e3f2218-deed-411a-b43e-4ed503a61c8a,rw,subtree_check,insecure,root_squash)
    # NFSv4 - pseudo filesystem root
    /export 192.168.0.0/24(ro,fsid=0,root_squash,no_subtree_check,hide)


    Client command
    mount -t nfs 192.168.0.88:/export/data/ /mnt/data/


    Also tried using the -o rw option as well as mounting to a /tmp directory (not that it'd make a difference) with the same results

    root@DietPi:/mnt/data# ls -la
    total 4
    drwxrwsr-x 1 root users 0 May 13 14:59 .
    drwxr-xr-x 7 root root 4096 May 13 15:26 ..
    root@DietPi:/mnt/data# touch test
    touch: cannot touch 'test': Permission denied




    I also tried specifying the client IP 192.168.0.233 manually, as well as adding root_squash on to the options, same result.

    • Official post

    Doing things as root with root_squash is your problem. Your data directory is owned by users. The remote system will need a user in a group with the same ID as users group on the nfs system.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.4 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!
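To make the cause in the answer above concrete, here is an added POSIX shell check (not from this thread or from OMV) that models what the server does with the client's identity under root_squash / no_root_squash / all_squash and then applies the directory's mode bits. It assumes the squashed identity defaults to 65534/65534 (nobody) unless anonuid/anongid are set, and it considers only one client group id, ignoring supplementary groups.

```shell
#!/bin/sh
# Added example: predict whether an NFS client identity can create files in an
# exported directory, from the export options and the owner, group and mode
# shown by ls -l. Assumptions: squashed identity defaults to 65534/65534 unless
# anonuid/anongid are given; only a single client group id is considered.

# squash_identity EXPORT_OPTS UID GID  -> prints "uid gid" as the server sees them
squash_identity() {
  opts=$1; uid=$2; gid=$3
  anonuid=65534; anongid=65534
  case ",$opts," in *,anonuid=*) anonuid=$(printf '%s' "$opts" | sed -n 's/.*anonuid=\([0-9]*\).*/\1/p');; esac
  case ",$opts," in *,anongid=*) anongid=$(printf '%s' "$opts" | sed -n 's/.*anongid=\([0-9]*\).*/\1/p');; esac
  case ",$opts," in
    *,all_squash,*)     uid=$anonuid; gid=$anongid ;;   # every client user becomes anonymous
    *,no_root_squash,*) ;;                              # client root stays uid 0 on the server
    *) if [ "$uid" -eq 0 ]; then uid=$anonuid; gid=$anongid; fi ;;  # root_squash is the default
  esac
  printf '%s %s\n' "$uid" "$gid"
}

# can_write LS_MODE DIR_UID DIR_GID EFF_UID EFF_GID  -> exit 0 if creating a file would succeed
can_write() {
  mode=$1; duid=$2; dgid=$3; uid=$4; gid=$5
  if [ "$uid" -eq 0 ]; then return 0; fi                                  # unsquashed root bypasses mode bits
  if [ "$uid" -eq "$duid" ]; then bit=$(printf '%s' "$mode" | cut -c3)    # owner write bit
  elif [ "$gid" -eq "$dgid" ]; then bit=$(printf '%s' "$mode" | cut -c6)  # group write bit
  else bit=$(printf '%s' "$mode" | cut -c9); fi                           # other write bit
  [ "$bit" = w ]
}

# The thread's setup: rw,root_squash export, directory root:users drwxrwsr-x,
# client running as root even after root was added to group users (gid 100).
thread_scenario() {
  set -- $(squash_identity "rw,subtree_check,insecure,root_squash" 0 100)
  can_write drwxrwsr-x 0 100 "$1" "$2"
}

# What the answer recommends: a non-root client user whose group id matches users (100).
fixed_scenario() {
  set -- $(squash_identity "rw,subtree_check,insecure,root_squash" 1000 100)
  can_write drwxrwsr-x 0 100 "$1" "$2"
}

if thread_scenario; then echo "root over root_squash: write allowed"; else echo "root over root_squash: Permission denied"; fi
if fixed_scenario; then echo "uid 1000 in group 100: write allowed"; else echo "uid 1000 in group 100: Permission denied"; fi
```

Adding root to group users on the client changes nothing because the server never sees uid 0 or its groups once root_squash maps it to nobody; only an unsquashed uid/gid that matches the directory's owner or group bits gets write access.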

  • > Doing things as root with root_squash is your problem

    I haven't added root_squash to the tags, but I've noticed it's on the auto-generated # NFSv4 - pseudo filesystem root - is that where the issue is?

    > The remote system will need a user in a group with the same ID as users group on the nfs system.
    Sure, so I'd presume it'd be okay to add the root user to the group with the same ID?

  • Okay, I've added root to the users group on the remote system, that still didn't fix the issue

    root@DietPi:/mnt# getent group | grep users
    users:x:100:
    root@DietPi:/mnt# sudo usermod -a -G users root
    root@DietPi:/mnt# mount -t nfs 192.168.0.88:/export/data/ /mnt/data/
    root@DietPi:/mnt# cd data
    root@DietPi:/mnt/data# ls -la
    total 4
    drwxrwsr-x 1 root users 0 May 13 14:59 .
    drwxr-xr-x 7 root root 4096 May 13 15:29 ..
    root@DietPi:/mnt/data# touch test
    touch: cannot touch 'test': Permission denied

    • Official post

    > /export/data 192.168.0.0/24(fsid=3e3f2218-deed-411a-b43e-4ed503a61c8a,rw,subtree_check,insecure,root_squash)
    > is that where the issue is?

    No. It is in the export/nfs share too.

    > Sure, so I'd presume it'd be okay to add the root user to the group with the same ID?

    No. Why are you using root? root is technically a member of every group already.


  • > No. It is in the export/nfs share too.
    I removed that part and it still gave me the exact same problem.


    > No. Why are you using root? root is technically a member of every group already.
    I've just got the root account set up at the moment.

  • > , as well as adding root_squash on to the options, same result.

    I don't think it's because of the root_squash, because I didn't have that by default and it was causing the same issue. I only added it because I thought that might make a difference but it didn't

    • Official post

    > Another update: Turns out this is highly vulnerable to priv esc, so maybe not. I'll do some more research into changing from the root user.

    This is not privilege escalation. Yes, users could delete or change more files but it is not as bad as you think. Since you really shouldn't be using root, permissions shouldn't be set to nobody.


    • Official post

    > Yes it is. You can abuse SUID permissions.

    I didn't say it wasn't possible. It is only escalation to change files on the nfs share. You wouldn't actually be hacking the OMV box itself. On an internal network, I see it being very little risk. The attacker would have to have access to the client as well. Lots of things aren't secure when an attacker has access to a client. And since many samba users leave perms at world writable/executable, I don't think this is any different.


    Edited once, last by ryecoaaron ()
