How do you allow a specific user permission to write to an NFS partition?
I've mounted an NFS share on my localhost (a Fedora install), and I can read and write as root, but I'm unable to write as the apache user, even though all the files and directories in the share on my localhost and remote host are owned by apache.
For example, I've mounted it via this line in my /etc/fstab:
remotehost:/data/media /data/media nfs _netdev,soft,intr,rw,bg 0 0
And both locations are owned by apache:
[root@remotehost ~]# ls -la /data
total 24
drwxr-xr-x. 6 root root 4096 Jan 6 2011 .
dr-xr-xr-x. 28 root root 4096 Oct 31 2011 ..
drwxr-xr-x 4 apache apache 4096 Jan 14 2011 media
[root@localhost ~]# ls -la /data
total 16
drwxr-xr-x 4 apache apache 4096 Dec 7 2011 .
dr-xr-xr-x. 27 root root 4096 Jun 11 15:51 ..
drwxrwxrwx 5 apache apache 4096 Jan 31 2011 media
However, when I try and write as the apache user, I get a "Permission denied" error.
[root@localhost ~]# sudo -u apache touch /data/media/test.txt
touch: cannot touch `/data/media/test.txt': Permission denied
But of course it works fine as root. What am I doing wrong?
NFS authorizes operations based on the user ID, not the username. To be able to write to /data/media on the NFS client you need to ensure that apache on localhost and apache on remotehost have the same numeric user IDs. The file listings in the post do not confirm that.
Indeed, the localhost listing says that the mountpoint /data/media is owned by apache@localhost. The remote listing shows that the shared resource /data/media is owned by apache@remotehost. If the numeric user IDs of apache@localhost and apache@remotehost differ, the directory would not be writable.
You can use the command ls -lna to check numerical user IDs.
This is just a guess. There is nothing in the OP that specifically confirms that there is a disagreement in user IDs.
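The UID comparison that answer describes, as an added example (not code from the original post): the passwd excerpts for localhost and remotehost are constructed sample data standing in for each host's /etc/passwd, and the uid_check function is a hypothetical helper that reports whether a given account resolves to the same number on both sides.

```shell
#!/bin/sh
# Added example (not from the original post): NFS with AUTH_SYS compares numeric
# UIDs, so "apache" must map to the same number on client and server.
# Constructed passwd excerpts stand in for /etc/passwd on each host.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin'
REMOTE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:1001:1001:Apache:/var/www:/sbin/nologin'

# uid_of <passwd-content> <user>: print the numeric UID, or nothing if unknown
uid_of() {
  printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $3; exit }'
}

# uid_check <user> <local-passwd> <remote-passwd>
# Prints one line: "MATCH <user> <uid>", "MISMATCH <user> <local> <remote>" or
# "MISSING <user> local=<uid> remote=<uid>". Returns 0 only on MATCH.
uid_check() {
  l=$(uid_of "$2" "$1")
  r=$(uid_of "$3" "$1")
  if [ -z "$l" ] || [ -z "$r" ]; then
    echo "MISSING $1 local=$l remote=$r"; return 1
  fi
  if [ "$l" = "$r" ]; then
    echo "MATCH $1 $l"; return 0
  fi
  echo "MISMATCH $1 $l $r"; return 1
}

# Walk every account that exists locally; a MISMATCH explains "Permission denied"
# for that user even when ls shows the same owner name on both hosts.
for user in $(printf '%s\n' "$LOCAL_PASSWD" | cut -d: -f1); do
  uid_check "$user" "$LOCAL_PASSWD" "$REMOTE_PASSWD" || true
done
# On real hosts the same comparison is:  id -u apache ; ssh remotehost id -u apache
```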
Is the export writeable (check /etc/exports on the server)? As you'll find in exports(5):
(Probably not relevant, but I don't know much about the existing SELinux policies.) Are you using SELinux on the server? You can check with getenforce; you might want to try again after setenforce 0 (undo with setenforce 1).
idmap service on both hosts.