[ale] root_squash on backup server

John Heim john at johnheim.net
Tue Oct 1 17:38:27 EDT 2013


My department got some space on a file server at another department. I 
can access it via an NFS mount. BBut I guess the root_squash option is 
set for the share because all the files I create are owned by 
nobody:root and I can't change the ownership. I want to use this space 
for amanda virtual tapes. Amanda doesn't want to run as user root.

So I'm thinking of asking the other department to turn off root_squash 
(set no_root_squash option for the share). But I don't want to look like 
a dope so I want to make sure I'm right about one thing ... It doesn't 
make my data any less secure, right? Here's my reasoning:

I can create files only as nobody:root anyway. The share is restricted 
by IP to just one machine. But if somebody gets past that (by spoofing 
the IP address or whatever) and mounts the share, they'd have the same 
access as I do when I'm using the share legitimately. That is true 
regardless of whether the root_squash or no_root_squash option is set.

If there were other users besides root creating files on the share it 
would be different. You don't want  john getting access to mary's files 
by just becoming root on his own machine. John could plug his laptop 
into the network, su to root, mount mary's home directory, and read her 
files. The root_squash option prevents that but it doesn't apply in the 
case of a backup server, right? If somebody gets past the IP 
restriction, they'd ahve the same access regardless of whether  whether 
root is squashed. (I think.)



I think I'm going to have to figure out how to encrypt  data written to 
a amanda virtual tape. But that's a question for the amanda list.



More information about the Ale mailing list