Previously we covered how to provide NFS shares to specific clients. Here we expand on this and cover how an NFS share can be shared with the members of a group for collaboration purposes.
This will be done primarily with the use of set group ID (Set GID), as using this results in all files and directories created within the group share being automatically set with the same group owner as the share itself.
Here is a list of the servers that we will be testing with; both are running CentOS 7.
- NFS Client: 192.168.0.100 – This Linux client will mount a directory from the NFS server.
- NFS Server: 192.168.0.200 – This Linux server will serve a directory over NFS.
NFS Server Configuration
Let’s start by configuring an NFS share on the NFS server.
yum install nfs-utils -y
The nfs-utils package should also be installed on the client machine, as it is required in order to mount an NFS share.
Once installed, we can enable the required NFS service to start automatically on boot. We'll also start the service now, as it's not running by default after installation.
systemctl enable nfs
systemctl start nfs
For further information on basic service management with systemctl, see our guide here.
Next the firewall must be configured to allow NFS traffic through; this can be done with firewalld as shown. This change will allow TCP port 2049 NFS traffic into the server from any source. The firewall configuration must also be reloaded, as we have put a permanent rule in place which will not apply to the running configuration.
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
We'll also create the directory on the NFS server that we are going to share over NFS. In this example it's going to be /root/nfs, however this can be elsewhere.
The NFS server mount points are configured with the /etc/exports file, this file lists the directories that are available to be accessed over NFS. Alternatively configuration files can also be created within the /etc/exports.d/ directory as long as they have the .exports extension.
Below is an example NFS configuration within the /etc/exports file.
[[email protected] ~]# cat /etc/exports
/root/nfs 192.168.0.100(rw,async)
After any changes to the /etc/exports file we need to use the exportfs command to update the table of exported NFS file systems.
The -a flag will export all directories, the -r flag will reexport all directories and remove any old entries, while the -v flag provides verbosity and will output all of the NFS exports.
Configure NFS Share With SetGID
Now that we have the NFS server configured with the basic NFS mount point of /root/nfs, we need to configure SetGID on this directory as shown below.
chmod 2770 /root/nfs
This has also set permissions 770 on the directory, so the root user and the directory's group will have full permissions, and all other users have none. The leading 2 enables setgid.
Next we create a group called ‘testing’ and change the /root/nfs directory so that the group owner is this ‘testing’ group. We also manually specify the GID that will be used for the group as 9999, this needs to be a number that is free on both your client and server – I have run the groupadd on both client and server, and created a test user within this group.
groupadd -g 9999 testing
chgrp testing /root/nfs
We can confirm that setgid is in place, as shown below, where the execute bit in the group permissions is shown as a lower case s. This will change to an upper case S if the group does not have the execute permission and only setgid is in place.
[[email protected] ~]# ls -la
drwxrws---. 2 root testing 29 Aug 30 00:25 nfs
Now any files or directories that are created within /root/nfs will be automatically given the ‘testing’ group owner, essentially allowing group collaboration as any user within the ‘testing’ group will now be able to access files created by other users within the same group in the /root/nfs directory.
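The following is an added example, not part of the original article: it recreates the 2770 setgid directory in a throwaway location and shows that while the group owner is inherited, the creating user's umask still decides whether other group members can write to a new file. The function names and the temporary directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original article): setgid fixes the group owner,
# while the creating process's umask decides what that group may do.

# make_share: create a throwaway directory with the article's 2770 mode.
make_share() {
  d=$(mktemp -d) && chmod 2770 "$d" && printf '%s\n' "$d"
}

# new_file_mode DIR UMASK: octal mode of a file created in DIR under UMASK.
new_file_mode() {
  ( umask "$2"; : > "$1/file-$2"; stat -c '%a' "$1/file-$2" )
}

# new_dir_mode DIR UMASK: octal mode of a subdirectory created in DIR.
new_dir_mode() {
  ( umask "$2"; mkdir "$1/dir-$2"; stat -c '%a' "$1/dir-$2" )
}

# group_inherited DIR PATH: succeeds when PATH has the same GID as DIR.
group_inherited() {
  [ "$(stat -c '%g' "$1")" = "$(stat -c '%g' "$2")" ]
}

share=$(make_share)
for mask in 022 002; do
  echo "umask $mask: file=$(new_file_mode "$share" "$mask")" \
       "dir=$(new_dir_mode "$share" "$mask")"
done
group_inherited "$share" "$share/file-022" && echo "group inherited"
[ -g "$share/dir-002" ] && echo "subdirectory is setgid too"
rm -rf "$share"
```

With umask 022 a new file is group-readable only, so users who need to edit each other's files in the share need a umask such as 002.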
Testing NFS Share Groups
Now that the NFS mount point is ready, from the client we mount the NFS share as the root user.
[[email protected] ~]# mount -t nfs 192.168.0.200:/root/nfs /mnt
Now if any user accesses the /mnt directory and creates a file or directory, it will be owned by the ‘testing’ group.
[[email protected] mnt]# touch setgid-test
[[email protected] nfs]# ls -la
-rw-r--r--. 1 root testing 0 Jan 16 23:09 setgid-test
By default the ‘sec’ option for an NFS mount is ‘sys’, meaning the UID/GID numbers are mapped from the client to the NFS server. Therefore the ‘testing’ group should be created with the same group ID on both client and server for the group to be passed correctly. Alternatively if you’re using an external directory such as IPA, setting the sec method to krb5 for instance will make use of UID/GID values provided by Kerberos rather than locally.
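Because sec=sys passes only numeric IDs, a group name that maps to different GIDs on each host, or a GID that belongs to a different group on the client, changes who can reach the share. The check below is an added example, not part of the original article; the function name and both sample group files are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original article): compare group databases from
# an NFS server and a client. Under sec=sys the server only sees numeric GIDs.

# Constructed sample data in /etc/group format (name:password:GID:members).
SERVER_GROUP='root:x:0:
testing:x:9999:alice,bob
backup:x:1500:'
CLIENT_GROUP='root:x:0:
testing:x:9998:alice
interns:x:9999:mallory
backup:x:1500:'

# gid_mismatches SERVER_TEXT CLIENT_TEXT
# Prints one line per finding:
#   NAME_MISMATCH <group> server=<gid> client=<gid>   same name, different GID
#   GID_COLLISION <gid> server=<group> client=<group> same GID, different name
gid_mismatches() {
  { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } | awk -F: '
    $0 == "---" { client = 1; next }      # separator between the two inputs
    !client { sgid[$1] = $3; sname[$3] = $1; next }
    ($1 in sgid) && sgid[$1] != $3 {
      printf "NAME_MISMATCH %s server=%s client=%s\n", $1, sgid[$1], $3
    }
    ($3 in sname) && sname[$3] != $1 {
      printf "GID_COLLISION %s server=%s client=%s\n", $3, sname[$3], $1
    }
  '
}

gid_mismatches "$SERVER_GROUP" "$CLIENT_GROUP"
```

In the sample, client members of 'testing' (GID 9998) would not match the share's group, while members of the unrelated client group 'interns' (GID 9999) would. On real hosts the two inputs can be the output of `getent group` collected on each machine.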
By making use of SetGID on our directory that has been exported with NFS, we have been able to provide an NFS share that can be accessed by multiple users within the same group. The share is perfect for group collaboration as any files or directories that are created by a user within the group defined on the NFS share will automatically be owned by the same group, allowing other users within that group to access these contents as well.
The important steps that have been done here were changing the group ownership of the directory that acts as our share to the group that we want to share the contents with, and setting setgid on that same directory.
This post is part of our Red Hat Certified Engineer (RHCE) exam study guide series. For more RHCE related posts and information check out our full RHCE study guide.