NFS Share with root for anonuid / anongid
Solution 1:
If you want any user on 10.0.5.10 to appear as root you want to do this:
/STORAGE 10.0.5.10(rw,sync,no_subtree_check,all_squash,anonuid=0,anongid=0)
all_squash tells NFS that for any user connecting from 10.0.5.10, ignore their actual UID/GID and instead treat them as if UID=anonuid and GID=anongid. Since you set anonuid=0,anongid=0, that gives all users on 10.0.5.10 root access privileges on /STORAGE, effectively bypassing all security on /STORAGE and leaving it wide open to abuse from anyone appearing to come from the 10.0.5.10 IP address.
FWIW, this is a terrible idea from a security point of view.
If you can use NFSv4 on the server, you can enable UID/GID mapping and add a static map to /etc/idmapd.conf on the server, telling it that a specific user on 10.0.5.10 should be given root access on the NFSv4 server. See man idmapd.conf for details on setting up the config file. Once the config file is set up on the NFSv4 server, update your export:
/STORAGE 10.0.5.10(rw,sync,no_subtree_check,no_root_squash)
Then you just want to enable mapping, clear the idmap cache, and restart the map service:
echo N > /sys/module/nfs/parameters/nfs4_disable_idmapping
nfsidmap -c
service rpcidmapd restart
If you do that, you're only giving one user root access, not all users.
Solution 2:
First of all, you should upgrade to NFS4, as things behave slightly differently on each version.
Instead of no_root_squash you will need to use root_squash or all_squash - this is the only relevant parameter regarding this question.
all_squash makes any client connected to that share use the ID given in the anonuid/anongid parameters.
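
Added example, not part of either answer: a small audit of /etc/exports-style text that flags every client entry ending up with UID 0 on the server, covering the all_squash/anonuid=0 export and the no_root_squash export discussed above. The sample text, the function names and the /srv paths are constructed for illustration; quoted paths and line continuations are assumed not to occur.

```python
import re

# Constructed sample in /etc/exports syntax. The first two lines are the
# exports quoted in Solution 1; the /srv lines are made up for contrast.
SAMPLE_EXPORTS = """\
/STORAGE 10.0.5.10(rw,sync,no_subtree_check,all_squash,anonuid=0,anongid=0)
/STORAGE 10.0.5.10(rw,sync,no_subtree_check,no_root_squash)
/srv/pub *(ro,sync,all_squash,anonuid=65534,anongid=65534)  # squashed to nobody
/srv/data 10.0.5.0/24(rw,sync,root_squash) 10.0.5.10(rw,no_root_squash)
"""

CLIENT_SPEC = re.compile(r"([^\s()]*)\(([^)]*)\)")  # client(opt,opt=val,...)


def parse_options(optstr):
    """Turn 'rw,anonuid=0' into {'rw': None, 'anonuid': '0'}."""
    opts = {}
    for item in filter(None, (o.strip() for o in optstr.split(","))):
        key, _, value = item.partition("=")
        opts[key] = value if "=" in item else None
    return opts


def audit_exports(text):
    """Return (path, client, reason) for each client spec that yields UID 0."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)  # drop comments, split path
        if len(fields) < 2:
            continue  # blank line, comment, or path without a client spec
        path = fields[0]
        for client, optstr in CLIENT_SPEC.findall(fields[1]):
            opts = parse_options(optstr)
            client = client or "*"  # a bare "(opts)" applies to every host
            anon_root = opts.get("anonuid") == "0"
            if "all_squash" in opts and anon_root:
                reason = "all_squash+anonuid=0: every remote user is mapped to root"
            elif "no_root_squash" in opts:
                reason = "no_root_squash: remote UID 0 stays root"
            elif anon_root:
                reason = "anonuid=0: squashed remote root is mapped back to root"
            else:
                continue
            findings.append((path, client, reason))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {reason}")
```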