How can I get read/write access to NFS share of Synology NAS?
NFSv2/3 handles permissions solely based on UID and GID. File permissions on the server are matched against user and group IDs on the client. That is why NFSv<4 is by design insecure in environments where users have root access to the client machines; UID spoofing is trivial in that case.
Note that NFSv4 offers client and user authentication via Kerberos5. If authentication with username and password is needed, it is, however, often much easier to resort to Samba (SMB/CIFS) instead of setting up Kerberos, even in pure Linux environments.
To at least prevent escalation of root privileges, NFS shares are exported by default with the option root_squash, which will map all client requests coming from root (uid=0, gid=0) to anonuid and anongid. This behavior can be overridden with no_root_squash, granting root access to the export.
Here, we see another drawback. To function properly, NFS basically requires you to have the same UID/GID on all machines. The files you want to access belong to 1026 and have permissions 755. Your user on the client has uid=1000. The GIDs don't match either, so you get world permissions only. Hence no write access.
To resolve this, you could do one of multiple things:
- On the NAS, change the owner of the files to 1000. You would maybe need to create that particular account. How this will affect other services, I cannot tell.
- Change the UID of your local user to 1026.
- Since you are the only one accessing the files on the server, you can make the server pretend that all requests come from the proper UID. For that, NFS has the option all_squash. It tells the server to map all requests to the anonymous user, specified by anonuid, anongid.
  Add the options all_squash,anonuid=1026,anongid=100 to the export in /etc/exports.
Be cautious though, since this will make anyone mounting the export effectively the owner of those files!
If you share your network with people and their clients whom you do not trust completely not to make mischief with your files, you really should look into a method of filesharing that offers authentication. In my opinion, Samba is the easiest way to achieve that.
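The ID mapping described in this answer, as an added example that is not part of the original answer: a simplified Python model of how an NFSv3 server picks the effective UID/GID from the export options and then applies the mode bits. The function names, the file group 100 and the client GID 1000 are assumptions; supplementary groups and the rw/ro flag are ignored.

```python
import stat

# exports(5) defaults: root is squashed, anonymous IDs are 65534.
DEFAULTS = {"root_squash": True, "all_squash": False,
            "anonuid": 65534, "anongid": 65534}

def parse_export_options(opts):
    """Parse an /etc/exports option string, e.g. 'rw,all_squash,anonuid=1026'."""
    parsed = dict(DEFAULTS)
    for opt in (o.strip() for o in opts.split(",")):
        if opt in ("root_squash", "all_squash"):
            parsed[opt] = True
        elif opt in ("no_root_squash", "no_all_squash"):
            parsed[opt[3:]] = False
        elif opt.startswith(("anonuid=", "anongid=")):
            key, value = opt.split("=", 1)
            parsed[key] = int(value)
    return parsed

def effective_ids(client_uid, client_gid, opts):
    """IDs the server acts as; the client-supplied values are otherwise trusted."""
    o = parse_export_options(opts)
    if o["all_squash"]:
        return o["anonuid"], o["anongid"]
    if o["root_squash"]:
        uid = o["anonuid"] if client_uid == 0 else client_uid
        gid = o["anongid"] if client_gid == 0 else client_gid
        return uid, gid
    return client_uid, client_gid

def can_write(client_uid, client_gid, opts, owner, group, mode):
    """Apply owner/group/other write bits to the mapped IDs."""
    uid, gid = effective_ids(client_uid, client_gid, opts)
    if uid == 0:                      # only reachable with no_root_squash
        return True
    if uid == owner:
        return bool(mode & stat.S_IWUSR)
    if gid == group:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

if __name__ == "__main__":
    SQUASHED = "rw,all_squash,anonuid=1026,anongid=100"
    # Files from the question: owner 1026, mode 755; group 100 is assumed.
    print(can_write(1000, 1000, "rw", 1026, 100, 0o755))        # uid mismatch
    print(can_write(1000, 1000, SQUASHED, 1026, 100, 0o755))    # mapped to owner
    print(can_write(4242, 4242, SQUASHED, 1026, 100, 0o755))    # any client UID
```

The last call illustrates the caution above: with all_squash, every client UID is mapped to the file owner, so access control reduces to who is allowed to mount the export.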