When sharing directories between Linux servers via NFS, you might encounter permission issues similar to what we typically solve in Samba using the force user, create mask, and directory mask parameters. The core problem arises when:
- Files created on the NFS mount have incorrect ownership
- Apache or other services can't access the files
- Collaborative editing becomes problematic due to restrictive permissions
Unlike Samba, NFS doesn't have direct equivalents to Samba's permission-forcing parameters. However, we can achieve similar results through these NFS-specific methods:
On your NFS server (fileserver in your case), modify your /etc/exports file with these options:
/data/www-data 192.168.1.100(rw,sync,no_subtree_check,all_squash,anonuid=33,anongid=33)
Key parameters:
- all_squash: Maps all client users to anonymous
- anonuid/anongid: Specifies the UID/GID to use (33 is typically www-data)
On your client server (apache), ensure proper mount options in /etc/fstab:
fileserver:/data/www-data /var/www nfs rw,hard,intr,noexec,nosuid,nodev 0 0
For more granular control, consider these approaches:
1. Using setfacl for Advanced Permissions
# Set default ACLs on the shared directory
setfacl -Rdm g:www-data:rwx /data/www-data
setfacl -Rm g:www-data:rwx /data/www-data
2. Filesystem Change Monitoring with inotify
Create a script to watch for new files and adjust permissions:
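#!/bin/bash
# Watch for files created in or moved into /var/www and normalize ownership and mode.
# inotify only reports changes made through this host's mount, not writes made
# directly on the NFS server or by other clients.
inotifywait -m -r -e create -e moved_to /var/www | while read -r path action file; do
    chown www-data:www-data "$path$file"
    chmod 664 "$path$file"
done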
If NFS proves too inflexible, consider this workaround:
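# On the client server
mkdir /var/www-tmp
mount --bind /var/www /var/www-tmp
# uid=/gid= are filesystem-specific mount options (vfat, ntfs and similar);
# check that this remount is accepted for an NFS-backed bind mount on your kernel.
mount -o remount,uid=33,gid=33 /var/www-tmp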
While NFS doesn't offer direct equivalents to Samba's permission controls, combining server-side exports configuration with client-side solutions can achieve similar results. The best approach depends on your specific security requirements and workflow needs.
When working with NFS shares between Linux servers, you might encounter permission issues that don't exist with Samba. Specifically, files created via NFS mounts often inherit the client's user/group permissions rather than adopting the server's desired permissions.
In Samba, we can easily control permissions using:
[share]
path = /data/www-data
force user = www-data
force group = www-data
create mask = 0664
directory mask = 0775
NFS lacks these direct controls, but we can achieve similar results through alternative methods.
On your NFS server (fileserver in your case), modify /etc/exports to include these options:
/data/www-data apache(rw,sync,all_squash,anonuid=33,anongid=33)
Where:
- all_squash: Maps all users to anonymous
- anonuid/anongid: Sets the UID/GID for anonymous users (33 is typically www-data)
On your client (apache server), ensure your mount includes these options in /etc/fstab:
fileserver:/data/www-data /var/www nfs rw,hard,intr,noexec,nosuid,nodev 0 0
For more granular control, consider using filesystem ACLs:
# Set default ACLs for new files
setfacl -Rdm u:www-data:rwx,g:www-data:rwx,o:rx /data/www-data
# Apply to existing files
setfacl -Rm u:www-data:rwx,g:www-data:rwx,o:rx /data/www-data
Create a simple cron job to periodically fix permissions:
#!/bin/bash
find /var/www -type d -exec chmod 775 {} \;
find /var/www -type f -exec chmod 664 {} \;
chown -R www-data:www-data /var/www
After making changes, test with:
# On server
exportfs -rav
# On client
mount -o remount /var/www
touch /var/www/testfile
ls -la /var/www/testfile
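As an added example (not part of the original page), the following script lints exports(5) entries for the squash settings described above, so a missing all_squash or a mismatched anonuid/anongid is caught before exportfs -rav is run. The function names and the default UID/GID of 33 are assumptions, and the sample entries are constructed.

```shell
#!/bin/bash
# Added example (not from the original page): lint exports(5) entries for the
# squash settings above. Default UID/GID 33 is an assumption (www-data on Debian).

# check_export_line LINE [UID] [GID]: print findings, return 1 if any.
check_export_line() {
    local line="${1%%#*}" uid="${2:-33}" gid="${3:-33}" rc=0 path spec client opts
    set -f; set -- $line; set +f        # split on whitespace, keep '*' literal
    [ $# -ge 2 ] || return 0            # blank, comment, or path with no clients
    path="$1"; shift
    for spec in "$@"; do
        case "$spec" in
            *\(*\)) client="${spec%%\(*}"; opts="${spec#*\(}"; opts="${opts%\)}" ;;
            *)      client="$spec"; opts="" ;;
        esac
        # exports(5): "host (opts)" with a space applies opts to every host.
        [ -n "$client" ] || { echo "$path: options not attached to a client"; rc=1; }
        case ",$opts," in *,all_squash,*) ;;
            *) echo "$path ${client:-*}: all_squash missing"; rc=1 ;; esac
        case ",$opts," in *,anonuid="$uid",*) ;;
            *) echo "$path ${client:-*}: anonuid is not $uid"; rc=1 ;; esac
        case ",$opts," in *,anongid="$gid",*) ;;
            *) echo "$path ${client:-*}: anongid is not $gid"; rc=1 ;; esac
    done
    return $rc
}

# lint_exports [UID] [GID]: check every line of exports(5) text on stdin.
lint_exports() {
    local rc=0 l
    while IFS= read -r l; do
        check_export_line "$l" "$@" || rc=1
    done
    return $rc
}

# Constructed sample input: line 1 is the export from this page, the rest are
# deliberately broken variants.
lint_exports 33 33 <<'EOF' || true
/data/www-data 192.168.1.100(rw,sync,no_subtree_check,all_squash,anonuid=33,anongid=33)
/data/uploads  192.168.1.100(rw,sync,root_squash)
/data/shared   192.168.1.100 (rw,all_squash,anonuid=33,anongid=33)
EOF
```

On a real server, feed it the live file with lint_exports 33 33 < /etc/exports; continuation lines ending in a backslash are not joined by this sketch.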