How to Mount NFS Share as Non-Root User Without Using fstab


2 views

When working with NFS shares in Linux environments, you'll frequently encounter permission restrictions. The error message mount: only root can do that is a common pain point for developers trying to mount network shares without root privileges.

The Linux kernel enforces these restrictions because mount operations affect system-wide resources. Your current approach:

mount -o v3 192.168.30.26:/root/backup /usr/backup/

fails because mount operations require CAP_SYS_ADMIN capabilities by default.

Here are three effective approaches:

1. Using sudo with User Mapping

Configure the NFS server with proper user mapping:

# /etc/exports modification
/root/backup 192.168.30.26(rw,sync,insecure,all_squash,anonuid=1000,anongid=1000,no_subtree_check)

Then mount using sudo:

sudo mount -t nfs -o vers=3,uid=$(id -u),gid=$(id -g) 192.168.30.26:/root/backup /usr/backup/

2. Leveraging autofs for Dynamic Mounts

Configure automount:

# /etc/auto.master
/- /etc/auto.nfs --timeout=60

# /etc/auto.nfs
/usr/backup -fstype=nfs,rw,soft,intr,vers=3 192.168.30.26:/root/backup

3. User Namespace Mounting (Experimental)

For newer kernels (4.4+):

unshare -rm --propagation slave bash
mount -t nfs -o vers=3 192.168.30.26:/root/backup /usr/backup/

When using these methods:

  • Always prefer NFSv4 for better security
  • Limit exports to specific IP ranges
  • Consider using kerberos for authentication
  • Regularly audit mounted shares

If you encounter problems:

# Check exports
showmount -e 192.168.30.26

# Verify permissions
namei -l /usr/backup

# Debug mount
mount -v -t nfs -o vers=3 192.168.30.26:/root/backup /mnt/test

When attempting to mount an NFS share as a regular user, you'll encounter the classic Linux permission barrier:

mount -o v3 192.168.30.26:/root/backup /usr/backup/
mount: only root can do that

The fundamental issue lies in how Linux handles filesystem operations. The mount syscall requires CAP_SYS_ADMIN capabilities, which regular users don't possess by default. Your current /etc/exports configuration:

/root/backup 192.168.30.26(rw,sync,insecure,all_squash,no_subtree_check)

contains several important flags that actually make this possible for non-root users.

Here are three approaches to achieve NFS mounting as a regular user:

1. Using user_namespaces (Most Secure)

unshare -rm -- sh -c "mount -o v3 192.168.30.26:/root/backup /usr/backup/ && exec su $USER"

This creates a temporary namespace with elevated privileges just for the mount operation.

2. sudo with NOPASSWD (For Scripting)

echo "$USER ALL=(ALL) NOPASSWD: /bin/mount -o v3 192.168.30.26:/root/backup /usr/backup/" | sudo tee /etc/sudoers.d/nfsmount
sudo mount -o v3 192.168.30.26:/root/backup /usr/backup/

3. Cgroup-based Solution (Systemd Systems)

systemd-run --user --scope -p "Delegate=yes" -- mount -o v3 192.168.30.26:/root/backup /usr/backup/

After successful mount, test with:

mount | grep backup
df -h | grep backup
touch /usr/backup/testfile && echo "Success" || echo "Failed"

If you encounter problems:

  • exportfs -ra to reload NFS exports
  • Check rpcinfo -p 192.168.30.26 for NFS service availability
  • Verify client firewall: sudo ufw allow from 192.168.30.26 to any port nfs