NFS4 Idmap Question


HTTPD on some of my CentOS5 systems is configured to run as user “nobody”. Also, it needs access to some exported file systems. CentOS5 uses NFS3 so I changed the ownership of the files on the storage server to “nobody” to give httpd full permissions.

Now I want to rebuild these systems with CentOS6 and httpd running as user “apache”. The problem is how to give access to the NFS exports to these new servers while the old ones are still using the same exports.

CentOS6 uses NFS4 so I was thinking to use idmap and statically map user “nobody” to local user “apache”, but I can’t seem to get it working.

I wonder if it is even possible, considering that user “nobody” is a system type user?

Any better ideas what I can do to give user nobody on CentOS5 and user apache on CentOS6 full access to the same NFS exported directories locally owned by user nobody?

Thank you,

— Peter

3 thoughts on - NFS4 Idmap Question

  • Peter Wood wrote:

    Sure: make it group apache, and group readable (and writeable, where necessary).

    Oh, and make sure you setsebool httpd_use_nfs=on, to shut up SELinux.

    mark

  • Thanks for the tip about setsebool.

    I was hoping to avoid using the group for sharing files in this particular case, but it seems that there is no other way.

    To make this work I have to change the default httpd umask to 0002 (default 0022) on the old and the new servers.

    Also we have some processes that use sudo to create files in the NFS shared directories that need to be writable by httpd, so I have to enforce a sudo umask of 0002 (the default is the union of the user’s umask and the sudo umask of 0022). And this change will affect all sudo commands, not just the ones that save files in the shared NFS directories.

    — Peter
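The umask arithmetic behind the group-sharing approach in the two replies above, as an added example that is not part of the thread: a new file's mode is 0666 masked by the process umask, and sudo by default applies the union (bitwise OR) of the caller's umask and the sudoers umask, so a 0002 umask on the caller alone is not enough. The directory path and group passed to `prepare_shared_dir` are the caller's choice (in the thread's case the NFS export and group "apache"); `umask_override` is the sudoers option that makes sudo use the sudoers umask by itself.

```shell
#!/bin/sh
# Added example (not from the thread): permission arithmetic for the
# "make it group apache, group writable" approach, checked on a scratch dir.

# Mode of a newly created regular file under a given umask (octal in/out).
file_mode_under_umask() {
    printf '%04o\n' $(( 0666 & ~0$1 ))
}

# Umask sudo applies by default: the union (bitwise OR) of the invoking
# user's umask and the sudoers umask (0022 unless "Defaults umask=..." is
# set). Only "Defaults umask_override" makes sudo use the sudoers value alone.
sudo_effective_umask() {
    printf '%04o\n' $(( 0$1 | 0$2 ))
}

# Prints 1 if the octal mode carries the group-write bit, else 0.
group_writable() {
    if [ $(( 0$1 & 0020 )) -ne 0 ]; then echo 1; else echo 0; fi
}

# Prepare a shared directory: group-owned, group-writable and setgid, so
# files created inside inherit the directory's group instead of the
# creator's primary group. Path and group are the caller's (hypothetical).
prepare_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir" && chgrp "$group" "$dir" && chmod 2775 "$dir"
}

# Create an empty file under the given umask and report its ls-style mode
# string, e.g. "-rw-rw-r--" for umask 0002, "-rw-r--r--" for umask 0022.
create_with_umask() {
    ( umask "$1"; : > "$2" ) && ls -l "$2" | cut -c1-10
}
```

With the defaults Peter describes, `sudo_effective_umask 0002 0022` still yields 0022, which is why the sudoers umask has to be lowered as well.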