Otdfbt

What does a yield inside a yield do?

Is one octave above tonic also considered as tonic?

FindInstance and cosine system of equations

Theorem won't go to multiple lines and is causing text to run off the page

If prion is a protein. Why is it not disassembled by the digestive system?

How to reply this mail from potential PhD professor?

SQL Server Management Studio SSMS 18.0 General Availability release (GA) install fails

Why is C# in the D Major Scale?

Unknowingly ran an infinite loop in terminal

Why do money exchangers give different rates to different bills?

Is induction neccessary for proving that every injective mapping of a finite set into itself is a mapping onto itself?

In Endgame, why were these characters still around?

What is the unit of the area when geometry attributes are calculated in QGIS?

What was the state of the German rail system in 1944?

What is a "listed natural gas appliance"?

Enumerate Derangements

Is Cola "probably the best-known" Latin word in the world? If not, which might it be?

A non-technological, repeating, phenomenon in the sky, holding its position in the sky for hours

Pressure inside an infinite ocean?

Should I replace my bicycle tires if they have not been inflated in multiple years

What are the differences between credential stuffing and password spraying?

Moving the subject of the sentence into a dangling participle

LightGBM results differently depending on the order of the data

Point of the the Dothraki's attack in GoT S8E3?

Grant users 'read only' access to NFS share without affecting current permissions

Need help with file permissions on Ubuntu so that NFS clients can read/write?What permissions should my website files/folders have on a Linux webserver?Ubuntu NFS Client connecting to Windows 2008 R2 NFS share - permissions issueWindow 2008 inherit permissions from parent on file created on linux nfs share connected to WindowsRead only permissions still allows to saveAllow guest read/write access to Netatalk AFP shareShare Permissions: Why can a group access a share, but not members of that group (Windows Server Environment)?Forcing/inheriting permissions on NFS sharenfs mount a rw nexenta share for all users on linux client — failingWindows NFS file share mounted on ubuntu is read only

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

0

I have a Linux (Ubuntu 16.04) server that roughly 30 users login to with shell access. There are different groups setup which manages their access to folders within /opt/working/shared/.

/opt/working/shared is backed up daily to /opt/backup/working/shared, an NFS mounted share from a NAS. These get backed up with the same permissions as the original files, yet the users don't get access to /opt/backup. This keeps users from browsing the share, but allows restoring with the original permissions.

I've been asked to provide these users read-only access to the backup area. I'm wondering what the best way to approach this might be?

If I allow them access to /opt/backup as it stands, they will have write access to any file they have write access to in /opt/working/shared, but removing write access to these files will overwrite the original permissions and adding complexity to a restore.

Is there a nice way to perhaps provide read-only access to the backup directories for non sudo'd users, whilst still adhering to original group permissions? This would keep the original permission structure and not allow users to see other peoples files, yet stop users from overwriting their own backups. I feel there's a better way to manage this rather than amending the permissions but I may be wrong.

linux nfs file-permissions

share|improve this question

asked Apr 23 at 9:19

jblzjblz

13519

add a comment | 

0

I have a Linux (Ubuntu 16.04) server that roughly 30 users login to with shell access. There are different groups setup which manages their access to folders within /opt/working/shared/.

/opt/working/shared is backed up daily to /opt/backup/working/shared, an NFS mounted share from a NAS. These get backed up with the same permissions as the original files, yet the users don't get access to /opt/backup. This keeps users from browsing the share, but allows restoring with the original permissions.

I've been asked to provide these users read-only access to the backup area. I'm wondering what the best way to approach this might be?

If I allow them access to /opt/backup as it stands, they will have write access to any file they have write access to in /opt/working/shared, but removing write access to these files will overwrite the original permissions and adding complexity to a restore.

Is there a nice way to perhaps provide read-only access to the backup directories for non sudo'd users, whilst still adhering to original group permissions? This would keep the original permission structure and not allow users to see other peoples files, yet stop users from overwriting their own backups. I feel there's a better way to manage this rather than amending the permissions but I may be wrong.

linux nfs file-permissions

share|improve this question

asked Apr 23 at 9:19

jblzjblz

13519

add a comment | 

I have a Linux (Ubuntu 16.04) server that roughly 30 users login to with shell access. There are different groups setup which manages their access to folders within /opt/working/shared/.

/opt/working/shared is backed up daily to /opt/backup/working/shared, an NFS mounted share from a NAS. These get backed up with the same permissions as the original files, yet the users don't get access to /opt/backup. This keeps users from browsing the share, but allows restoring with the original permissions.

I've been asked to provide these users read-only access to the backup area. I'm wondering what the best way to approach this might be?

If I allow them access to /opt/backup as it stands, they will have write access to any file they have write access to in /opt/working/shared, but removing write access to these files will overwrite the original permissions and adding complexity to a restore.

Is there a nice way to perhaps provide read-only access to the backup directories for non sudo'd users, whilst still adhering to original group permissions? This would keep the original permission structure and not allow users to see other peoples files, yet stop users from overwriting their own backups. I feel there's a better way to manage this rather than amending the permissions but I may be wrong.

linux nfs file-permissions

share|improve this question

asked Apr 23 at 9:19

jblzjblz

13519

share|improve this question

asked Apr 23 at 9:19

jblzjblz

13519

share|improve this question

asked Apr 23 at 9:19

jblzjblz

13519

asked Apr 23 at 9:19

jblzjblz

13519

asked Apr 23 at 9:19

jblzjblz

13519

1 Answer
1

active

oldest

votes

2

A minimal and trivial solution would be to mount the same NFS share a second time:

• with the "ro" mount option to force read-only operations


• on a location that your users can access

That way you don't have to change anything in how your existing backups are made, no complicated tricks with permissions etc.

share|improve this answer

answered Apr 23 at 12:43

HBruijnHBruijn

57.3k1190152

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks, that's actually a fantastic idea! I'll leave this question up a bit longer for other potential suggestions but I think that's exactly what I want to do.
  
  – jblz
  Apr 23 at 12:45
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  An alternative can be a read-only bind mount. Effectively the same effect as HBruijn suggested, but without second NFS export entry and mount.
  
  – kofemann
  Apr 26 at 20:30
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Unfortunately HBruijn's approach poses an issue. When I create /opt/backup_ro, set 777 perms to test then mount, mounting overwrites the permissions of backup_ro disallowing user access. I'm then unable to adjust the permissions as root /opt/backup_ro due to it being a 'Read only filesystem'. Is there a way round this? Perhaps only allowing root user to have rw? I've spent the past 45 minutes googling this but can't seem to find out what to do.
  
  – jblz
  yesterday
  
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f964176%2fgrant-users-read-only-access-to-nfs-share-without-affecting-current-permission%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

2

A minimal and trivial solution would be to mount the same NFS share a second time:

• with the "ro" mount option to force read-only operations


• on a location that your users can access

That way you don't have to change anything in how your existing backups are made, no complicated tricks with permissions etc.

share|improve this answer

answered Apr 23 at 12:43

HBruijnHBruijn

57.3k1190152

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks, that's actually a fantastic idea! I'll leave this question up a bit longer for other potential suggestions but I think that's exactly what I want to do.
  
  – jblz
  Apr 23 at 12:45
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  An alternative can be a read-only bind mount. Effectively the same effect as HBruijn suggested, but without second NFS export entry and mount.
  
  – kofemann
  Apr 26 at 20:30
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Unfortunately HBruijn's approach poses an issue. When I create /opt/backup_ro, set 777 perms to test then mount, mounting overwrites the permissions of backup_ro disallowing user access. I'm then unable to adjust the permissions as root /opt/backup_ro due to it being a 'Read only filesystem'. Is there a way round this? Perhaps only allowing root user to have rw? I've spent the past 45 minutes googling this but can't seem to find out what to do.
  
  – jblz
  yesterday
  
  

  
  
  
  

add a comment | 

2

A minimal and trivial solution would be to mount the same NFS share a second time:

• with the "ro" mount option to force read-only operations


• on a location that your users can access

That way you don't have to change anything in how your existing backups are made, no complicated tricks with permissions etc.

share|improve this answer

answered Apr 23 at 12:43

HBruijnHBruijn

57.3k1190152

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks, that's actually a fantastic idea! I'll leave this question up a bit longer for other potential suggestions but I think that's exactly what I want to do.
  
  – jblz
  Apr 23 at 12:45
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  An alternative can be a read-only bind mount. Effectively the same effect as HBruijn suggested, but without second NFS export entry and mount.
  
  – kofemann
  Apr 26 at 20:30
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Unfortunately HBruijn's approach poses an issue. When I create /opt/backup_ro, set 777 perms to test then mount, mounting overwrites the permissions of backup_ro disallowing user access. I'm then unable to adjust the permissions as root /opt/backup_ro due to it being a 'Read only filesystem'. Is there a way round this? Perhaps only allowing root user to have rw? I've spent the past 45 minutes googling this but can't seem to find out what to do.
  
  – jblz
  yesterday
  
  

  
  
  
  

add a comment | 

A minimal and trivial solution would be to mount the same NFS share a second time:

• with the "ro" mount option to force read-only operations


• on a location that your users can access

That way you don't have to change anything in how your existing backups are made, no complicated tricks with permissions etc.

share|improve this answer

answered Apr 23 at 12:43

HBruijnHBruijn

57.3k1190152

share|improve this answer

answered Apr 23 at 12:43

HBruijnHBruijn

57.3k1190152

answered Apr 23 at 12:43

HBruijnHBruijn

57.3k1190152

answered Apr 23 at 12:43

HBruijnHBruijn

57.3k1190152