NFS: no_root_squash vs root_squash


2 min read | by Jordi Prats

The NFS (Network File System) protocol allows users to share files and directories over a network. When exporting a directory over NFS, there are two options that control how root users on the client are treated: no_root_squash and root_squash.

no_root_squash

The no_root_squash option allows root users on the client side to create files with root privileges on the server side. This means that root users can perform any action, such as reading, writing, or executing files, with the same permissions as on the local file system.

root_squash

On the other hand, the root_squash option maps the root user on the client side to an anonymous user on the server side. If we don't really trust the clients mounting the filesystem, it helps prevent privilege escalation on the NFS server.

Which one to use

In general, the root_squash option is the recommended choice in most cases since it provides a higher level of security. However, in some cases the no_root_squash option may be necessary (and make sense), for example when the same system administrator manages both boxes. But bear in mind that you are granting root privileges over the network.

If you're having a hard time telling them apart, just think that root_squash is squashing the power of the remote root user.
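
One way to audit an exports file for clients whose root user is not squashed, as an added example that is not part of the original post. It assumes the Linux exports(5) layout, where root_squash is the default and later options override earlier ones, and paths without spaces; the sample file, hostnames and function names are constructed.

```python
import re

# Constructed sample /etc/exports content (not from the original post).
SAMPLE_EXPORTS = """\
# constructed sample
/srv/share    192.0.2.0/24(rw,sync,root_squash)
/srv/backup   backup01.example.com(rw,sync,no_root_squash) \\
              *(ro,no_root_squash)
/srv/home     -rw,no_root_squash admin.example.com 198.51.100.7(rw,root_squash)
/srv/pub      *(ro)
"""

# client(options); the option list is optional.
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def effective_root_squash(text):
    """Return (path, client, squashed) for every client of every export."""
    results = []
    # Join backslash-continued lines before splitting into entries.
    text = re.sub(r"\\\r?\n", " ", text)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if not fields:
            continue
        path, rest = fields[0], fields[1:]
        # "-opt,opt" right after the path sets defaults for the clients that follow.
        defaults = []
        if rest and rest[0].startswith("-"):
            defaults = rest.pop(0)[1:].split(",")
        for spec in rest:
            m = CLIENT_RE.match(spec)
            if not m:
                continue
            client = m.group(1) or "*"  # "(opts)" alone means any client
            squashed = True             # root_squash is the default
            for opt in defaults + (m.group(2) or "").split(","):
                if opt == "root_squash":
                    squashed = True
                elif opt == "no_root_squash":
                    squashed = False
            results.append((path, client, squashed))
    return results

def unsquashed_clients(text):
    """Clients whose root user keeps root privileges on the server."""
    return [(p, c) for p, c, s in effective_root_squash(text) if not s]

if __name__ == "__main__":
    for path, client in unsquashed_clients(SAMPLE_EXPORTS):
        print(f"no_root_squash in effect: {path} -> {client}")
```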


Posted on 08/02/2023