Rediģēt

Kopīgot, izmantojot


Configure root squash for Azure Files

Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Root squash is an administrative security feature in NFS that prevents unauthorized root-level access to the NFS server by client machines. This functionality is an important part of protecting user data and system settings from manipulation by untrusted or compromised clients.

Administrators should enable root squash in environments where multiple users or systems access the NFS share, especially in scenarios where client machines aren't fully trusted. By converting root users to anonymous users, root squash ensures that even if a client machine is compromised, the attacker can't exploit root privileges to access or modify critical files on the NFS server.

In this article, you learn how to configure and change root squash settings for NFS Azure file shares.

Applies to

File share type SMB NFS
Standard file shares (GPv2), LRS/ZRS No, this article doesn't apply to standard SMB Azure file shares LRS/ZRS. NFS shares are only available in premium Azure file shares.
Standard file shares (GPv2), GRS/GZRS No, this article doesn't apply to standard SMB Azure file shares GRS/GZRS. NFS is only available in premium Azure file shares.
Premium file shares (FileStorage), LRS/ZRS No, this article doesn't apply to premium SMB Azure file shares. Yes, this article applies to premium NFS Azure file shares.

How root squash works with Azure Files

Root squash works by re-mapping the user ID (UID) and the group ID (GID) of the root user to a UID and GID belonging to the anonymous user on server. Root users accessing the file system are automatically converted to the anonymous, less-privileged user/group with limited permissions.

Although root squash is the default behavior in NFS, it's not the default option when creating an NFS Azure file share. You must explicitly enable root squash on the file share. You can do this when you create an NFS Azure file share, or later on.

Root squash settings

You can choose from three root squash settings:

  • No root squash: Turn off root squashing. This option is mainly useful for diskless clients or workloads as specified by workload documentation. This is the default setting when creating a new NFS Azure file share.
  • All squash: Map all UIDs and GIDs to the anonymous user. Useful for shares that require read-only access by all clients.
  • Root squash: Map requests from UID/GID 0 (root) to the anonymous UID/GID. This doesn't apply to any other UIDs or GIDs that might be equally sensitive, such as user bin or group staff.

The following table highlights the UID behavior observed from the server when specific root squash options are configured.

Option Client UID Server UID
root_squash 0 65534
root_squash 1000 1000
no_root_squash 0 0
no_root_squash 1000 1000
all_squash 0 65534
all_squash 1000 65534

Configure root squash on an existing NFS file share

You can configure root squash settings via the Azure portal, Azure PowerShell, or Azure CLI.

  1. Sign in to the Azure portal and navigate to the FileStorage storage account containing the NFS Azure file share.

  2. In the service menu, under Data storage, select File shares.

  3. Select the file share for which you want to modify the root squash setting.

  4. In the service menu, select Properties. Then toggle the Root squash setting as desired.

    Screenshot showing how to configure root squash settings for an NFS file share in the Azure portal.

  5. Select Save to update the root squash value.

See also