Access control

Stay organized with collections Save and categorize content based on your preferences.

This page describes how to control access to Filestore instances.

Filestore doesn't support Kerberos for securing access to Filestore instances. You can use the Linux options to control NFS access and Identity and Access Management (IAM) to control access to instance operations, such as creating, editing, viewing, and deleting instances.

File share export settings

A Filestore file share is assigned the following default /etc/exports settings:

  • The client list, which identifies the clients allowed to connect to the file share, is composed of all internal IP addresses in the VPC network you selected for the Filestore instance. Internal IP addresses can be any range listed in Subnet ranges. However, if you have clients on non-RFC 1918 subnet ranges, you must explicitly grant them access to the Filestore instance using IP-based access control.
  • The rw option is used, so the file share is read-write.
  • The user ID mapping option no_root_squash is used, so all users and groups, including the root user, are expected to be the same on both the Filestore instance and the client.
  • All other options use the /etc/exports defaults.

IP-based access control

You can change these export settings by creating access control rules using the Google Cloud console or by specifying a json configuration file during instance creation using the gcloud CLI. For details, see Configuring IP-based access control.

You can also add new access control rules or modify existing ones after an instance is created. For details, see Editing instances.

File share permissions

When you create a Filestore instance, the file share for that instance has default POSIX file permissions of rwxr-xr-x. These permissions mean that on a Filestore instance, only root users on connected clients have read/write access to the file share. Other users have only read access by default. Client root users can change permissions and owners.

Configuring access on a file share

When mounting a file share, you can use mount options and /etc/fstab settings to determine whether the file share is writable and if files can be executed on it. After mounting the file share, you can use standard Linux commands like chmod, and setfacl to set file and file share permissions. Only Basic tiers support setfacl.

Setting consistent permissions

We strongly recommend that you set consistent permissions for each user on all clients that connect to the same Filestore instance to prevent privilege escalation. If a file share is mounted on more than one client and a user has root privileges on one client but not the others, then the following privilege escalation scenario is possible:

  • A user sets the setuid attribute on an executable file from the client where the user has root access.
  • The user then uploads the executable file to the file share.
  • The user executes the uploaded file as root on any client where the user has at least read permission.

This scenario is possible because the setuid bit allows the user to execute a file using the permissions of the file owner, which in this case is root.