
AWS File Gateway - Ensure Authentic UID/GID


AWS File Gateway seems to allow setting of UID/GID NFS permissions on shares and files in the gateway. This is great, but since there is no local user base stored on the gateway itself, it seems like, once authenticated (which seems to go against the client's user store, not some File Gateway user store), the UID and GID values seem to be populated by the client, not the server. This invalidates any kind of security as far as I can tell. Anyone who knows a UID or GID for a share could set the local computer's UID/GID accordingly and gain access to that share with whatever password they want.

What am I misunderstanding here?


Solution

  • What am I misunderstanding here?

    Only that this has always been a limitation of NFS: the client machines are trusted.

    There's a built-in assumption in NFS that users with privileged access to a client machine are trusted users, and therefore no user would have an account with a conflicting or unauthorized UID/GID.

    In an environment where that isn't the case, your observation is correct... the basic NFS security model doesn't provide meaningful security if the client machines can't be trusted.
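Since the answer's point is that NFS trusts whatever UID/GID the mounting client asserts, the practical control on a File Gateway NFS share is restricting which clients may mount it and squashing root. The check below is an added example (not code from the question, the answer or AWS): it lints share descriptions in the shape of the `NFSFileShareInfoList` entries returned by the Storage Gateway `DescribeNFSFileShares` API, using the real `ClientList` and `Squash` fields; the sample shares, the trusted-network list and the `max_prefix_len` threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample, shaped like NFSFileShareInfoList entries from
# DescribeNFSFileShares (only the fields this check uses are included).
SAMPLE_SHARES = [
    {"FileShareARN": "arn:aws:storagegateway:us-east-1:123456789012:share/share-EXAMPLE1",
     "ClientList": ["0.0.0.0/0"], "Squash": "NoSquash"},
    {"FileShareARN": "arn:aws:storagegateway:us-east-1:123456789012:share/share-EXAMPLE2",
     "ClientList": ["10.20.0.0/24"], "Squash": "RootSquash"},
    {"FileShareARN": "arn:aws:storagegateway:us-east-1:123456789012:share/share-EXAMPLE3",
     "ClientList": ["10.20.0.5/32", "192.168.1.0/24"], "Squash": "AllSquash"},
]

# Constructed: networks whose hosts the administrator actually controls,
# i.e. the only machines NFS's trust model should be extended to.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def audit_share(share, trusted_networks=TRUSTED_NETWORKS, max_prefix_len=16):
    """Return (code, detail) findings for one NFS file share description.

    An empty list means the share only admits clients from trusted networks
    and does not let a client's root user act as UID 0 on the share.
    """
    findings = []
    if share.get("Squash") == "NoSquash":
        findings.append(("no-root-squash", "a client root user maps to UID 0 on the share"))
    for cidr in share.get("ClientList", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen < max_prefix_len:  # catches 0.0.0.0/0 and other very wide ranges
            findings.append(("broad-client-cidr", f"{cidr} admits any host in a /{net.prefixlen}"))
        if not any(net.subnet_of(t) for t in trusted_networks if net.version == t.version):
            findings.append(("untrusted-client-cidr", f"{cidr} is outside the trusted networks"))
    return findings


def audit_shares(shares, **kw):
    """Map each share ARN to its findings."""
    return {s["FileShareARN"]: audit_share(s, **kw) for s in shares}


if __name__ == "__main__":
    for arn, findings in audit_shares(SAMPLE_SHARES).items():
        status = "OK" if not findings else "; ".join(f"{c}: {d}" for c, d in findings)
        print(f"{arn.rsplit('/', 1)[-1]}: {status}")
```

In a live account the same function can be fed the output of `boto3` `describe_nfs_file_shares`, since it only reads the documented field names.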