From: "Russell L. Carter" <russell@pinyon.org>
To: freebsd-net@freebsd.org
Date: Mon, 28 Jul 2014 13:04:38 -0700
Subject: Re: nfsd spam in /var/log/messages
Message-ID: <53D6ACD6.2030204@pinyon.org>
In-Reply-To: <43564051.4211288.1406552134888.JavaMail.root@uoguelph.ca>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On 07/28/14 05:55, Rick Macklem wrote:
> Assuming /export is one file system on the server, put all
> the exports in a single entry, something like:
> V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> /export/usr/src /export/usr/obj /export/usr/ports /export/packages /export/library -maproot=root
>
> OR you can just allow the clients to mount any location
> within the server file system using -alldirs like:
> V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> /export -alldirs -maproot=root
>
> At least I think I got this correct;-) rick

Then it would seem that it is not possible to do per-host filesystem
access control from a single server. Is that true?

The larger project I am working on intermittently is to see if I can
work out a way to secure NFSv4 so that the net transport is encrypted
(via ssh|spiped tunnel, perhaps) and the server has per host (per user
would be better) filesystem access control, WITHOUT kerberos. Maybe
ACLs? I have looked into ACLs but they don't look very promising for
multiple platform support.

Thanks,
Russell
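As an added illustration that is not part of this thread (neither Rick's nor Russell's configuration), here is a hypothetical /etc/exports for the same /export layout that hands different subtrees to different clients. The host names builder1, builder2, ws1, ws2 and ws3 are assumptions; the option syntax is FreeBSD's exports(5).

```conf
# Hypothetical /etc/exports (added example, not from the mailing-list thread).
# /export is assumed to be a single file system on the server.

# NFSv4 root. Every NFSv4 mount path is taken relative to /export, and only
# clients on 10.0.10.0/24 may use the root at all.
V4: /export -sec=sys -network 10.0.10.0 -mask 255.255.255.0

# Build hosts (assumed names) get the source trees read-write. -maproot=root
# lets the client's root act as root on the server; with -sec=sys the server
# simply trusts the uid/gid the client sends, so this is a client-trust decision.
/export/usr/src /export/usr/obj /export/usr/ports -maproot=root builder1 builder2

# Workstations (assumed names) get only the package and library trees,
# read-only, with root squashed to nobody.
/export/packages /export/library -ro -mapall=nobody ws1 ws2 ws3
```

exports(5) allows several lines for the same file system as long as each line names a different set of clients; a given host may appear only once per file system, which is why the builder and workstation lists above are disjoint. With this file, ws1 cannot mount /export/usr/src and builder1 cannot mount /export/packages, so host-level access control from one server comes from the client list on each line rather than from a single entry. Reload mountd after editing (service mountd reload) so nfsd picks up the new list. Two caveats for the tunnelled setup discussed above: the client lists are matched against the source address of the NFS connection, so if an ssh or spiped tunnel terminates on the server and forwards to 127.0.0.1:2049, every client appears to come from the loopback address and the per-host lines no longer distinguish them; and -sec=sys gives no per-user enforcement on the server side, because the identity is whatever the (possibly root-owned) client asserts.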