Date: Wed, 12 May 2004 11:56:35 -0400
From: Charles Swiger <cswiger@mac.com>
To: "Mikhail E. Zakharov" <zakharov@ipb.redline.ru>
Cc: freebsd-questions@freebsd.org
Subject: Re: NFS-bug or not ?
Message-ID: <F22E8DE0-A42C-11D8-BE16-003065ABFD92@mac.com>
In-Reply-To: <1672830687.20040512113148@ipb.redline.ru>
References: <1672830687.20040512113148@ipb.redline.ru>

On May 12, 2004, at 3:31 AM, Mikhail E. Zakharov wrote:
> When playing with NFS under FreeBSD, I've noticed something strange.
> You know it's impossible to export 2 directories of the same file
> system on the server to the 1 nfs-client:
> server# cat /etc/exports
> /usr/c client
> /usr/d client
> server# killall -HUP mountd
> server# showmount -e
> /usr/c Everyone
>
> There is no /usr/d exported. And we got errors in /var/log/messages:
> mountd[377]: can't change attributes for /usr/d
> mountd[377]: bad exports list line /usr/d

Please refer to _Managing NFS and NIS_, O'Reilly, p92:

"2. You cannot export any subdirectory of an exported filesystem unless
the subdirectory is on a different physical device.

3. You cannot export any parent directory of an exported filesystem
unless the parent is on a different physical device."

Basically, NFS exports work on a per-filesystem basis, although one can
use symbolic links to achieve results similar to what you are trying to
do by exporting different subdirectories of the same filesystem.
There's a more extensive writeup about this here:

http://www.pkix.net/~chuck/doc/NFS/article.html

> But it's possible(!) to fool mountd when using the -network key.
> Let's try to export /usr/a as read-only system for the whole network,
> and /usr/b writable for one host, and not readable for other. NB! Our
> NFS-client (192.168.12.98) is from 192.168.0.0/16 network. See this
> example:
[ ... ]
> When we mounted them on client. Let's make additional tests:
> client# echo "something stupid" > /mnt/test.txt
> client# echo "something stupid1" > /mnt1/test1.txt
> client# cat /mnt/test.txt
> something stupid
> client# cat /mnt1/test1.txt
> something stupid1
>
> Oh, my God! Both of the exported directories are writable.

If you export one filesystem ro to an entire subnet, and then also
export the same filesystem rw to a specific machine, the machine granted
r/w permissions can write to that filesystem, yes. That's by design.

If some other machine could write to the filesystem, or if you choose to
export two different filesystems with different permissions, that would
indicate a problem...

--
-Chuck
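
The per-filesystem behaviour described in this message can be checked for before an exports file goes live. The following is an added example, not part of the original message and not FreeBSD's mountd logic: it flags filesystems where one client matches both a read-only and a writable exports(5) line. The sample exports lines are constructed (the example in the quoted message is elided), the mount table is assumed, and only numeric host addresses are matched.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, not the elided exports file from the message.
SAMPLE_EXPORTS = """\
/usr/a -ro -network 192.168.0.0 -mask 255.255.0.0
/usr/b 192.168.12.98
/var/spool -ro 192.168.12.98
"""
MOUNTS = ["/", "/usr", "/var"]  # assumed; on a live server compare os.stat(path).st_dev

def filesystem_of(path, mounts=MOUNTS):
    """Longest mount point that contains path."""
    hits = [m for m in mounts if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len)

def parse_exports(text):
    """Yield (directories, read_only, networks) for each exports(5) line."""
    toks = [line.split("#", 1)[0].split() for line in text.splitlines()]
    for tok in filter(None, toks):
        dirs, nets, opts, ro, i = [], [], {}, False, 0
        while i < len(tok):
            t = tok[i]
            if t in ("-network", "-mask") and i + 1 < len(tok):
                i += 1
                opts[t] = tok[i]          # option takes the next token as its value
            elif t in ("-ro", "-o"):
                ro = True
            elif t.startswith("/"):
                dirs.append(t)
            elif not t.startswith("-"):
                try:
                    nets.append(ipaddress.ip_network(t))   # single host address
                except ValueError:
                    nets.append(None)     # hostname: not resolved offline, never matches
            i += 1
        if "-network" in opts:
            net = opts["-network"] + ("/" + opts["-mask"] if "-mask" in opts else "")
            nets.append(ipaddress.ip_network(net, strict=False))
        yield dirs, ro, nets

def mixed_access(text, client):
    """Filesystems where `client` matches both a read-only and a writable line."""
    ip, seen = ipaddress.ip_address(client), defaultdict(lambda: defaultdict(set))
    for dirs, ro, nets in parse_exports(text):
        if not nets or any(n is not None and ip in n for n in nets):  # no hosts = everyone
            for d in dirs:
                seen[filesystem_of(d)]["ro" if ro else "rw"].add(d)
    return {fs: {k: sorted(v) for k, v in m.items()} for fs, m in seen.items() if len(m) == 2}
```

For the constructed sample, `mixed_access(SAMPLE_EXPORTS, "192.168.12.98")` reports `/usr`, where the read-only line for `/usr/a` should not be relied on to restrict that client.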