From: Charles Swiger
Date: Wed, 12 May 2004 11:56:35 -0400
To: "Mikhail E. Zakharov"
Cc: freebsd-questions@freebsd.org
Subject: Re: NFS-bug or not ?

On May 12, 2004, at 3:31 AM, Mikhail E. Zakharov wrote:
> When playing with NFS under FreeBSD, I've noticed something strange.
> You know it's impossible to export 2 directories of the same file
> system on the server to the 1 nfs-client:
> server# cat /etc/exports
> /usr/c client
> /usr/d client
> server# killall -HUP mountd
> server# showmount -e
> /usr/c Everyone
>
> There is no /usr/d exported.
> And we got errors in /var/log/messages:
> mountd[377]: can't change attributes for /usr/d
> mountd[377]: bad exports list line /usr/d

Please refer to _Managing NFS and NIS_, O'Reilly, p92:

"2. You cannot export any subdirectory of an exported filesystem unless the subdirectory is on a different physical device.
3. You cannot export any parent directory of an exported filesystem unless the parent is on a different physical device."

Basically, NFS exports work on a per-filesystem basis, although one can use symbolic links to achieve results similar to what you are trying to do by exporting different subdirectories of the same filesystem.

There's a more extensive writeup about this here:

http://www.pkix.net/~chuck/doc/NFS/article.html

> But it's possible(!) to fool mountd when using the -network key.
> Let's try to export /usr/a as read-only system for the whole network,
> and /usr/b writable for one host, and not readable for other. NB! Our
> NFS-client (192.168.12.98) is from 192.168.0.0/16 network. See this
> example:

[ ... ]

> When we mounted them on client. Let's make additional tests:
> client# echo "something stupid" > /mnt/test.txt
> client# echo "something stupid1" > /mnt1/test1.txt
> client# cat /mnt/test.txt
> something stupid
> client# cat /mnt1/test1.txt
> something stupid1
>
> Oh, my God! Both of the exported directories are writable.

If you export one filesystem ro to an entire subnet, and then also export the same filesystem rw to a specific machine, the machine granted r/w permissions can write to that filesystem, yes. That's by design.

If some other machine could write to the filesystem, or if you choose to export two different filesystems with different permissions, that would indicate a problem...

-- 
-Chuck
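The two situations in this thread, as an added lint for /etc/exports (example code by the editor, not from the list or from FreeBSD's mountd): it groups export lines per filesystem the way mountd does, flags a second line for the same filesystem and client (the "bad exports list line" case), and reports an rw host export that sits inside a ro -network export of the same filesystem, which mountd accepts and which gives that host write access. The mount table and the sample exports file are constructed, and the -network line uses the network/prefix form of exports(5).

```python
import ipaddress
# Constructed stand-in for the server's mount table: /usr is one filesystem.
MOUNTS = ["/", "/usr"]

def filesystem_of(path, mounts=MOUNTS):
    """Longest mount point containing path; mountd groups exports per filesystem."""
    return max((m for m in mounts if path.startswith(m.rstrip("/") + "/") or path == m), key=len)

def parse_line(line):
    """One exports(5) line -> (path, read_only, network or None, [hosts])."""
    path, *words = line.split()
    ro, net, hosts = "-ro" in words, None, []
    for i, w in enumerate(words):
        if w == "-network":                     # e.g. -network 192.168.0.0/16
            net = ipaddress.ip_network(words[i + 1], strict=False)
        elif not w.startswith("-") and (i == 0 or words[i - 1] != "-network"):
            hosts.append(w)
    return path, ro, net, hosts

def check(exports_text, mounts=MOUNTS):
    """rejected: lines mountd refuses (filesystem already exported to that client).
    overrides: rw host exports inside a ro network export of the same filesystem."""
    seen, entries, rejected, overrides = {}, [], [], []
    lines = [l for l in exports_text.splitlines() if l.strip() and not l.startswith("#")]
    for line in lines:
        path, ro, net, hosts = parse_line(line)
        fs = filesystem_of(path, mounts)
        for client in hosts + ([str(net)] if net else []):
            if (fs, client) in seen:
                rejected.append((path, fs, client, seen[(fs, client)]))
            else:
                seen[(fs, client)] = path
                entries.append((path, fs, ro, net, client))
    for path, fs, ro, net, client in entries:
        if ro or net:
            continue                            # only rw exports to a named host matter
        for opath, ofs, oro, onet, _ in entries:
            try:
                if oro and onet and ofs == fs and ipaddress.ip_address(client) in onet:
                    overrides.append((client, path, opath))
            except ValueError:
                pass                            # hostnames cannot be resolved offline

    return rejected, overrides

# Constructed exports file reproducing both situations from the mail.
EXPORTS = """\
/usr/c client
/usr/d client
/usr/a -ro -network 192.168.0.0/16
/usr/b 192.168.12.98
"""
```

Running `check(EXPORTS)` reports /usr/d as a duplicate of /usr/c for client "client", and 192.168.12.98 as getting rw on /usr via /usr/b although /usr/a is ro for its network.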