From owner-freebsd-stable  Fri Mar 16 11:29:16 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id 7796437B718
	for ; Fri, 16 Mar 2001 11:29:11 -0800 (PST)
	(envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id LAA28876;
	Fri, 16 Mar 2001 11:28:51 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29)
	via SMTP by point.osg.gov.bc.ca, id smtpda28871; Fri Mar 16 11:28:44 2001
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f2GJSc846890;
	Fri, 16 Mar 2001 11:28:38 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com"
	via SMTP by passer9.cwsent.com, id smtpdX46872; Fri Mar 16 11:28:12 2001
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.11.3/8.9.1) id f2GJSBq05018;
	Fri, 16 Mar 2001 11:28:11 -0800 (PST)
Message-Id: <200103161928.f2GJSBq05018@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
	via SMTP by localhost.cwsent.com, id smtpdUQ5003; Fri Mar 16 11:28:01 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: Matt Dillon
Cc: Sean Kelly , freebsd-stable@FreeBSD.ORG
Subject: Re: mountd
In-reply-to: Your message of "Wed, 14 Mar 2001 16:33:33 PST."
	<200103150033.f2F0XXV33398@earth.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 16 Mar 2001 11:28:01 -0800
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <200103150033.f2F0XXV33398@earth.backplane.com>, Matt Dillon
writes:
> :My NFS server has /usr on a single filesystem, yet I would like to share
> :subdirectories of /usr with different attributes. An example would be:
> :
> : /usr/ports readonly
> : /usr/src readonly
> : /usr/local/build read/write
> :
> :The idea is that machines with very little disk space will be able to build
> :ports and source using /usr/build/ as the workdir. As I
> :understand it, this can't be done since /usr is a single filesystem on the
> :server and must
> :a) be listed on a single line in /etc/exports
> :b) have the same attributes for all exported directories
>
> :Am I missing something? If not, why is FreeBSD's mountd implemented this
> :way when it causes severe limitations such as the one I just came across?
> :How hard would it be to reimplement the system? Does anybody have any
>
>     The limitation is not restricted to FreeBSD. The real problem here is
>     that NFS security is based on file handle identifiers and filesystems.
>     You can export all the subdirectories in a filesystem wholly
>     read-only, or wholly read-write, but not a combination of the two
>     because the NFS server has no idea which subdirectory of that
>     filesystem an NFS client may be accessing... NFS clients access files
>     by file handle id's, NOT by path names.
>
> :suggestions for a quick fix? What is the answer to life, the universe, and
> :everything?
> :
> :--
> :Sean Kelly | PGP KeyID: 77042C7B
> :smkelly@zombie.org | http://www.zombie.org
>
>     No problem. Here's what you do: Let's say that /usr is local on all
>     your machines but you want to export /usr/ports and /usr/src from
>     your NFS server read-only. Simply make /usr/ports/distfiles on your
>     NFS server be a softlink to /usr/ports.distfiles, which will be a local
>     directory on every machine (including the NFS server).
>
>     Then set the WRKDIRPREFIX variable in your /etc/make.conf on the clients.
>     e.g. mkdir /var/portswork and in /etc/make.conf:
>
>     WRKDIRPREFIX= /var/portswork
>
>     (Note: some ports are huge so WRKDIRPREFIX needs to point to somewhere
>     with a lot of space).
>
>     Now you can build a port on any client using the /usr/ports exported
>     read-only from the NFS server. If you are exporting the whole of /usr
>     read-only to the clients, then obviously you have to choose some other
>     directory to hold the distfiles by adjusting the /usr/ports/distfiles
>     softlink. The softlink must be valid (point to some local directory
>     somewhere) on both the NFS server and all the clients.
>
>     --
>
>     In regards to /usr/src and /usr/obj. What I normally do is export
>     /usr/src AND /usr/obj from the NFS server, both read-only. I do all
>     builds on the server and then install them from the clients (i.e. I
>     never actually build the world on a client). Same goes with kernels
>     for the clients... build on the server, install from the client.
>
>     -Matt

This is good.  A more generic approach would be to mount the directories
you wish to export using nullfs or unionfs -r to another directory, e.g.
/nfs/.  Then export /nfs/.  Of course this depends on nullfs and unionfs
not panicking your system.

Other than the bugs in nullfs and unionfs, assuming that the bugs will get
fixed one day, does anyone see any problems or security implications with
this approach?


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
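Added example (not part of the thread, and not FreeBSD's mountd code): a small Python checker that encodes the rule Matt describes and that exports(5) states, namely that export flags such as -ro and -maproot are attached to a filesystem and a host set rather than to a directory, and that every directory named on one exports line must sit on the same local filesystem. Run over Sean's intended /etc/exports it reports the conflict mountd would refuse; run over the same intent after Cy's nullfs rearrangement, where each null mount is its own filesystem under /nfs, it reports nothing. The mount tables and exports contents are constructed for the example; on a live server you would build the mount table from os.stat(path).st_dev instead of the hand-written labels used here.

```python
"""Lint an /etc/exports file for the per-filesystem limitation discussed
in the thread.  Mount tables and exports text below are constructed for
the example; nothing is read from the running system."""

import posixpath

# Constructed mount table: mount point -> filesystem label.  /usr is one
# filesystem, so /usr/ports and /usr/local/build share it.
MOUNTS_SERVER = {
    "/": "ufs:root",
    "/usr": "ufs:usr",
}

# Same server after null-mounting the three subtrees under /nfs.  Each
# null mount is a separate filesystem with its own flags.
MOUNTS_NULLFS = {
    "/": "ufs:root",
    "/usr": "ufs:usr",
    "/nfs/ports": "nullfs:ports",
    "/nfs/src": "nullfs:src",
    "/nfs/build": "nullfs:build",
}

# What Sean wanted to write (constructed): mixed flags on one filesystem.
EXPORTS_WANTED = """\
/usr/ports /usr/src -ro client1 client2
/usr/local/build client1 client2
"""

# Same intent on the null mounts: one line per filesystem, flags differ.
EXPORTS_NULLFS = """\
/nfs/ports -ro client1 client2
/nfs/src -ro client1 client2
/nfs/build client1 client2
"""


def filesystem_of(path, mounts):
    """Label of the filesystem holding `path`: the longest mount point that
    is a whole-component prefix of it.  `mounts` must contain "/"."""
    path = posixpath.normpath(path)
    best = "/"
    for mp in mounts:
        mp = posixpath.normpath(mp)
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return mounts[best]


def parse_exports(text):
    """Return [(dirs, options, hosts)] per entry, following exports(5):
    leading absolute paths are directories, tokens starting with '-' are
    options, anything else is a host.  -network/-mask describe the host
    set, so they are folded into `hosts` (with their separate argument)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        dirs, options, hosts = [], [], []
        i = 0
        while i < len(tokens) and tokens[i].startswith("/"):
            dirs.append(tokens[i])
            i += 1
        while i < len(tokens):
            tok = tokens[i]
            if tok in ("-network", "-mask") and i + 1 < len(tokens):
                tok = tok + "=" + tokens[i + 1]   # fold the detached argument in
                i += 1
            if tok.startswith(("-network", "-mask")):
                hosts.append(tok)
            elif tok.startswith("-"):
                options.append(tok)
            else:
                hosts.append(tok)
            i += 1
        entries.append((dirs, options, hosts))
    return entries


def export_conflicts(exports_text, mounts):
    """List the entries mountd would reject: a line spanning several
    filesystems, or two entries for the same filesystem and host set
    carrying different flags.  An empty list means the file is consistent."""
    seen = {}        # (filesystem, host set) -> (flags, first directory)
    problems = []
    for dirs, options, hosts in parse_exports(exports_text):
        fses = {d: filesystem_of(d, mounts) for d in dirs}
        if len(set(fses.values())) > 1:
            problems.append("one line spans several filesystems: "
                            + ", ".join(f"{d} ({fs})" for d, fs in fses.items()))
            continue
        hostkey = tuple(sorted(hosts)) or ("<everyone>",)
        optkey = tuple(sorted(options))
        for d, fs in fses.items():
            prev = seen.get((fs, hostkey))
            if prev is None:
                seen[(fs, hostkey)] = (optkey, d)
            elif prev[0] != optkey:
                problems.append(
                    f"{d} and {prev[1]} share filesystem {fs} for hosts "
                    f"{' '.join(hostkey)} but differ in flags: "
                    f"{' '.join(optkey) or '(rw)'} vs {' '.join(prev[0]) or '(rw)'}")
    return problems


if __name__ == "__main__":
    for label, text, mounts in (("plain /usr", EXPORTS_WANTED, MOUNTS_SERVER),
                                ("nullfs under /nfs", EXPORTS_NULLFS, MOUNTS_NULLFS)):
        found = export_conflicts(text, mounts)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  " + p)
```

Different host sets may carry different flags for the same filesystem (the classic `/usr -ro clientA` beside `/usr -maproot=0 buildhost`), so the checker keys on the host set as well as the filesystem; that is also why folding -network/-mask into the host set rather than the option list matters. The checker says nothing about whether a given nullfs or unionfs build is stable enough to export, which is the open question Cy raises.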