From: "Russell L. Carter"
To: freebsd-net@freebsd.org
Date: Tue, 29 Jul 2014 13:34:50 -0700
Subject: Re: nfsd spam in /var/log/messages
Message-ID: <53D8056A.1010908@pinyon.org>
References: <53D6ACD6.2030204@pinyon.org> <1817833305.4592918.1406587646770.JavaMail.root@uoguelph.ca> <20140729182134.GA43962@funkthat.com>
In-Reply-To: <20140729182134.GA43962@funkthat.com>
List-Id: Networking and TCP/IP with FreeBSD

On 07/29/14 11:21, John-Mark Gurney wrote:
> Rick Macklem wrote this message on Mon, Jul 28, 2014 at 18:47 -0400:
>> Russell L. Carter wrote:
>>> On 07/28/14 05:55, Rick Macklem wrote:
>>>
>>>> Assuming /export is one file system on the server, put all
>>>> the exports in a single entry, something like:
>>>> V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
>>>> /export/usr/src /export/usr/obj /export/usr/ports /export/packages
>>>> /export/library -maproot=root
>>>>
>>>> OR you can just allow the clients to mount any location
>>>> within the server file system using -alldirs like:
>>>> V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
>>>> /export -alldirs -maproot=root
>>>>
>>>> At least I think I got this correct;-) rick
>>>
>>> Then it would seem that it is not possible to do per-host
>>> filesystem access control from a single server. Is that true?
>>>
>> Yes, you can. Each line must be unique w.r.t. the tuple of
>> .

This seems to work, and I don't have spam in my log:

V4: /export -sec=sys
/export/library -maproot=root linuxen
/export -maproot=root fbsden

However, 'linuxen' and 'fbsden' are defined in netgroup(5):

linuxen (bruno,,n1.pinyon.org)
fbsden (psf,,n1.pinyon.org) (knuth,,n1.pinyon.org)

but the linux host can mount /export/usr/* just fine :-(.

>> When there are multiple directories within a file system that
>> need to be mounted by a given host (or subnet), those must be
>> specified in a single entry.
>
> You know.. mountd really should grow the smarts to handle this, and
> warn if the various settings for the fs don't match between lines...
>
> i.e. union the lines as long as they match...
>
> Could be a good project for someone(tm)...
>

vfs_export and friends are impressively densely written...

Cheers,
Russell
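The following is an added example, not code from the thread or from mountd: a small checker for the rule Rick states above (one exports(5) entry per file system and host, with several directories of the same file system folded into that one entry) that also does what John-Mark suggests mountd should do, unioning lines whose options match and warning when they differ. It understands only the syntax that appears in the thread (the V4: line, -sec, -network/-mask, -maproot, -alldirs, host or netgroup names). The mount-point list and the sample export lines are constructed; in particular it assumes, as Rick does, that /export is a single file system, and it does not consult the running system.

```python
"""Added example: flag exports(5) lines that repeat a <file system, host> pair.

Constructed for illustration; the mount-point table, sample lines and
warning text are this example's own, not mountd's.
"""
import shlex

# Assumed server mount points (the thread assumes /export is one file system).
MOUNTPOINTS = ("/", "/export")

# Options whose argument is the next token, as written in the thread
# ("-network 10.0.10 -mask 255.255.255.0").
_ARG_OPTIONS = {"-network", "-mask"}


def filesystem_of(path, mountpoints=MOUNTPOINTS):
    """Return the longest mount point that contains path."""
    best = "/"
    for mp in mountpoints:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def parse_line(line):
    """Split one exports line into (dirs, opts, hosts); None if it exports nothing.

    Directories start with '/', options with '-'; anything else is a host or
    netgroup name. Comments and the 'V4:' root line are skipped.
    """
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("V4:"):
        return None
    tokens = shlex.split(line)
    dirs, opts, hosts = [], [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            dirs.append(tok)
        elif tok in _ARG_OPTIONS and i + 1 < len(tokens):
            opts.append(tok + "=" + tokens[i + 1])  # normalise to -network=10.0.10
            i += 1
        elif tok.startswith("-"):
            opts.append(tok)
        else:
            hosts.append(tok)
        i += 1
    return dirs, opts, hosts


def host_keys(opts, hosts):
    """Hashable 'who' keys for a line: a -network/-mask pair, named hosts, or everyone."""
    net = [o.split("=", 1)[1] for o in opts if o.startswith("-network=")]
    if net:
        mask = [o.split("=", 1)[1] for o in opts if o.startswith("-mask=")]
        return [("network", net[0], mask[0] if mask else "")]
    return [("host", h) for h in hosts] or [("world",)]


def _who(hk):
    return hk[1] if len(hk) > 1 else "everyone"


def check_exports(text):
    """Return (merged, warnings) for an exports(5)-style text.

    merged maps (file system, host key) to {'dirs', 'opts', 'lines'}. A later
    line for the same pair is unioned into the first when its options match,
    and reported either way, since mountd wants one entry per pair.
    """
    merged, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        dirs, opts, hosts = parsed
        # exports(5): all directories on one line must lie in one file system
        fses = {filesystem_of(d) for d in dirs}
        if len(fses) != 1:
            warnings.append((lineno, "directories span more than one file system"))
            continue
        fs = fses.pop()
        # -network/-mask identify the client set, so they are not export options here
        export_opts = sorted(o for o in opts if not o.startswith(("-network=", "-mask=")))
        for hk in host_keys(opts, hosts):
            entry = merged.get((fs, hk))
            if entry is None:
                merged[(fs, hk)] = {"dirs": list(dirs), "opts": export_opts, "lines": [lineno]}
            elif entry["opts"] == export_opts:
                entry["dirs"].extend(d for d in dirs if d not in entry["dirs"])
                entry["lines"].append(lineno)
                warnings.append((lineno, "%s already exported to %s on line %d; "
                                 "options match, fold into that entry"
                                 % (fs, _who(hk), entry["lines"][0])))
            else:
                warnings.append((lineno, "%s already exported to %s on line %d with "
                                 "different options %s vs %s"
                                 % (fs, _who(hk), entry["lines"][0], entry["opts"], export_opts)))
    return merged, warnings


# Constructed sample: Russell's three-line layout, plus two lines that
# export /export to 'fbsden' a second and third time.
SAMPLE = """\
V4: /export -sec=sys
/export/library -maproot=root linuxen
/export -maproot=root fbsden
/export/usr/src /export/usr/obj -maproot=root fbsden
/export/library -ro fbsden
"""

if __name__ == "__main__":
    merged, warnings = check_exports(SAMPLE)
    for key, entry in merged.items():
        print(key, entry)
    for lineno, msg in warnings:
        print("line %d: %s" % (lineno, msg))
```

Running it on SAMPLE reports line 4 as foldable into line 3 (same options, same host, same file system) and line 5 as a genuine clash (-ro against -maproot=root), which is the distinction John-Mark is asking mountd to make. Feed it your own /etc/exports only after adjusting MOUNTPOINTS to the server's real mount table.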