Date: Thu, 14 Sep 2000 00:56:54 -0700
From: "Crist J . Clark"
To: Paul Jansen
Cc: questions@FreeBSD.ORG
Subject: Re: freebsd NFS export limitation?
Message-ID: <20000914005654.V69158@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

On Thu, Sep 14, 2000 at 03:17:41PM +1100, Paul Jansen wrote:
> Hi,
>
> I was just reading through
> http://www.netbsd.org/Documentation/network/netboot/nfs.html
>
> It's a diskless netbsd howto. I was looking at this
> because there doesn't seem to be a decent, up-to-date
> diskless freebsd how with step by step instructions.
> Anyway, I came across this bit:
>
> "FreeBSD
> FreeBSD doesn't support exporting individual
> directories. You need to know the mountpoint of the
> filesystem you will be exporting. This also means that
> the client will have root read/write privileges on
> that whole filesystem. For example, if you only have
> one filesystem (i.e. /), then you need to export
> everything to the client. "
>
> Is this true under freeBSD 4.1R? If so it's a bit of
> a limitation isn't it?

It's never been true in any FreeBSD version I have ever used (all since 2.2.7). You have always been able to allow directories to be mounted. There are restrictions on how it is all done, but it's mostly an issue of getting your /etc/exports set up right.

However, it may be true that once a directory from a filesystem is exported, the whole filesystem may be exposed. That is, you cannot mount the filesystem through the usual mount command, but you might be able to craft special NFS requests to access other parts of the filesystem. But I also believe this is not a problem unique to FreeBSD's NFS. I think it's a fundamental NFS weakness.

(That's just from some hazy memories. Most NFS exploits do not require that kind of skill level. It's a "barring the windows and leaving the front door unlocked" analogy if you try to fix that issue.)

--
Crist J. Clark                           cjclark@alum.mit.edu
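
An added example (not part of the original message, and not FreeBSD code): a small audit that takes the reply's caution at face value and reports, for each directory in an exports(5)-style file, the whole filesystem it sits on. The sample exports lines, the mount points, and the function names `containing_fs` and `audit` are constructed for illustration.

```python
import os

# Constructed sample data (not from the thread): exports lines and mount points.
SAMPLE_EXPORTS = """\
/usr/diskless/client1 -maproot=root 10.0.0.5
/usr/src /usr/ports -ro -network 10.0.0.0 -mask 255.255.255.0
/home -alldirs   # whole filesystem, any host
/var/ftp/pub -ro
"""
SAMPLE_MOUNTS = ["/", "/usr", "/var", "/home"]

def containing_fs(path, mounts):
    """Longest mount point that is a whole-component prefix of path."""
    path, best = os.path.normpath(path), "/"
    for m in map(os.path.normpath, mounts):
        inside = path == m or path.startswith(m.rstrip("/") + "/")
        if inside and len(m) > len(best):
            best = m
    return best

def audit(exports_text, mounts):
    """Return (directory, filesystem, notes) for every exported directory."""
    findings = []
    for raw in exports_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        dirs, opts, hosts, i = [], [], [], 0
        while i < len(tokens):
            t = tokens[i]
            if t.startswith("/"):
                dirs.append(t)
            elif t.startswith("-"):
                opts += [o.lstrip("-") for o in t.split(",")]
                if t in ("-network", "-mask"):
                    i += 1  # space-separated form: skip the option's value
            else:
                hosts.append(t)
            i += 1
        for d in dirs:
            fs, notes = containing_fs(d, mounts), []
            # Assumption from the reply: the filesystem is the exposure boundary.
            if os.path.normpath(d) != fs or "alldirs" in opts:
                notes.append("treat all of %s as reachable" % fs)
            if any(o.split(":")[0] in ("maproot=root", "maproot=0") for o in opts):
                notes.append("client root maps to server root")
            if not hosts and not any(o.startswith("network") for o in opts):
                notes.append("no host restriction")
            findings.append((d, fs, notes))
    return findings
```

Calling `audit(SAMPLE_EXPORTS, SAMPLE_MOUNTS)` returns one tuple per exported directory; on a real server the mount list would come from the output of `mount`.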