Date:      Tue, 29 Jul 2014 14:59:35 -0700
From:      "Russell L. Carter" <rcarter@pinyon.org>
To:        Rick Macklem <rmacklem@uoguelph.ca>, freebsd-net@freebsd.org
Subject:   Re: nfsd spam in /var/log/messages
Message-ID:  <53D81947.2060801@pinyon.org>
In-Reply-To: <1188535120.4997158.1406666900373.JavaMail.root@uoguelph.ca>
References:  <1188535120.4997158.1406666900373.JavaMail.root@uoguelph.ca>



On 07/29/14 13:48, Rick Macklem wrote:
> Russell L. Carter:

> 
> The "directories within a file system" exports are only enforced by
> the Mount protocol that NFSv3 uses to talk to mountd. (NFSv4 does not
> use the Mount protocol.) These are considered "administrative controls",
> which is a nice way of saying "they aren't actually enforced by the kernel
> because there is no easy way to do so, but will discourage trivial attempts
> to do NFSv3 mounts".
>
> Personally, I've never liked these "administrative controls", but others
> feel they are useful (introduced long long ago by SunOS) and getting rid
> of them would be considered a POLA violation. (This was one of the reasons
> why nfse was never adopted as a replacement for mountd.)
> 
> Various people have tried to clarify this in "man exports". Any patches
> that improve this will be appreciated. (It just seems to be a difficult
> thing to explain.)

I performed two more experiments with more than one "V4:" line in
exports(5) (all zfs sharenfs=on filesystems):

V4: /export/usr
V4: /export/library

and

V4: /export
V4: /export2

but mountd complains e.g.: "different V4 dirpath /export/usr"
(Note that the

So to tighten up just slightly the situation as you have described it:

"There can only be one NFSv4 root filesystem per server, and any client
 host granted NFSv4 access to any subdirectory of that root exported
 filesystem can also mount any other subdirectory of the root exported
 filesystem."

Why not just say this in exports(5)?  As I originally observed,
another way of saying this is that for -sec=sys, no per-host (or
per-network) access control for the subdirectories of the single
NFSv4 exported filesystem is possible.

I don't actually think very much is problematical about this
situation, because w/o krb5 the protocol is insecure (IMHO).  I was
just very curious what the current state of play was, *exactly*.

Anyway, thanks for your patience explaining this stuff to me.

Ok, I think that I can stop gnawing on this bone now...

Best,
Russell
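An added example, not part of the thread above or of FreeBSD's mountd: a small POSIX sh/awk lint that reads exports(5)-style text and reports the condition the message describes, more than one "V4:" line naming different dirpaths. It assumes the whitespace-separated "V4: dirpath" form; the sample exports content is constructed for the example.

```sh
#!/bin/sh
# Constructed sample exports(5) contents (not from the thread): two V4:
# lines that declare different NFSv4 roots, which mountd rejects.
SAMPLE_EXPORTS='/export/usr -maproot=root 192.0.2.10
/export/library -ro 192.0.2.0/24
V4: /export/usr -sec=sys 192.0.2.0/24
V4: /export/library -sec=sys 192.0.2.0/24'

# Constructed sample with a single V4 root and ordinary export lines
# for directories beneath it; this form is accepted.
GOOD_EXPORTS='V4: /export -sec=krb5i 192.0.2.0/24
/export/usr -ro 192.0.2.0/24
/export/library -ro 192.0.2.0/24'

# check_v4_roots: read exports(5)-style text on stdin and print every
# "V4:" dirpath that differs from the first one declared (mirroring
# mountd's "different V4 dirpath" complaint). Returns 0 when at most
# one distinct V4 root is declared, 1 otherwise.
check_v4_roots() {
    awk '
        # drop comments and blank lines before looking at fields
        { sub(/#.*/, "") }
        NF == 0 { next }
        $1 == "V4:" {
            if (first == "") { first = $2; next }
            if ($2 != first) {
                print "different V4 dirpath " $2
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Stand-alone usage: lint the two constructed samples.
printf '%s\n' "$SAMPLE_EXPORTS" | check_v4_roots || echo "sample: rejected"
printf '%s\n' "$GOOD_EXPORTS" | check_v4_roots && echo "good: accepted"
```

Run it against a real file with `check_v4_roots < /etc/exports`; it only checks the V4 root rule, not the per-host lines, whose subdirectory restrictions the thread explains are administrative controls for NFSv3 mounts.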
