Date:      Sat, 16 Apr 2016 13:59:35 +1000 (EST)
From:      Bruce Evans <brde@optusnet.com.au>
To:        Raimundo Santos <raitech@gmail.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: Why anyone can read and write to a nobody NFS mounted volume?
Message-ID:  <20160416100811.Y905@besplex.bde.org>
In-Reply-To: <CAGQ6iC9eOUke4nL7Tktcq0=gj6VOXULEq_ruSys859od+d1tTw@mail.gmail.com>
References:  <CAGQ6iC9eOUke4nL7Tktcq0=gj6VOXULEq_ruSys859od+d1tTw@mail.gmail.com>

On Fri, 15 Apr 2016, Raimundo Santos wrote:

> I have a strange situation: everyone and not just root can read and write
> to a NFS mount point whose owner is nobody:nobody.
>
> Is this an expected behaviour?
>
> FreeBSD 10.2 RELEASE as NFS client.
> Seagate NAS400 as NFS server.

This is, unfortunately, expected.

The defaults for nobody used to be 32767:9999.  This was broken in FreeBSD
in 1995 by changing them to 65534:65534.  This conflicts with the best
defaults for maproot and mapall on nfs servers.

nfs servers should default to mapping to ids below 65535, so that the
defaults work on clients with 16-bit ids.  65534 is a good choice,
unless you want to support clients with 8-bit ids, when 254 is a good
choice.

Your server apparently uses good defaults, giving the expected conflict
with the misconfigured client.

This bug is normally not noticed, since FreeBSD servers are
misconfigured by default to the mappings -2:-2.  -2 is an invalid id.
It last worked in FreeBSD-1.  Then 3 or 4 layers of magic turned this
into the good value of 65534.  The magic included ids being 16 bits.
It would have worked right to reduce 65534 to 254 if ids had been
reduced to 8 bits, but it worked wrong to increase 65534 to 4294967294
when ids were increased to 32 bits.  4294967294 not only breaks 16-bit
clients; it is too hard to remember or type, and is misparsed by the
parser in mountd.  The misconfigurations compensate for each other.
See exports(5) for less details.

Bruce
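The truncation arithmetic behind the -2 discussion above, as an added example; this is not code from the post or from FreeBSD's mountd. It computes what the sentinel id -2 becomes when stored in an unsigned id field of 8, 16 or 32 bits (the widths the message names), and checks whether the resulting server-side anonymous id still fits a client with narrower ids. The function names and the 16-bit "client" are this example's own assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Value of the sentinel -2 once it is stored in an unsigned id field
 * `bits` wide (8, 16 or 32 in this example; 64 is handled for safety).
 * -2 converted to uint64_t is 0xFFFF...FFFE; masking keeps the low bits. */
uint64_t anon_id_for_width(unsigned bits)
{
    uint64_t mask = (bits >= 64) ? UINT64_MAX : (((uint64_t)1 << bits) - 1);
    return (uint64_t)(-2) & mask;
}

/* Largest id a client with `client_bits`-wide ids can represent. */
uint64_t max_id_for_width(unsigned client_bits)
{
    return (client_bits >= 64) ? UINT64_MAX
                               : (((uint64_t)1 << client_bits) - 1);
}

/* Does an id handed out by the server fit in the client's id type?
 * Returns 1 if it does, 0 if the client would have to truncate it. */
int id_fits_client(uint64_t server_id, unsigned client_bits)
{
    return server_id <= max_id_for_width(client_bits);
}

/* Does the server's anonymous id collide with the client's "nobody" uid?
 * This is the situation in the thread: a server mapping everyone to
 * 65534 on a FreeBSD client whose nobody is also 65534. */
int anon_collides_with_nobody(uint64_t server_anon, uint64_t client_nobody)
{
    return server_anon == client_nobody;
}

int main(void)
{
    const unsigned widths[] = { 8, 16, 32 };
    const unsigned client_bits = 16;      /* assumed 16-bit-id client */
    const uint64_t freebsd_nobody = 65534; /* FreeBSD nobody since 1995 */

    printf("id width  value of -2     fits %u-bit client\n", client_bits);
    for (unsigned i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        uint64_t anon = anon_id_for_width(widths[i]);
        printf("%8u  %-14" PRIu64 "  %s\n", widths[i], anon,
               id_fits_client(anon, client_bits) ? "yes" : "no");
    }

    printf("server anon 65534 == client nobody? %s\n",
           anon_collides_with_nobody(anon_id_for_width(16), freebsd_nobody)
               ? "yes" : "no");
    return 0;
}
```

With 16-bit ids -2 is 65534 and fits every 16-bit client; with 32-bit ids it is 4294967294, which a 16-bit client cannot represent, which is the mismatch the message describes. The collision check is the thread's actual situation: a server that maps everyone to 65534 makes every remote user look like the client's own nobody.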


