Date: Sun, 29 Oct 1995 13:47:49 -0500
From: "Garrett A. Wollman" <wollman@lcs.mit.edu>
To: Dmitry Khrustalev <dima@bog.msu.su>
Cc: freebsd-bugs@freebsd.org, doc@freebsd.org
Subject: Re: 2.0.5-RELEASE: NFS cannot export 2 dirs on 1 partition?
Message-ID: <9510291847.AA26329@halloran-eldar.lcs.mit.edu>
In-Reply-To: <Pine.SOL.3.91.951028174809.27049A-100000@sunny.bog.msu.su>
References: <199510281408.QAA06981@dog.farm.org> <Pine.SOL.3.91.951028174809.27049A-100000@sunny.bog.msu.su>

[Sorry for the cross-post. This should go into the handbook if it
hasn't already. Note Reply-To.]

<<On Sat, 28 Oct 1995 17:51:41 +0300 (????), Dmitry Khrustalev <dima@bog.msu.su> said:

>> can't change attributes for /usr/ports
>> bad exports list line /usr/ports [machines where dir in exported to]
>>
>> and same for /xvar/pubhome.
>>

> This is intended behavior. You can have only one export per filesystem.
> Check -alldirs export option, maybe it will help you.

Just to expand the story a little bit...

In the beginning, Sun's kernel NFS server didn't make any (host)
access-control checks at all. If you give it a file handle, it will
believe out of the goodness of its heart that your intentions are pure
and you obtained that handle legitimately. Sun's NFS implementation
relied solely on `mountd' to perform ALL of its host access-control
checking. Naturally, with packet-sniffing being as common as it is,
this is a really, really bad idea (and one of the reasons why people
say that NFS combines all the wonderful filesystem semantics of MS-DOS
with all the security of MS-DOS).

In FreeBSD, by contrast, all accesses are checked /by the kernel/
against a per-mount-point host access-control list. This can raise
some problems for people because there is only one such list per mount
point, so it is impossible to provide different access control for
different directories in the same filesystem. Rather than permit an
even greater false sense of security, FreeBSD simply disallows the
operation.

It is theoretically possible to hang per-host access controls off of
every directory or even file, but that would be an incredibly large
amount of work and overhead for a minuscule gain in security.

-GAWollman

--
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA| who like Shashish.
- Claude McKenzie + Florent Vollant
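
Added example, not part of the original message and not FreeBSD's own code: a small lint that applies the rule stated above (one host access list per filesystem) to an exports file, flagging filesystems that are named on more than one line. The mount table, the exports lines and the simplified syntax are constructed assumptions.

```python
import posixpath
from collections import defaultdict

# Constructed sample data, not taken from the original message.
MOUNT_POINTS = ["/", "/usr", "/xvar"]
EXPORTS = """\
# dir [dir ...] [-flag ...] host [host ...]
/usr/ports      hostA hostB
/xvar/pubhome   -ro hostA
/usr/src        hostC
/home           hostA
"""

def filesystem_of(path, mount_points):
    """Return the longest mount point that contains path."""
    path = posixpath.normpath(path)
    best = None
    for mp in mount_points:
        prefix = mp.rstrip("/") + "/"
        if path == mp or path.startswith(prefix):
            if best is None or len(mp) > len(best):
                best = mp
    return best

def parse_exports(text):
    """Yield (line number, directories, access list) per entry.

    Simplified syntax (an assumption): no line continuations and no
    flags that take a separate argument."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        dirs = [f for f in fields if f.startswith("/")]
        acl = frozenset(f for f in fields if not f.startswith("/"))
        yield lineno, dirs, acl

def conflicting_exports(text, mount_points):
    """Map each filesystem to its export lines when it has more than one."""
    by_fs = defaultdict(list)
    for lineno, dirs, acl in parse_exports(text):
        for fs in {filesystem_of(d, mount_points) for d in dirs}:
            by_fs[fs].append((lineno, acl))
    return {fs: e for fs, e in by_fs.items() if len(e) > 1}

if __name__ == "__main__":
    found = conflicting_exports(EXPORTS, MOUNT_POINTS)
    for fs, entries in sorted(found.items()):
        print(f"{fs}: lines {[n for n, _ in entries]} compete for one access list")
```

In the sample, /usr/ports and /usr/src sit on the same filesystem with different host lists, which is the situation the message says is disallowed.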