From: mike tancsa
To: FreeBSD Questions
Date: Wed, 16 Mar 2022 11:19:25 -0400
Subject: Re: nfsv4 export and foot shooting
Message-ID: <4252a479-3caf-df88-2c8a-c5dc88616bd5@sentex.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

OK, I *think* I see what might be going on and not sure if more documentation is needed in the man page to flag this or this is very much the way it's supposed to work.

My UFS server in the example below has just one file system mounted. So in this case,

/dev/gpt/rootfs   /       ufs rw      1       1

On another server, which is ZFS based, I can have an exports file that is "safe" as so

V4: /
/nano-images   -network 192.168.0.0/24
/usr/src   -ro -network 192.168.0.0/24

This is safe as each of those export lines are mount points on their own

So if I have an exports file consisting of

V4: /
/nano-images   -network 192.168.0.0/24
/usr/src   -ro -network 192.168.0.0/24

things work as expected from a client POV.  The client in 192.168.0.0/24 can mount /usr/src and nano-images, but NOT mount / and see data.

but if I add

/usr/obj -ro   -network 192.168.0.0/24

which is just a subdirectory of /, a client in /usr/obj is able to mount / with nfsv4

My guess is it's supposed to work this way, but is there a way to prevent it from working that way?

    ---Mike

On 3/16/2022 10:37 AM, mike tancsa wrote:
> I am trying to get my head around the nfsv4 way of thinking about the
> exports format and can't quite see how the best way to do it is.  I
> have a build server where I build world and packages daily. Ideally,
> on a client machine, I would like to mount /usr/src and /usr/obj
> read-only so I can install world from there.
>
> For nfsv4, the export line says I need to specify the root directory
> first. But I don't want to export all of /
>
> Is there no way to just export /usr/src and /usr/obj and nothing above
> it?
>
> It seems if I just have
>
> V4:/
> /usr/src /usr/obj -ro -network 192.168.0.0/16
>
> 192.168.0.0/16 is able to mount / from the server which is not what I
> want
>
> If I put V4:/usr it will work, but then 192.168.0.0/16 can still
> access /usr/bin etc on the server.
>
> having an export file with JUST
>
> V4: /
>
> sort of makes sense in that no one can mount anything
>
> but progressing to
>
> V4:/
> /usr/src /usr/obj -ro -network 192.168.0.0/16
>
> means that 192.168.0.0/16 can mount /usr/src and /usr/obj, but also /
> which seems counterintuitive.
>
> The server's rc.conf is just
>
> nfsv4_server_enable="YES"       # Enable support for NFSv4
> nfsv4_server_only="YES"
> nfs_server_enable="YES"
>
> This is 13.1-STABLE. The server is UFS
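
A check for the situation described in this message, as an added example that is not part of the original post: it lists exported directories that are not mount points of their own, together with the file system that ends up reachable. The function names and the mount-list file (one mount point per line) are assumptions made for this example, and the sample files are constructed from the exports lines quoted in the thread.

```shell
# Added example: flag exported directories that are not mount points.
# Assumption (from the thread): such an export exposes the containing file system.

# containing_mount DIR MOUNTS_FILE: longest mount point that contains DIR.
containing_mount() {
    best=/
    while IFS= read -r mp; do
        case "$1/" in
            "${mp%/}"/*) if [ "${#mp}" -gt "${#best}" ]; then best=$mp; fi ;;
        esac
    done < "$2"
    printf '%s\n' "$best"
}

# audit_exports EXPORTS_FILE MOUNTS_FILE
# Prints "DIR -> FS" for every exported DIR that is only a subdirectory of FS.
audit_exports() {
    sed -e 's/#.*//' "$1" | (
        set -f                          # no globbing when splitting fields
        while read -r line; do
            case $line in ''|V4:*) continue ;; esac   # V4: line exports nothing
            for field in $line; do
                case $field in
                    -*) break ;;        # options begin, directories are done
                    /*) if ! grep -qxF -e "$field" "$2"; then
                            printf '%s -> %s\n' "$field" "$(containing_mount "$field" "$2")"
                        fi ;;
                esac
            done
        done
    )
}

# Constructed sample: the ZFS-based server from the thread, where /nano-images
# and /usr/src are their own mount points and /usr/obj is a plain directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' / /nano-images /usr/src > "$tmp/mounts"
    cat > "$tmp/exports" <<'EOF'
V4: /
/nano-images   -network 192.168.0.0/24
/usr/src   -ro -network 192.168.0.0/24
/usr/obj -ro   -network 192.168.0.0/24
EOF
    audit_exports "$tmp/exports" "$tmp/mounts"
    rm -rf "$tmp"
}

demo    # prints: /usr/obj -> /
```

On a live FreeBSD server the mount list can be produced with `mount -p | awk '{print $2}'` and passed as the second argument alongside `/etc/exports`.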