Date: Mon, 4 Jan 1999 22:56:09 +0000 (GMT) From: Terry Lambert <tlambert@primenet.com> To: patton@sysnet.net (Matthew Patton) Cc: freebsd-questions@FreeBSD.ORG Subject: Re: NFS loopback mounts Message-ID: <199901042256.PAA21649@usr05.primenet.com> In-Reply-To: <l0311070cb2a8c196440e@[192.168.1.10]> from "Matthew Patton" at Dec 25, 98 00:03:06 am
next in thread | previous in thread | raw e-mail | index | archive | help
[ ... loopback mounts ... ] > I was doing a 'make update' (cvsup) on /usr/src and NFS consistantly went > out to lnuch on fortunes.dat (first file of notable size). Whatever it did, > it took out all NFS exporting which led to hung machines on my little > network. Tracking the cause of this down would be a good idea. This contradicts the theory that all such hangs are not the result of a faulty state machine, but the result of lost RPC packets not being correctly retried after the RPC ack but before the RPC response (this is a well known protocol design error -- in fact, it is the source of the FIN-WAIT-2 problem in TCP). With the client and server the same machine, and using the loopback interface, it can't be "lost packets". > Now onto a mountd question. I've noticed the different behavior exhibited > by the 3 more popular free unix's. If no host is specified in /etc/exports, > OpenBSD tosses the line, FreeBSD defaults to everyone (with whatever > options provided), and Linux uses everyone but explicitely changes the > mount type to be anonymous (nosuid, nodev etc). I think the Linux guys for > once came up with the best solution. Is there any interest in folding in > the Linux everyone=anonymous behavior? I think that the default should be whatever you specify. I was under the impression that an empty /etc/exports would start the daemons, but not export anything. If things are getting exported, then this is broken. The problem is probably in the per FS code that handles NFS export notification. This code should be moved to a higher level, but that would require moving the mapping of the mounted FS's to a higher level. In the current code, the mount point covering and the NFS export code are in the per FS mount code (hence the inability to NFS export some FS types. Basically, this would mean that the FS specific mount code should not know where in the hierarchy the FS is being mounted, and the vnode covering should be handled in the upper level code. Effectively, this is a pretty trivial change to make, and it greatly simplifies the root mount code at the same time. The result is all FS's are NFS exportable and all FS's can be mounted as the root FS. The only complication is that FS's with a "last mounted on" field (like FFS) would need a VOP_LASTMOUNTEDON() to allow the setting of the string into the superblock after the mapping into the hierarchy. > Likewise Free/OpenBSD lack the ability to export filesystems except at > their mount points. Right now I have to export all of /export/2 (above) > with the -alldirs flag instead of something like /export/2/FreeBSD -options. This is a security consideration. Basically, if you specify a subdirectory, then you provide an nfsnode that represents an inode not at the root of the device. The problem with this is that you are then able to start a sequence at a mountpoint other than the root. This can effectively defeat user/group based protections on directories that depend on the remote user traversing to the directory from the root directory of the exported FS. There is actually a CERT advisory (againse SunOS 4.1.2, I think) about this problem. You are intentionally defeating a number of security protections (three, from memory) by allowing inferior directories with inode numbers other than 2 to be accessed directly. Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199901042256.PAA21649>