From owner-freebsd-current Sun Aug 1 21:22:16 1999
Delivered-To: freebsd-current@freebsd.org
Received: from cs.rpi.edu (mumble.cs.rpi.edu [128.213.8.16]) by hub.freebsd.org (Postfix) with ESMTP id 9665B14E82 for ; Sun, 1 Aug 1999 21:22:14 -0700 (PDT) (envelope-from crossd@cs.rpi.edu)
Received: from cs.rpi.edu (phoenix.cs.rpi.edu [128.113.96.153]) by cs.rpi.edu (8.9.3/8.9.3) with ESMTP id AAA65570; Mon, 2 Aug 1999 00:21:46 -0400 (EDT)
Message-Id: <199908020421.AAA65570@cs.rpi.edu>
To: Jason Young
Cc: Kevin Day, Matthew Dillon, Martin Blapp, freebsd-current@FreeBSD.ORG, crossd@cs.rpi.edu
Subject: Re: mountpoint locking with fbsd-nfs
In-Reply-To: Message from Jason Young of "Sun, 01 Aug 1999 23:01:01 CDT."
Date: Mon, 02 Aug 1999 00:21:43 -0400
From: "David E. Cross"
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> IIRC, mount permissions (i.e., what IP addresses, root UID mangling, etc)
> are set per filesystem. Given a filesystem structure like this:
>
> > df
> Filesystem   1K-blocks     Used    Avail Capacity  Mounted on
> /dev/da0s1a     127023    27151    89711    23%    /
> /dev/ccd0c     8321099  2391764  5263648    31%    /home
> /dev/da0s1e    2032623   732806  1137208    39%    /usr
> /dev/da1s1f    2032623   816051  1053963    44%    /var
> /dev/ccd1c     4001742  1571210  2110393    43%    /var/mail
> procfs               4        4        0   100%    /proc
>
> You can only set IP addresses to be exported to and other options only
> once for the /usr filesystem, once for the /var filesystem, etc.
>
> This doesn't mean if I export /home/doogie to 192.168.40.1 that that IP
> address can mount /home. Mount still controls the mountpoints allowed.
>
> If you want to export multiple mountpoints of the same filesystem, you
> need to specify them all on one line with one options set. Like this:
>
> /home/doogie /home/joebob /home/luser -maproot=0:0 testbox.accessus.net
>
> Jason Young
> accessUS Chief Network Engineer
>
> PS: I just realized the manpage disagrees with this; it has multiple
> exports lines for the same filesystem. I believe the manpage is wrong, at
> least in that it doesn't reflect reality. Comments from anybody?

If you have /home as a filesystem and you export /home/userj to the machine
'foo', 'foo' in reality has access to all of home; it is the reality of how
NFS "works". In reflecting this, it kinda makes sense to place the access
controls on the filesystem itself, since that is the only thing that is
realistically determinable to the nfs "daemon" <-- term used lightly.

I believe that it is OK to have the following:

/usr -ro badhost
/usr goodhost

(as long as the permissions are not contradictory it is ok)... In fact we use
that a lot here. We run into problems here because we use netgroups and will
have a single machine in multiple netgroups... ala:

/share -ro freebsd3
/share trusted

where trusted and freebsd3 share a couple of members, and the mountd chokes
trying to resolve the conflict.

--
David Cross                               | email: crossd@cs.rpi.edu
Systems Administrator/Research Programmer | Web: http://www.cs.rpi.edu/~crossd
Rensselaer Polytechnic Institute,         | Ph: 518.276.2860
Department of Computer Science            | Fax: 518.276.4033
I speak only for myself.                  | WinNT:Linux::Linux:FreeBSD
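An added example, not part of the original message: a small audit of an exports file for the two conditions discussed in this thread, a subdirectory export that in practice exposes the whole filesystem, and a host that matches the same filesystem under two different option sets through overlapping netgroups. The /share mount point, the netgroup member names and the finding labels are assumptions made for illustration; the parser covers only the line forms quoted above.

```python
# Constructed sample data. Mount points come from the df output quoted in the
# thread, plus /share; netgroup member names are invented for illustration.
MOUNTPOINTS = ["/", "/home", "/usr", "/var", "/var/mail", "/proc", "/share"]
NETGROUPS = {"freebsd3": {"fb1", "fb2", "shared1"},
             "trusted": {"shared1", "admin1"}}
EXPORTS = """\
/home/doogie /home/joebob /home/luser -maproot=0:0 testbox.accessus.net
/usr -ro badhost
/usr goodhost
/share -ro freebsd3
/share trusted
"""

def filesystem_of(path, mountpoints=MOUNTPOINTS):
    """Return the longest mount point that contains `path`."""
    hits = [m for m in mountpoints
            if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len)

def parse_exports(text):
    """Yield (paths, options, hosts) for each line. Simplified: handles only
    the forms shown in the thread, not -network/-mask arguments."""
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if fields:
            yield ([f for f in fields if f.startswith("/")],
                   frozenset(f for f in fields if f.startswith("-")),
                   [f for f in fields if not f.startswith(("/", "-"))])

def audit(text, netgroups=NETGROUPS):
    """Flag subdirectory exports (the client can reach the whole filesystem)
    and hosts that match one filesystem under two different option sets."""
    findings, seen = [], {}  # seen: filesystem -> [(options, member hosts)]
    for paths, opts, hosts in parse_exports(text):
        members = set()
        for h in hosts:  # a name is a netgroup if defined, else a single host
            members |= netgroups.get(h, {h})
        for fs in sorted({filesystem_of(p) for p in paths}):
            if any(p != fs for p in paths if filesystem_of(p) == fs):
                findings.append(("whole-fs-exposure", fs, tuple(sorted(hosts))))
            for other_opts, other_members in seen.get(fs, []):
                clash = members & other_members
                if clash and other_opts != opts:
                    findings.append(("conflicting-options", fs, tuple(sorted(clash))))
            seen.setdefault(fs, []).append((opts, members))
    return findings

if __name__ == "__main__":
    for finding in audit(EXPORTS):
        print(finding)
```

The /usr pair produces no finding because badhost and goodhost do not overlap, while the /share pair is flagged for the one member the two netgroups have in common.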