Date: Wed, 16 Oct 2013 11:28:05 +0200
From: Andrea Venturoli <ml@netfence.it>
To: freebsd-questions@freebsd.org
Subject: NFSv4 security
Message-ID: <525E5C25.5070305@netfence.it>
Hello.

Since I replaced my server with a 9.2 one, I'm playing with NFSv4 to test it.
However something does not work as I expect and I'm not sure if I understand
it correctly or am doing some mistake.

Server side, this was my export:

> /usr/home /usr/ports -maproot=root 192.168.0.15

To enable NFSv4, I changed it like this:

> V4:/ 192.168.0.15
> /usr/home /usr/ports -maproot=root 192.168.0.15

(Of course, in the example above, I could root V4 at /usr, but this is going
to grow; besides, this is not the point).

Now, on the client, I can:

> mount -o nfsv4 192.168.0.1:/usr/ports /mnt/temp/

or

> mount -o nfsv4 192.168.0.1:/usr/home /mnt/temp/

Both work.

Now, let's try to break in, going where I don't think I should be able to go.

> mount -o nfsv4 192.168.0.1:/ /mnt/temp/

This is allowed; no surprises; quoting "man nfsv4":

> The nfsd(8) allows a limited subset of operations to be performed on
> non-exported subtrees of the local file system, so that traversal of the
> tree to the exported subtrees is possible.

Well, let's try it:

> # ls /mnt/temp/

(no output)

Fine.

> # ls /mnt/temp/usr
> .snap bin games home include lib lib32 libdata libexec local obj ports sbin share src

Strange, I thought I would get an empty list here, too (!!!!).

> # ls /mnt/temp/usr/bin/
> CC chsh file ipcs mailq pawd soelim users
> Mail ci file2c jobs mailx perl sort uudecode
> addftinfo cksum find join make perl5 split uuencode
> addr2line clang finger jot makeinfo perror sscop vacation
> afmtodit clang++ flex kadmin makewhatis pfbtops ssh verify_krb5_conf
> ...

What??? /usr/bin is not needed to get to /usr/home or /usr/ports/.

> # touch /mnt/temp/usr/bin/newbin
> # ls /mnt/temp/usr/bin/|grep newbin
> newbin

Hell! This is NOT supposed to work, as far as I understand it.

Why this? Did I understand the docs wrong?
(Besides, can someone give any link to a good description of how and why this
tree thing was introduced?).
Is this some sort of interaction with older NFS?
Is something wrong with the following fragment of my server-side rc.conf:

> #New NFSv4 config
> rpcbind_enable="YES"
> rpcbind_flags="-ls"
> nfs_server_enable="YES"
> nfsv4_server_enable="YES"
> nfsuserd_enable="YES"
> #Old NFSv3 config, might be removed in the future
> nfs_server_flags="-u -n 8 -t"
> nfs_reserved_port_only="YES"
> rpc_statd_enable="YES"
> rpc_statd_flags="-p 918"
> rpc_lockd_enable="YES"
> rpc_lockd_flags="-p 868"
> #mountd_enable="YES"
> mountd_flags="-p 685"

bye & Thanks
av.
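A server-side check, added here as an example and not part of the post or of FreeBSD itself: exports(5) entries name directories, but the export is granted for the whole local file system that contains each one, so this script reports which file system every listed path really exposes. The mount table and the exports fragment are constructed and embedded (the exports lines follow the post's layout); on a live server you would substitute the mount points from `mount -p`.

```shell
#!/bin/sh
# Added example: map each directory named in /etc/exports to the local
# file system (mount point) that actually gets exported with it.

# Constructed mount points of the server, one per line (assumption:
# /usr and /var are separate file systems, as in a classic install).
MOUNTS="/
/usr
/var"

# Constructed /etc/exports fragment, laid out like the one in the post.
EXPORTS="V4:/ 192.168.0.15
/usr/home /usr/ports -maproot=root 192.168.0.15"

# fs_of PATH: print the longest mount point that is a prefix of PATH.
fs_of() {
    best=/
    for m in $MOUNTS; do
        case "$1" in
            "$m"|"$m"/*)
                if [ ${#m} -gt ${#best} ]; then best=$m; fi ;;
        esac
    done
    printf '%s\n' "$best"
}

# export_scope: for every directory in EXPORTS (the V4: root line and
# comments skipped), print "directory<TAB>file system".
export_scope() {
    printf '%s\n' "$EXPORTS" | while IFS= read -r line; do
        case "$line" in V4:*|\#*|"") continue ;; esac
        for w in $line; do
            case "$w" in
                /*) printf '%s\t%s\n' "$w" "$(fs_of "$w")" ;;
                *)  break ;;   # first flag or host ends the directory list
            esac
        done
    done
}

# exposed_filesystems: the distinct file systems the exports file opens up.
exposed_filesystems() {
    export_scope | cut -f2 | sort -u
}

export_scope
echo "file systems reachable through these exports:"
exposed_filesystems
```

If a path such as /usr/bin is under a listed file system here, it is reachable through the export even though no exports line names it.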