From: Aryeh Friedman
Date: Fri, 24 Jul 2020 07:10:16 -0400
Subject: Re: Technological advantages over Linux
To: Matthew Seaman
Cc: FreeBSD Mailing List
References: <20200214121620.GA80657@admin.sibptus.ru> <20200724032840.GA61047@admin.sibptus.ru>
List-Id: User questions (freebsd-questions@freebsd.org)

On Fri, Jul 24, 2020 at 6:58 AM Matthew Seaman wrote:
> On 24/07/2020 11:17, Aryeh Friedman wrote:
> > On Thu, Jul 23, 2020 at 11:59 PM hw wrote:
> >
> >> You can add that NFS in FreeBSD is a catastrophe. Basically, you can only
> >> export whole file systems with permissions applying to the whole file
> >> system, and that practically makes NFS unusable.
> >> That means
> >>
> >
> > Then please tell my server that it is not working according to your
> > incorrect pre-conceived notions that you got from god knows where (almost
> > certainly not actually trying them):
> >
> > aryeh@server% df -k
> > Filesystem          1024-blocks      Used     Avail Capacity  Mounted on
> > zroot/ROOT/default    746429772   8341664 738088108     1%    /
> > devfs                         1         1         0   100%    /dev
> > zroot/var/mail        738088368       260 738088108     0%    /var/mail
> > zroot                 738088196        88 738088108     0%    /zroot
> > zroot/var/crash       738088196        88 738088108     0%    /var/crash
> > zroot/usr/home        743229452   5141344 738088108     1%    /usr/home
> > zroot/var/audit       738088196        88 738088108     0%    /var/audit
> > zroot/var/tmp         738088196        88 738088108     0%    /var/tmp
> > zroot/var/log         738089452      1344 738088108     0%    /var/log
> > zroot/tmp             738095972      7864 738088108     0%    /tmp
> > zroot/usr/src         739510796   1422688 738088108     0%    /usr/src
> > zroot/usr/ports       740825596   2737488 738088108     0%    /usr/ports
> > aryeh@server% cat /etc/exports
> > /usr/local/com -maproot=root -network 192.168.11/24
> > /usr/home -maproot=root -network 192.168.11/24
> > aryeh@server% logout
> > Connection to server.lan.fnwe.net closed.
> > Desktop@neomarx% df -k
> > Filesystem             1024-blocks      Used     Avail Capacity  Mounted on
> > /dev/ada1p2              964663364 689635324 197854972    78%    /
> > devfs                            1         1         0   100%    /dev
> > server:/usr/home         743229392   5141336 738088056     1%    /usr/home
> > server:/usr/local/com    746429720   8341664 738088056     1%    /usr/local/com
>
> While it is certainly possible to NFS export and mount subdirectories of
> a partition or ZFS, it is also something where there have been a number
> of exploits allowing a client machine to break out of the sub-tree
> allocated to it and see the contents of the rest of the partition.
>
> I don't think that is a current vulnerability in FreeBSD, but best
> practice IMHO is to put your exported directory trees into a different
> partition or partitions (ZFSes in this case) than the root of your host
> system -- particularly not in the same ZFS as /etc.
>

On an isolated (double NAT'ed and firewalled) LAN that only trusted users
use (my significant other is also a programmer and thus I trust them
completely) it shouldn't matter all that much (besides for the truly
paranoid). Also devel/aegis requires /usr/local/com to be available
universally to any NFS clients that use aegis (and despite being the
maintainer I have not found an "easy" way to allow this to be configurable)
and it has to be in the same logical file system as the aegis executables
(/usr/local/bin).

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
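A mechanical check for the best practice Matthew describes, as an added example that is not part of the thread: it takes df -k and /etc/exports output as constructed inline strings (abbreviated from the ones quoted above) and flags each export that is a sub-tree of a larger filesystem rather than a mount point of its own, and each export that shares its filesystem with /etc. It assumes the simple one-directory-per-line /etc/exports form and uses only sh and awk.

```shell
#!/bin/sh
# Constructed sample input modelled on the df -k and /etc/exports output
# quoted in the thread (abbreviated); not captured from any real host.
SAMPLE_MOUNTS='zroot/ROOT/default 746429772 8341664 738088108 1% /
devfs 1 1 0 100% /dev
zroot/var/mail 738088368 260 738088108 0% /var/mail
zroot/usr/home 743229452 5141344 738088108 1% /usr/home
zroot/tmp 738095972 7864 738088108 0% /tmp'
SAMPLE_EXPORTS='/usr/local/com -maproot=root -network 192.168.11/24
/usr/home -maproot=root -network 192.168.11/24'

# Find the filesystem containing a path: the mount point (last df column)
# that is the longest prefix of the path. Prints "<filesystem> <mountpoint>".
fs_of() {
    printf '%s\n' "$SAMPLE_MOUNTS" | awk -v p="$1" '
        { mp = $NF
          if (p == mp || mp == "/" || index(p, mp "/") == 1) {
              if (length(mp) > length(best_mp)) { best_mp = mp; best_fs = $1 }
          } }
        END { print best_fs, best_mp }'
}

# Audit every export. Status "own-fs" means the export is a mount point of
# its own; "subtree" means the client is handed part of a larger filesystem.
# ",shares-fs-with-/etc" is appended when that filesystem also holds /etc.
# Prints one line per export: "<path> <status> <filesystem>".
audit_exports() {
    etc_fs=$(fs_of /etc | cut -d' ' -f1)
    printf '%s\n' "$SAMPLE_EXPORTS" | while read -r dir _rest; do
        set -- $(fs_of "$dir")
        fs=$1; mp=$2
        if [ "$mp" = "$dir" ]; then status=own-fs; else status=subtree; fi
        if [ "$fs" = "$etc_fs" ]; then status="$status,shares-fs-with-/etc"; fi
        printf '%s %s %s\n' "$dir" "$status" "$fs"
    done
}

audit_exports
```

On a real host, replace the two sample strings with the output of `df -k | tail -n +2` and `cat /etc/exports`; with the thread's layout, /usr/local/com is reported as a sub-tree of zroot/ROOT/default (the dataset holding /etc) while /usr/home is a dataset of its own.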