Date:      Fri, 24 Jul 2020 11:57:51 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Technological advantages over Linux
Message-ID:  <fe6ae329-16fd-825f-74cb-f84155b51c89@FreeBSD.org>
In-Reply-To: <CAGBxaXnyWnVYVrrngMGXhpevRn5ZBou9kKcE-4EmDmfdgoXhUg@mail.gmail.com>
References:  <20200214121620.GA80657@admin.sibptus.ru> <20200724032840.GA61047@admin.sibptus.ru> <bb4b45c49da2c1b3a4cb66512eb52b710c7d1da7.camel@adminart.net> <CAGBxaXnyWnVYVrrngMGXhpevRn5ZBou9kKcE-4EmDmfdgoXhUg@mail.gmail.com>

On 24/07/2020 11:17, Aryeh Friedman wrote:
> On Thu, Jul 23, 2020 at 11:59 PM hw <hw@adminart.net> wrote:
>
>>
>> You can add that NFS in FreeBSD is a catastrophe.  Basically, you can only
>> export whole file systems with permissions applying to the whole file
>> system, and that practically makes NFS unusable.  That means
>>
>
> Then please tell my server that it is not working according to your
> incorrect pre-conceived notions that you got from god knows where (almost
> certainly not actually trying them):
>
> aryeh@server% df -k
> Filesystem         1024-blocks    Used     Avail Capacity  Mounted on
> zroot/ROOT/default   746429772 8341664 738088108     1%    /
> devfs                        1       1         0   100%    /dev
> zroot/var/mail       738088368     260 738088108     0%    /var/mail
> zroot                738088196      88 738088108     0%    /zroot
> zroot/var/crash      738088196      88 738088108     0%    /var/crash
> zroot/usr/home       743229452 5141344 738088108     1%    /usr/home
> zroot/var/audit      738088196      88 738088108     0%    /var/audit
> zroot/var/tmp        738088196      88 738088108     0%    /var/tmp
> zroot/var/log        738089452    1344 738088108     0%    /var/log
> zroot/tmp            738095972    7864 738088108     0%    /tmp
> zroot/usr/src        739510796 1422688 738088108     0%    /usr/src
> zroot/usr/ports      740825596 2737488 738088108     0%    /usr/ports
> aryeh@server% cat /etc/exports
> /usr/local/com -maproot=root -network 192.168.11/24
> /usr/home -maproot=root -network 192.168.11/24
> aryeh@server% logout
> Connection to server.lan.fnwe.net closed.
> Desktop@neomarx% df -k
> Filesystem            1024-blocks      Used     Avail Capacity  Mounted on
> /dev/ada1p2             964663364 689635324 197854972    78%    /
> devfs                           1         1         0   100%    /dev
> server:/usr/home        743229392   5141336 738088056     1%    /usr/home
> server:/usr/local/com   746429720   8341664 738088056     1%    /usr/local/com
>

While it is certainly possible to NFS export and mount subdirectories of
a partition or ZFS, it is also something where there have been a number
of exploits allowing a client machine to break out of the sub-tree
allocated to it and see the contents of the rest of the partition.

I don't think that is a current vulnerability in FreeBSD, but best
practice IMHO is to put your exported directory trees into a different
partition or partitions (ZFSes in this case) than the root of your host
system -- particularly not in the same ZFS as /etc.

	Cheers,

	Matthew
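
Added example (not part of the original message, and not FreeBSD's own tooling): a Python check for the layout advice above. It flags exports that are a subdirectory of a filesystem or that share a filesystem with /etc; the sample data is transcribed from the df and /etc/exports output quoted in the thread, and the function names are hypothetical.

```python
import os

# Constructed sample input, transcribed from the df and /etc/exports output
# quoted in the thread (mount point -> ZFS dataset).
SAMPLE_MOUNTS = {"/": "zroot/ROOT/default", "/usr/home": "zroot/usr/home",
                 "/var/log": "zroot/var/log", "/tmp": "zroot/tmp"}
SAMPLE_EXPORTS = """\
/usr/local/com -maproot=root -network 192.168.11/24
/usr/home -maproot=root -network 192.168.11/24
"""

def containing_mount(path, mounts):
    """Longest mount point that is path itself or one of its parents."""
    path, best = os.path.normpath(path), "/"
    for mp in mounts:
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) > len(best):
            best = mp
    return best

def exported_paths(exports_text):
    """Yield the directories named at the start of each exports(5) line."""
    for line in exports_text.replace("\\\n", " ").splitlines():
        for field in line.split("#", 1)[0].split():
            if not field.startswith("/"):
                break  # first option, host, or a "V4:" line: no more paths
            yield os.path.normpath(field)

def audit(exports_text, mounts, sensitive="/etc"):
    """Return (path, dataset, issues) for every exported directory."""
    sensitive_mp = containing_mount(sensitive, mounts)
    findings = []
    for path in exported_paths(exports_text):
        mp = containing_mount(path, mounts)
        dataset = mounts.get(mp, "unknown")
        issues = []
        if path != mp:
            issues.append("subdirectory of " + dataset)
        if mp == sensitive_mp:
            issues.append("same filesystem as " + sensitive)
        findings.append((path, dataset, issues))
    return findings

if __name__ == "__main__":
    for path, dataset, issues in audit(SAMPLE_EXPORTS, SAMPLE_MOUNTS):
        print(path, dataset, "; ".join(issues) or "ok")
```

On a live host the mount map would be built from mount(8) or `zfs list` output instead of the embedded sample.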

