Date: Fri, 24 Jul 2020 07:10:16 -0400
From: Aryeh Friedman <aryeh.friedman@gmail.com>
To: Matthew Seaman <matthew@freebsd.org>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Technological advantages over Linux
Message-ID: <CAGBxaX=KOGJxgD0fUDi9=38MGfVDABtNkGuF%2BcdcWQ%2BW=Wh7yw@mail.gmail.com>
In-Reply-To: <fe6ae329-16fd-825f-74cb-f84155b51c89@FreeBSD.org>
References: <20200214121620.GA80657@admin.sibptus.ru> <20200724032840.GA61047@admin.sibptus.ru> <bb4b45c49da2c1b3a4cb66512eb52b710c7d1da7.camel@adminart.net> <CAGBxaXnyWnVYVrrngMGXhpevRn5ZBou9kKcE-4EmDmfdgoXhUg@mail.gmail.com> <fe6ae329-16fd-825f-74cb-f84155b51c89@FreeBSD.org>
On Fri, Jul 24, 2020 at 6:58 AM Matthew Seaman <matthew@freebsd.org> wrote:

> On 24/07/2020 11:17, Aryeh Friedman wrote:
> > On Thu, Jul 23, 2020 at 11:59 PM hw <hw@adminart.net> wrote:
> >
> >> You can add that NFS in FreeBSD is a catastrophe. Basically, you can
> >> only export whole file systems with permissions applying to the whole
> >> file system, and that practically makes NFS unusable. That means
> >
> > Then please tell my server that it is not working according to your
> > incorrect pre-conceived notions that you got from god knows where (almost
> > certainly not actually trying them):
> >
> > aryeh@server% df -k
> > Filesystem          1024-blocks    Used     Avail Capacity  Mounted on
> > zroot/ROOT/default    746429772 8341664 738088108     1%    /
> > devfs                         1       1         0   100%    /dev
> > zroot/var/mail        738088368     260 738088108     0%    /var/mail
> > zroot                 738088196      88 738088108     0%    /zroot
> > zroot/var/crash       738088196      88 738088108     0%    /var/crash
> > zroot/usr/home        743229452 5141344 738088108     1%    /usr/home
> > zroot/var/audit       738088196      88 738088108     0%    /var/audit
> > zroot/var/tmp         738088196      88 738088108     0%    /var/tmp
> > zroot/var/log         738089452    1344 738088108     0%    /var/log
> > zroot/tmp             738095972    7864 738088108     0%    /tmp
> > zroot/usr/src         739510796 1422688 738088108     0%    /usr/src
> > zroot/usr/ports       740825596 2737488 738088108     0%    /usr/ports
> > aryeh@server% cat /etc/exports
> > /usr/local/com -maproot=root -network 192.168.11/24
> > /usr/home -maproot=root -network 192.168.11/24
> > aryeh@server% logout
> > Connection to server.lan.fnwe.net closed.
> >
> > Desktop@neomarx% df -k
> > Filesystem            1024-blocks      Used     Avail Capacity  Mounted on
> > /dev/ada1p2             964663364 689635324 197854972    78%    /
> > devfs                           1         1         0   100%    /dev
> > server:/usr/home        743229392   5141336 738088056     1%    /usr/home
> > server:/usr/local/com   746429720   8341664 738088056     1%    /usr/local/com
>
> While it is certainly possible to NFS export and mount subdirectories of
> a partition or ZFS, it is also something where there have been a number
> of exploits allowing a client machine to break out of the sub-tree
> allocated to it and see the contents of the rest of the partition.
>
> I don't think that is a current vulnerability in FreeBSD, but best
> practice IMHO is to put your exported directory trees into a different
> partition or partitions (ZFSes in this case) than the root of your host
> system -- particularly not in the same ZFS as /etc.

On an isolated (double NAT'ed and firewalled) LAN that only trusted users use
(my significant other is also a programmer and thus I trust them completely)
it shouldn't matter all that much (besides for the truly paranoid). Also
devel/aegis requires /usr/local/com to be available universally to any NFS
clients that use aegis (and despite being the maintainer I have not found an
"easy" way to allow this to be configurable), and it has to be in the same
logical file system as the aegis executables (/usr/local/bin).

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
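The advice in the thread is to export only whole datasets rather than subtrees of a larger filesystem. As an added example that is not part of the thread or of FreeBSD itself, here is a small POSIX shell audit that reads exports(5)-style lines together with a list of mount points and reports, per exported path, whether it is its own mount point ("dataset") or a subtree of a larger filesystem ("subtree"), and whether the entry maps root to root. The sample exports and mount list are constructed from the df and cat output quoted above, with one extra /usr/ports line made up for contrast.

```shell
#!/bin/sh
# Constructed sample input: the two /etc/exports lines and the server's
# mount points as quoted in the message, plus one made-up read-only line.
SAMPLE_EXPORTS='/usr/local/com -maproot=root -network 192.168.11/24
/usr/home -maproot=root -network 192.168.11/24
/usr/ports -ro -network 192.168.11/24'

SAMPLE_MOUNTS='/
/dev
/var/mail
/zroot
/var/crash
/usr/home
/var/audit
/var/tmp
/var/log
/tmp
/usr/src
/usr/ports'

# audit_exports EXPORTS MOUNTS
# Prints one line per exported path: "<path> dataset|subtree maproot-root|ok".
# A path is "dataset" only if it appears verbatim in MOUNTS, i.e. the export
# covers a whole filesystem rather than a directory inside a larger one.
audit_exports() {
    exports=$1
    mounts=$2
    printf '%s\n' "$exports" | while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        in_opts=0; paths=''; root_map=ok
        # exports(5) lines list paths first; the first "-word" starts the
        # options, and anything after that (hosts, networks) is not a path.
        for word in $line; do
            case "$word" in
                -maproot=root|-maproot=0) in_opts=1; root_map=maproot-root ;;
                -*) in_opts=1 ;;
                *) if [ "$in_opts" -eq 0 ]; then paths="$paths $word"; fi ;;
            esac
        done
        for p in $paths; do
            if printf '%s\n' "$mounts" | grep -qxF "$p"; then
                layout=dataset
            else
                layout=subtree
            fi
            printf '%s %s %s\n' "$p" "$layout" "$root_map"
        done
    done
}

audit_exports "$SAMPLE_EXPORTS" "$SAMPLE_MOUNTS"
```

On a live FreeBSD host the same function can be fed `cat /etc/exports` and `mount -p | awk '{print $2}'` in place of the constructed samples.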