Date: Sun, 07 Oct 2001 19:05:40 +0100
From: Ian Dowse <iedowse@maths.tcd.ie>
To: freebsd-questions@freebsd.org, pcc@gmx.net
Subject: Re: Another one chokes with /etc/exports ...
Message-ID: <200110071905.aa52971@salmon.maths.tcd.ie>
In-Reply-To: Your message of "Sun, 07 Oct 2001 10:28:27 +0200." <20011007102827.A7475@akk3.akk.org>
In message <20011007102827.A7475@akk3.akk.org>, Peter Cornelius writes:
>
>... I seem to continuously trick myself trying to rewrite my /etc/exports.
>Done this before. Can't be that hard. I thought. Have dealt with a diskless
>client a few times. I'm a crack. I thought. As it seems, it has always been
>a single nfs client, so I never got my toes trodden on. And much of this has
>been before Release 3. However, I don't like my feet feeling flat, and now
>I wanna know.

Much of the problem with /etc/exports is that the syntax gives the
impression that you can have much more fine-grained control over
exports than is actually possible. NFS access control essentially
consists of one rule per local filesystem, per remote host. Once
any part of a local filesystem is exported to a particular remote
host, that remote host effectively has access to the whole local
filesystem, even if you only allow mounting from particular nodes
within the filesystem. Access is of course restricted by
-ro/-maproot/-mapall settings too.

So if /usr is a single filesystem and you have an entry in /etc/exports
that reads

	/usr/home /usr/foo/bar /usr/foo2/bar1 host1

then from a security point of view, you might as well have:

	/usr -alldirs host1

Specifying a list of nodes within a single filesystem limits what
directories can be used in a mount operation on the remote host,
but the remote host could still get the filehandle for /usr/foo/bar
and repeatedly look up ".." to get to the root of the exported
filesystem (you need a special nfs client to do this).

It seems that for your configuration, the best you can do is equivalent
to having just the line:

	/usr -alldirs -maproot=0:0 petra router luis

If you want tighter access control, you will need to split up /usr
into different filesystems. That is unfortunately just the way NFS
works.

It might be possible to implement a system that virtualises the
view of the filesystem exported to the remote client to "fix" this,
but doing this would be quite a lot of work.

(NFS requests from the client contain a filehandle that specifies
which file is being accessed. From the filehandle, the NFS server
code extracts a filesystem and an inode. It checks if the sender
of the request is allowed to perform the requested operation on the
filesystem specified by the filehandle, and if so it does it. There
is no mechanism in place that could determine whether the client
is allowed access to a particular inode; the NFS server in the
kernel isn't even told what directories in a filesystem are exported,
and even if it was, checking that an inode is within an allowed
directory is not easy).

Ian
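
Added example, not part of Ian's message and not FreeBSD code: a small Python audit that applies the rule described above (one access rule per local filesystem, per remote host) to /etc/exports lines and reports hosts that were given only nodes below a filesystem root. The function names, mount-point list and sample exports text are constructed for illustration; it assumes one export per line and options written as `-opt` or `-opt=value`.

```python
import posixpath

def parse_exports(text):
    """Yield (paths, options, hosts) for each non-comment exports line."""
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if not tokens:
            continue
        paths = [t for t in tokens if t.startswith("/")]
        options = [t for t in tokens if t.startswith("-")]
        hosts = [t for t in tokens if not t.startswith(("/", "-"))]
        # Assumption: a line with no host is exported to any host ("*").
        yield paths, options, hosts or ["*"]

def owning_filesystem(path, mount_points):
    """Return the longest mount point that contains path."""
    path, best = posixpath.normpath(path), "/"
    for mp in map(posixpath.normpath, mount_points):
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) > len(best):
            best = mp
    return best

def findings(text, mount_points):
    """List (host, filesystem, listed_paths, options) where the host was
    given only nodes below the filesystem root. Per the rule above, that
    host still has the whole filesystem, limited only by the options."""
    seen = {}
    for paths, options, hosts in parse_exports(text):
        for p in paths:
            fs = owning_filesystem(p, mount_points)
            for h in hosts:
                entry = seen.setdefault((fs, h), (set(), set()))
                entry[0].add(posixpath.normpath(p))
                entry[1].update(options)
    return [(h, fs, sorted(ps), sorted(opts))
            for (fs, h), (ps, opts) in sorted(seen.items())
            if fs not in ps]

# Constructed sample input: /usr and /var are separate filesystems.
SAMPLE_MOUNTS = ["/", "/usr", "/var"]
SAMPLE_EXPORTS = """\
/usr/home /usr/foo/bar /usr/foo2/bar1 host1
/usr/ports -ro luis
/var -alldirs -maproot=0:0 petra   # whole filesystem, stated openly
"""

if __name__ == "__main__":
    for host, fs, paths, opts in findings(SAMPLE_EXPORTS, SAMPLE_MOUNTS):
        print(f"{host}: listed {paths} {opts}; effective access is all of {fs}")
```

In real use the mount-point list would come from the server's own mount table; every reported line is a candidate for either an explicit whole-filesystem export or a split into separate filesystems.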