Subject: bin/26890: /etc/security NFS export check does not recognize -network
To: None <>
From: None <>
List: netbsd-bugs
Date: 09/09/2004 07:14:22
>Number:         26890
>Category:       bin
>Synopsis:       /etc/security NFS export check does not recognize -network
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 09 07:15:00 UTC 2004
>Originator:     Arto Selonen
>Release:        NetBSD-current ~20040901
NetBSD blah 2.0G NetBSD 2.0G (BLAH) #0: Wed Sep  1 13:34:16 EEST 2004  blah@blah:/obj/sys/arch/i386/compile/BLAH i386

The exports(5) manual page describes three ways to define who can mount the
exported file system. Two of them just list hostnames or netgroup names,
but the third one uses the "-network=" form, which is ignored by the /etc/security
awk script. This means that file systems exported to limited networks
will be reported as globally exported. Furthermore, if they are exported
to more than one different network, they are listed multiple times.

Create, e.g., the following /etc/exports

   /fake/filesystem  -ro  -network= -mask

and run /etc/security. Observe that the file system is reported as
globally exported.
The following patch will ignore exported file systems if they have
"-network" in them:

*** security.orig       Wed Sep  1 15:41:14 2004
--- security    Thu Sep  9 09:56:57 2004
*** 581,586 ****
--- 581,588 ----
                for (i = 2; i <= NF; ++i) {
                        if ($i ~ /-ro/)
                                readonly = 1;
+                       else if ($i ~ /^-network/)
+                               next;
                        else if ($i !~ /^-/)
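
Review bot: the added `next` drops the whole entry as soon as any `-network` option is seen, so an empty `-network=` (the false negative the report itself mentions) is never reported, and any later fields on that line are not examined at all. Consider setting a flag instead, in the same way the existing `else if ($i !~ /^-/)` branch treats a listed host, and only when the option actually carries a value, e.g. `else if ($i ~ /^-network=./) restricted = 1`, so the entry continues through the remaining checks. Note also that the existing `/-ro/` test is unanchored while the new `/^-network/` test is anchored; `$i == "-ro"` would be the consistent form.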

Note that if one exports file systems to "-network=", they will
be ignored even though they are effectively globally exported. Such
false negatives are probably quite rare compared to the current false positive matches.
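
The check the report describes, as an added example that is neither the NetBSD /etc/security code nor the submitter's patch: a POSIX shell function wrapping awk that classifies exports(5) lines, treating listed hosts, netgroups and a `-network=` option with a value as restrictions, reporting an empty `-network=` as global (the false negative noted above), and also handling several directories on one line. The sample exports file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the /etc/security script: print "<dir> <ro|rw>" for
# every exports(5) entry that is exported to everyone. An entry is
# restricted when it names a host/netgroup or carries -network=<value>;
# a bare "-network=" restricts nothing and is therefore reported.

global_exports() {
    # reads exports(5) lines on stdin
    awk '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        {
            ndirs = 0; readonly = 0; restricted = 0
            for (i = 1; i <= NF; ++i) {
                # leading fields starting with "/" are the exported directories
                if (i == ndirs + 1 && $i ~ /^\//) { dirs[++ndirs] = $i; continue }
                if ($i == "-ro")
                    readonly = 1
                else if ($i ~ /^-network=./)    # -network= with a non-empty value
                    restricted = 1
                else if ($i !~ /^-/)            # a host or netgroup name
                    restricted = 1
                # other -options (-mask=, -maproot=, -alldirs, ...) do not restrict
            }
            if (!restricted)
                for (d = 1; d <= ndirs; ++d)
                    print dirs[d], (readonly ? "ro" : "rw")
        }
    '
}

sample_exports() {
    # constructed sample, not a real configuration
    cat <<'EOF'
# constructed sample exports(5) file
/export/public   -ro
/export/home     -network=192.0.2.0 -mask=255.255.255.0
/export/scratch  -ro -network=198.51.100.0/24
/export/oops     -ro -network=
/export/staff    -maproot=root trusted-host
/usr /usr/local  -maproot=0
/export/world
EOF
}

sample_exports | global_exports
```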