Subject: Re: exporting -ro nfs
To: None <netbsd-users@NetBSD.org>
From: George Georgalis <george@galis.org>
List: netbsd-users
Date: 01/25/2007 13:06:48
On Thu, Jan 25, 2007 at 09:17:16AM -0800, Bill Studenmund wrote:
>On Thu, Jan 18, 2007 at 12:51:24PM +0100, Hauke Fath wrote:
>> Am 17.01.2007 um 21:43 Uhr -0500 schrieb George Georgalis:
>> >I'm having trouble writing an /etc/exports file for
>> >a read-only mount point. I'd expect it something
>> >like:
>> >
>> >/host/software -maproot=nobody:nobody -ro -network 10/8
>> >
>> >but on the target host, that yields
>> >
>> >mount_nfs: can't access /host/software: Permission denied
>> >
>> >while other rw /host/* exports mount fine. What exactly is
>> >the syntax for a ro export?
>> 
>> Let me guess: The /host/* exports are on the same filesystem?
>> 
>> You cannot export directories from one filesystem with differing 
>> credentials (like rw/ro, different access control lists, etc.). A 
>> workaround is to use null mounts, and export those.
>
>The problem with doing this is that you don't really gain much. Maybe we 
>should just turn off the restrictions we have.
>
>The problem is that the NFS server code can't tell if a file handle
>corresponds to a file under a given mount point or not when you have
>multiple exposed mount points in one file system. So say you had one
>directory in an fs exposed read-write and another read-only. If an 
>attacker took a file handle from the r/o mount and used it via the r/w 
>mount point, the corresponding file can be modified even though the 
>initial layout would say it wouldn't.
>
>Null mounts don't change this as the file-system-specific part of our file 
>handles are the same between a null mount and the underlying file system. 
>So given a file handle from the null mount, you can figure out the file 
>handle for the same file for the non-nullfs fs.

bummer. we use the convention "/$(hostname)" to identify
the physical media an export is from. /$(hostname)/software
and /$(hostname)/home really need different write permissions.
Maybe I could use smb://$(hostname)/software

but from what you are saying, if I only export /$(hostname)/home
(rw) and /$(hostname) is a single filesystem, does that mean
/$(hostname)/* is available rw, by file handle???


>Perhaps the solution is to make the code be VERY clear that we will permit 
>you to have differing export ability but that the laxest restrictions 
>apply to the whole file system. As in we have the kernel remember the 
>laxest permissions on an export and if you add an additional export that 
>makes the permissions laxer, we emit a kernel warning message. Hmmm... 

apparently we can do that with loopback. I'd prefer 'permission denied,
filesystem already exported rw' or some such, but I'm not sure the client
would be able to tell that.


>We also probably want to track the tightest too. So if you have a mount 
>exported r/o and add a r/w mount, or if you have a r/w mount and add a r/o 
>mount, the kernel mentions that your file system security may not be what 
>you expect. Adding a second such mount shouldn't emit a message, though.
>
>Thoughts?

you cannot explain everything to everyone. it would be nice to do what I want
but it sounds like the NFS cannot. that's all I need to know. let's not fudge
up some help, lest someone grow to expect 'are you sure you want to rm -rf'.

// George


-- 
George Georgalis, systems architect, administrator <IXOYE><
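The hazard Bill describes above (a read-only and a read-write export on the same filesystem, where a file handle obtained through the read-only export can be used through the read-write one) is easy to check for in userland before mountd ever sees the file. The following is an added example, not code from the thread or from NetBSD: it parses exports(5)-style lines, groups the exported directories by the local filesystem they live on, and flags any filesystem that carries both a -ro and a read-write export. The mount points and the two exports files are constructed sample input; the /host/fs1 path is an assumption standing in for George's /$(hostname) convention.

```python
"""Check an exports(5)-style file for one filesystem exported both -ro and rw.

Added example for the netbsd-users thread; not NetBSD's mountd code.
"""
from typing import Dict, List, Tuple

# Constructed mount table: mount points of the server's local filesystems.
# In real use, take these from the output of mount(8) or from /etc/fstab,
# and list the underlying filesystems only (see usage note about nullfs).
MOUNT_POINTS = ["/", "/usr", "/host/fs1"]

# Constructed /etc/exports. The first two exports reproduce the layout from
# the thread: a read-only and a read-write directory on one filesystem.
EXPORTS_BAD = """\
# software is meant to be read-only, home read-write (same filesystem!)
/host/fs1/software -maproot=nobody:nobody -ro -network 10/8
/host/fs1/home -maproot=nobody:nobody -network 10/8
/usr/pkgsrc -ro -network 10/8
"""

# Same exports with the conflicting read-only directory left out.
EXPORTS_OK = """\
/host/fs1/home -maproot=nobody:nobody -network 10/8
/usr/pkgsrc -ro -network 10/8
"""


def filesystem_of(path: str, mount_points: List[str]) -> str:
    """Return the longest mount point that is a prefix of `path`.

    Prefix matching is done on path-component boundaries, so /host/fs10/x
    does not match a /host/fs1 mount point.  Falls back to "/".
    """
    best = "/"
    for mp in mount_points:
        if mp == "/":
            continue
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def parse_exports(text: str) -> List[Tuple[str, bool]]:
    """Return (directory, read_only) for every directory on every export line.

    exports(5): the leading absolute paths on a line are the directories,
    the options follow, and "-ro" anywhere in the option list makes the
    line read-only; a line without -ro is exported read-write.  Other
    options (-maproot, -network, -mask, hosts ...) do not matter here.
    """
    entries: List[Tuple[str, bool]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        read_only = "-ro" in tokens
        for tok in tokens:
            if not tok.startswith("/"):
                break  # first non-path token: options/hosts begin here
            entries.append((tok, read_only))
    return entries


def find_conflicts(text: str, mount_points: List[str]) -> Dict[str, List[Tuple[str, bool]]]:
    """Map each filesystem exported both -ro and rw to its exported dirs."""
    by_fs: Dict[str, List[Tuple[str, bool]]] = {}
    for directory, ro in parse_exports(text):
        fs = filesystem_of(directory, mount_points)
        by_fs.setdefault(fs, []).append((directory, ro))
    return {fs: dirs for fs, dirs in by_fs.items()
            if len({ro for _, ro in dirs}) == 2}


def report(conflicts: Dict[str, List[Tuple[str, bool]]]) -> List[str]:
    """One warning line per conflicting filesystem, laxest setting wins."""
    lines = []
    for fs, dirs in sorted(conflicts.items()):
        shown = ", ".join(f"{d} ({'ro' if ro else 'rw'})" for d, ro in dirs)
        lines.append(f"WARNING: {fs} is exported both ro and rw; by file "
                     f"handle the rw export covers the whole filesystem: {shown}")
    return lines


if __name__ == "__main__":
    for name, text in (("EXPORTS_BAD", EXPORTS_BAD), ("EXPORTS_OK", EXPORTS_OK)):
        print(f"== {name}")
        print("\n".join(report(find_conflicts(text, MOUNT_POINTS))) or "no conflicts")
```

Feed the check the mount points of the underlying filesystems, not of any nullfs mounts layered on them: as Bill notes, the filesystem-specific part of a file handle is the same through a null mount as through the underlying filesystem, so a null mount listed as a separate filesystem here would make a real conflict disappear from the report.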