Re: CVS commit: src/tests/fs/common
On Fri, Dec 31, 2010 at 07:45:26PM +0000, David Laight wrote:
> From what I remember of the NFS protocol, the following 'rules' applied:
> 1) If you export part of a filesystem, you export all of the filesystem.
that's probably true
> 2) If you give anyone access, you give everyone access.
> 3) If you give anyone write access, you give everyone write access.
these 2 are not true for NetBSD I think
> This is all because it is the 'mount' protocol that verifies whether
> a client has access - so a client that disobeys the mount protocol, or
> fakes up valid nfs file handles can avoid the access checks.
This was true for the SunOS 4 nfs implementation (and maybe other
implementations derived from the same base), but for NetBSD, some checks are
done at the nfsd level: the source IP address from the NFS request is
checked against the export list, as well as the R/O status for a write
request (and other things such as the uid root is mapped to).
So if you consider IP addresses are not spoofable in your environment,
IP-based access and write permissions are fine.
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 years of experience will always make the difference
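
Added example (not part of the original message and not NetBSD code): a small Python model of the two enforcement points discussed above, checking only at mount time versus re-checking source address and read-only status on every NFS request. The export list, addresses and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Export:
    network: ipaddress.IPv4Network   # clients this entry applies to
    read_only: bool                  # True: write requests are refused

# Constructed export list (documentation address ranges), not a real exports(5) file.
EXPORTS = {
    "/export/src": [
        Export(ipaddress.ip_network("192.0.2.0/24"), read_only=False),
        Export(ipaddress.ip_network("198.51.100.0/24"), read_only=True),
    ],
}

def lookup(path, src_ip):
    """Return the export entry covering src_ip for path, or None."""
    addr = ipaddress.ip_address(src_ip)
    return next((e for e in EXPORTS.get(path, []) if addr in e.network), None)

def mount_only(path, src_ip, op, handle_valid):
    """Model A: only the mount protocol consulted the export list, so the
    NFS server honours any request that carries a valid file handle."""
    return handle_valid

def per_request(path, src_ip, op, handle_valid):
    """Model B: the NFS server re-checks source address and R/O status
    on every request, as the message describes for NetBSD's nfsd."""
    entry = lookup(path, src_ip)
    if not handle_valid or entry is None:
        return False
    return not (op == "write" and entry.read_only)

# Constructed requests: (label, source IP as seen by the server, operation)
REQUESTS = [
    ("rw client writes",        "192.0.2.10",   "write"),
    ("ro client reads",         "198.51.100.7", "read"),
    ("ro client writes",        "198.51.100.7", "write"),
    ("unlisted host, no mount", "203.0.113.5",  "read"),
]

def compare(path="/export/src"):
    """Return {label: (model A decision, model B decision)}; every request
    is assumed to carry a valid file handle, however it was obtained."""
    return {label: (mount_only(path, ip, op, True), per_request(path, ip, op, True))
            for label, ip, op in REQUESTS}

if __name__ == "__main__":
    for label, (a, b) in compare().items():
        print(f"{label:26} mount-only={a!s:5} per-request={b}")
```

Model B's decision rests entirely on the source address the server sees, which is why the message conditions it on addresses not being spoofable in the environment.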