Source-Changes-D archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: CVS commit: src/tests/fs/common

On Fri, Dec 31, 2010 at 07:45:26PM +0000, David Laight wrote:
> [...]
> >From what I remember of the NFS protocol, the following 'rules' applied:
> 1) If you export part of a filesystem, you export all of the filesystem.

that's probably trye

> 2) If you give anyone access, you give everyone access.
> 3) If you give anyone write access, you give everyone write access.

these 2 are not true for NetBSD I think

> This is all because it is the 'mount' protocol that verifies whether
> a client has access - so a client that disobeys the mount protocol, or
> fakes up valid nfs file handles can avoid the access checks.

This was true for the SunOS 4 nfs implementation (and maybe other
implementations derived from the same base), but for NetBSD, some checks are
done at the nfsd level: the source IP address from the NFS request is
checked against the export list, as well as the R/O status for a write
request (and other things such as the uid root is mapped to).
So if you consider IP address are not spoofables in your environnement,
IP-based access and write permissions are fine.

Manuel Bouyer <>
     NetBSD: 26 ans d'experience feront toujours la difference

Home | Main Index | Thread Index | Old Index