Re: bin/45556: Two problems with NFS server.

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,cheusov%tut.by@localhost
Subject: Re: bin/45556: Two problems with NFS server.
From: David Laight <david%l8s.co.uk@localhost>
Date: Wed, 2 Nov 2011 08:25:02 +0000 (UTC)

The following reply was made to PR bin/45556; it has been noted by GNATS.

From: David Laight <david%l8s.co.uk@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: bin/45556: Two problems with NFS server.
Date: Wed, 2 Nov 2011 08:24:09 +0000

 On Wed, Nov 02, 2011 at 06:15:04AM +0000, matthew green wrote:
 > The following reply was made to PR bin/45556; it has been noted by GNATS.
 > 
 > From: matthew green <mrg%eterna.com.au@localhost>
 > To: gnats-bugs%NetBSD.org@localhost
 > Cc: gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
 > Subject: re: bin/45556: Two problems with NFS server.
 > Date: Wed, 02 Nov 2011 17:10:19 +1100
 > 
 >  i guess your /long and /longer are both on /?  this isn't how NFS works.
 >  see, eg from exports(5):
 >  
 >       space.  The second is to specify the pathname of the root of the 
 > filesys-
 >       tem followed by the -alldirs flag; this form allows the host(s) to 
 > mount
 >       at any point within the filesystem, including regular files.  Note that
 >       the -alldirs option should not be used as a security measure to make
 >       clients mount only those subdirectories that they should have access 
 > to.
 >       A client can still access the whole filesystem via individual RPCs if 
 > it
 >       wanted to, even if just one subdirectory has been mounted.  The 
 > pathnames
 >  
 >  you can really only apply exports across an actual filesystem.

 That note is probably their because the client can fake up file handles
 to other parts of the filesystem. I believe a well behaved client can
 only access the exported part of the file system.
 (Faking file handles is a little harder now the generation number
 is randomised!)

 Netbsd might check access permissions more often but I've seen systems
 that only checked during mount. This meant:
 1) If you export part of a filesystem, you export all of it.
 2) If you give any remote system access, you give all systems access.
 3) If you give any system write access, you give all systems write access.

        David

 -- 
 David Laight: david%l8s.co.uk@localhost

Prev by Date: Re: bin/45556: Two problems with NFS server.
Next by Date: Re: bin/45556 (nfs problem. --alldirs works incorrectly)
Previous by Thread: Re: bin/45556: Two problems with NFS server.
Next by Thread: Re: bin/45556 (nfs problem. --alldirs works incorrectly)
Indexes:

Home | Main Index | Thread Index | Old Index