NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: bin/45556: Two problems with NFS server.



The following reply was made to PR bin/45556; it has been noted by GNATS.

From: David Laight <david%l8s.co.uk@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: bin/45556: Two problems with NFS server.
Date: Wed, 2 Nov 2011 08:24:09 +0000

 On Wed, Nov 02, 2011 at 06:15:04AM +0000, matthew green wrote:
 > The following reply was made to PR bin/45556; it has been noted by GNATS.
 > 
 > From: matthew green <mrg%eterna.com.au@localhost>
 > To: gnats-bugs%NetBSD.org@localhost
 > Cc: gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
 > Subject: re: bin/45556: Two problems with NFS server.
 > Date: Wed, 02 Nov 2011 17:10:19 +1100
 > 
 >  i guess your /long and /longer are both on /?  this isn't how NFS works.
 >  see, eg from exports(5):
 >  
 >       space.  The second is to specify the pathname of the root of the 
 > filesys-
 >       tem followed by the -alldirs flag; this form allows the host(s) to 
 > mount
 >       at any point within the filesystem, including regular files.  Note that
 >       the -alldirs option should not be used as a security measure to make
 >       clients mount only those subdirectories that they should have access 
 > to.
 >       A client can still access the whole filesystem via individual RPCs if 
 > it
 >       wanted to, even if just one subdirectory has been mounted.  The 
 > pathnames
 >  
 >  you can really only apply exports across an actual filesystem.
 
 That note is probably their because the client can fake up file handles
 to other parts of the filesystem. I believe a well behaved client can
 only access the exported part of the file system.
 (Faking file handles is a little harder now the generation number
 is randomised!)
 
 Netbsd might check access permissions more often but I've seen systems
 that only checked during mount. This meant:
 1) If you export part of a filesystem, you export all of it.
 2) If you give any remote system access, you give all systems access.
 3) If you give any system write access, you give all systems write access.
 
        David
 
 -- 
 David Laight: david%l8s.co.uk@localhost
 


Home | Main Index | Thread Index | Old Index