NetBSD-Bugs archive


misc/58063: nfs documentation doesn't make it clear enough that it exports entire file systems, not directory subtrees



>Number:         58063
>Category:       misc
>Synopsis:       nfs documentation doesn't make it clear enough that it exports entire file systems, not directory subtrees
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          doc-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 21 21:45:00 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10, 9, 8, ...
>Organization:
The NfsBSD Foundation
>Environment:
>Description:
nfs provides very limited security boundaries, and always has.  The transport layer has no secrecy or authentication.

- Preventing writes by nfs clients requires that the _file system_ be mounted read only; it is not enough to mark it read-only through /etc/exports options: https://gnats.netbsd.org/3019

- Preventing access to files in one part of a file system requires that the _file system_ the files live on not be exported; it is not enough to export a different subtree of the file system -- exporting a subtree requires the `-alldirs' option which effectively exports the whole file system.  (nullfs doesn't help here because it passes fhandles through verbatim.)

So if you have a single / partition that includes /bin, /etc, and /home, you probably shouldn't try to export /home unless you trust the nfs clients not to overwrite /bin -- you need a separate /home partition.

This is explained in the exports(5) man page, but it's not very clear:

     In a mount entry, the first field(s) specify the directory path(s) within
     a server filesystem that can be mounted on by the corresponding
     client(s).  There are two forms of this specification.  The first is to
     list all mount points as absolute directory paths separated by white-
     space.  The second is to specify the pathname of the root of the filesys-
     tem followed by the -alldirs flag; this form allows the host(s) to mount
     at any point within the filesystem, including regular files.  Note that
     the -alldirs option should not be used as a security measure to make
     clients mount only those subdirectories that they should have access to.
     A client can still access the whole filesystem via individual RPCs if it
     wanted to, even if just one subdirectory has been mounted.

     [...]

     The export options are tied to the local mount points in the kernel and
     must be non-contradictory for any exported subdirectory of the local
     server mount point.

https://man.NetBSD.org/exports.5
>How-To-Repeat:
man exports

read https://www.netbsd.org/docs/guide/en/chap-net-services.html#chap-net-services-nfs
>Fix:
Yes, please!
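
The check implied by the report, as an added example that is not part of the original PR or of NetBSD: for each path in an exports(5) file, find the root of the file system it lives on and flag exports that are only a subtree of it. The function names, the simplified parser, and the sample file and device ids are assumptions constructed for illustration.

```python
import os

# Constructed sample exports(5) file and device ids (not from a real server):
# /home shares the root file system with /bin and /etc; /data is its own.
SAMPLE = ("# constructed sample\n"
          "/home -maproot=nobody client1\n"
          "/data -alldirs -ro \\\n"
          "    client2\n")
DEVS = {"/": 1, "/bin": 1, "/etc": 1, "/home": 1, "/data": 2}

def parse_exports(text):
    """Return [(paths, options)] for each entry; simplified exports(5) parsing."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        paths = []
        for field in fields:          # leading absolute paths are the exports
            if not field.startswith("/"):
                break
            paths.append(field)
        options = [f for f in fields[len(paths):] if f.startswith("-")]
        if paths:
            entries.append((paths, options))
    return entries

def fs_root(path, dev_of):
    """Walk upward until the device id changes; that is the file system root."""
    path = os.path.abspath(path)
    while path != "/" and dev_of(os.path.dirname(path)) == dev_of(path):
        path = os.path.dirname(path)
    return path

def audit(text, dev_of=lambda p: os.stat(p).st_dev, sensitive=("/bin", "/etc")):
    """Report exports that are subtrees of a larger file system."""
    findings = []
    for paths, _options in parse_exports(text):
        for exported in paths:
            root = fs_root(exported, dev_of)
            if root == exported:
                continue              # export is a whole file system of its own
            shared = [s for s in sensitive if fs_root(s, dev_of) == root]
            findings.append((exported, root, shared))
    return findings

if __name__ == "__main__":
    for exported, root, shared in audit(SAMPLE, dev_of=DEVS.__getitem__):
        print(f"{exported}: clients can reach all of {root}; also on it: {shared}")
```

On a server, pass the contents of the real /etc/exports and leave `dev_of` at its default so the device ids come from `os.stat`.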


