NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
misc/58063: nfs documentation doesn't make it clear enough that it exports entire file systems, not directory subtrees
>Number: 58063
>Category: misc
>Synopsis: nfs documentation doesn't make it clear enough that it exports entire file systems, not directory subtrees
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: misc-bug-people
>State: open
>Class: doc-bug
>Submitter-Id: net
>Arrival-Date: Thu Mar 21 21:45:00 +0000 2024
>Originator: Taylor R Campbell
>Release: current, 10, 9, 8, ...
>Organization:
The NfsBSD Foundation
>Environment:
>Description:
nfs provides very limited security boundaries, and always has. The transport layer has no secrecy or authentication.
- Preventing writes by nfs clients requires that the _file system_ be mounted read only; it is not enough to mark it read-only through /etc/exports options: https://gnats.netbsd.org/3019
- Preventing access to files in one part of a file system requires that the _file system_ the files live on not be exported; it is not enough to export a different subtree of the file system -- exporting a subtree requires the `-alldirs' option which effectively exports the whole file system. (nullfs doesn't help here because it passes fhandles through verbatim.)
So if you have a single / partition that includes /bin, /etc, and /home, you probably shouldn't try to export /home unless you trust the nfs clients not to overwrite /bin -- you need a separate /home partition.
This is explained in the exports(5) man page, but it's not very clear:
In a mount entry, the first field(s) specify the directory path(s) within
a server filesystem that can be mounted on by the corresponding
client(s). There are two forms of this specification. The first is to
list all mount points as absolute directory paths separated by white-
space. The second is to specify the pathname of the root of the filesys-
tem followed by the -alldirs flag; this form allows the host(s) to mount
at any point within the filesystem, including regular files. Note that
the -alldirs option should not be used as a security measure to make
clients mount only those subdirectories that they should have access to.
A client can still access the whole filesystem via individual RPCs if it
wanted to, even if just one subdirectory has been mounted.
[...]
The export options are tied to the local mount points in the kernel and
must be non-contradictory for any exported subdirectory of the local
server mount point.
https://man.NetBSD.org/exports.5
>How-To-Repeat:
man exports
read https://www.netbsd.org/docs/guide/en/chap-net-services.html#chap-net-services-nfs
>Fix:
Yes, please!
Home |
Main Index |
Thread Index |
Old Index