Date:      Mon, 28 Jul 2014 13:04:38 -0700
From:      "Russell L. Carter" <rcarter@pinyon.org>
To:        freebsd-net@freebsd.org
Subject:   Re: nfsd spam in /var/log/messages
Message-ID:  <53D6ACD6.2030204@pinyon.org>
In-Reply-To: <43564051.4211288.1406552134888.JavaMail.root@uoguelph.ca>
References:  <43564051.4211288.1406552134888.JavaMail.root@uoguelph.ca>

On 07/28/14 05:55, Rick Macklem wrote:

> Assuming /export is one file system on the server, put all
> the exports in a single entry, something like: 
> V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> /export/usr/src /export/usr/obj /export/usr/ports /export/packages /export/library -maproot=root
> 
> OR you can just allow the clients to mount any location
>    within the server file system using -alldirs like:
> V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> /export -alldirs -maproot=root
> 
> At least I think I got this correct;-) rick

Then it would seem that it is not possible to do per-host
filesystem access control from a single server.  Is that true?

The larger project I am working on intermittently is to see if I can
work out a way to secure NFSv4 so that the net transport is encrypted
(via ssh|spiped tunnel, perhaps) and the server has per host (per user
would be better) filesystem access control, WITHOUT kerberos.  Maybe
ACLs?  I have looked into ACLs but they don't look very promising for
multiple platform support.

Thanks,
Russell