Date: Mon, 28 Jul 2014 18:47:26 -0400 (EDT) From: Rick Macklem <rmacklem@uoguelph.ca> To: "Russell L. Carter" <rcarter@pinyon.org> Cc: freebsd-net@freebsd.org Subject: Re: nfsd spam in /var/log/messages Message-ID: <1817833305.4592918.1406587646770.JavaMail.root@uoguelph.ca> In-Reply-To: <53D6ACD6.2030204@pinyon.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Russell L. Carter wrote: > > > On 07/28/14 05:55, Rick Macklem wrote: > > > Assuming /export is one file system on the server, put all > > the exports in a single entry, something like: > > V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0 > > /export/usr/src /export/usr/obj /export/usr/ports /export/packages > > /export/library -maproot=root > > > > OR you can just allow the clients to mount any location > > within the server file system using -alldirs like: > > V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0 > > /export -alldirs -maproot=root > > > > At least I think I got this correct;-) rick > > Then it would seem that that it is not possible to do per-host > filesystem access control from a single server. Is that true? > Yes, you can. Each line must be unique w.r.t. the tuple of <host, server-filesystem>. When there are multiple directories within a file system that needs to be mounted by a given host (or subnet), those must be specified in a single entry. > The larger project I am working on intermittently is to see if I can > work out a way to secure NFSv4 so that the net transport is encrypted > (via ssh|spiped tunnel, perhaps) and the server has per host (per > user > would be better) filesystem access control, WITHOUT kerberos. Maybe > ACLs? I have looked into ACLs but they don't look very promising for > multiple platform support. > On my "someday" list is trying to figure out how to allow a mount to work over IPsec, but I've never done it (and don't actually know if it is currently possible, although I suspect the answer is no). ACLs allow finer grained access control to a file, but still use whatever authentication is being used (auth_sys is just a uid# and list of gid#s vs Kerberos, which authenticates a kerberos principal). rick > Thanks, > Russell > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to > "freebsd-net-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1817833305.4592918.1406587646770.JavaMail.root>