Date:      Tue, 29 Jul 2014 13:34:50 -0700
From:      "Russell L. Carter" <rcarter@pinyon.org>
To:        freebsd-net@freebsd.org
Subject:   Re: nfsd spam in /var/log/messages
Message-ID:  <53D8056A.1010908@pinyon.org>
In-Reply-To: <20140729182134.GA43962@funkthat.com>
References:  <53D6ACD6.2030204@pinyon.org> <1817833305.4592918.1406587646770.JavaMail.root@uoguelph.ca> <20140729182134.GA43962@funkthat.com>



On 07/29/14 11:21, John-Mark Gurney wrote:
> Rick Macklem wrote this message on Mon, Jul 28, 2014 at 18:47 -0400:
>> Russell L. Carter wrote:
>>> On 07/28/14 05:55, Rick Macklem wrote:
>>>
>>>> Assuming /export is one file system on the server, put all
>>>> the exports in a single entry, something like:
>>>> V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
>>>> /export/usr/src /export/usr/obj /export/usr/ports /export/packages
>>>> /export/library -maproot=root
>>>>
>>>> OR you can just allow the clients to mount any location
>>>>    within the server file system using -alldirs like:
>>>> V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
>>>> /export -alldirs -maproot=root
>>>>
>>>> At least I think I got this correct;-) rick
>>>
>>> Then it would seem that it is not possible to do per-host
>>> filesystem access control from a single server.  Is that true?
>>>
>> Yes, you can. Each line must be unique w.r.t. the tuple of
>> <host, server-filesystem>.

This seems to work, and I don't have spam in my log:

V4: /export -sec=sys
/export/library -maproot=root linuxen
/export         -maproot=root fbsden

However, 'linuxen' and 'fbsden' are defined in netgroup(5):

linuxen (bruno,,n1.pinyon.org)
fbsden (psf,,n1.pinyon.org) (knuth,,n1.pinyon.org)

but the Linux host can mount /export/usr/* just fine :-(.

>> When there are multiple directories within a file system that
>> need to be mounted by a given host (or subnet), those must be
>> specified in a single entry.
> 
> You know.. mountd really should grow the smarts to handle this, and
> warn if the various settings for the fs don't match between lines...
> 
> i.e. union the lines as long as they match...
> 
> Could be a good project for someone(tm)...
> 

vfs_export and friends are impressively densely written...

Cheers,
Russell
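
A sketch of the check suggested in the thread (warn when one <host, server-filesystem> tuple is spread over several exports lines), added here as an example and not code from mountd or from any poster. The sample exports text, the mount-point list and the function names are constructed assumptions; backslash line continuations are not handled.

```python
from collections import defaultdict

# Constructed sample: lines 2-3 repeat one subnet on one file system;
# lines 4-5 use the netgroup names from the message.
SAMPLE = """\
V4: /export -sec=sys
/export/usr/src -maproot=root -network 10.0.10 -mask 255.255.255.0
/export/usr/obj -maproot=root -network 10.0.10 -mask 255.255.255.0
/export/library -maproot=root linuxen
/export         -maproot=root fbsden
"""

def fs_of(path, mountpoints):
    """Longest supplied mount point that contains path (assumed layout)."""
    hits = [m for m in mountpoints
            if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len, default="/")

def parse(line):
    """Split one exports(5) line into (directories, host keys)."""
    dirs, hosts, net = [], [], {}
    toks = iter(line.split("#", 1)[0].split())
    for t in toks:
        if t.startswith("/"):
            dirs.append(t)
        elif t.startswith(("-network", "-mask")):
            key, _, val = t.partition("=")      # "-mask=M" or "-mask M"
            net[key] = val or next(toks, "")
        elif not t.startswith("-"):             # host name or netgroup
            hosts.append(t)
    if net:
        hosts.append("net:%s/%s" % (net.get("-network", ""),
                                    net.get("-mask", "")))
    return dirs, hosts or ["*"]                 # no host = everyone

def find_conflicts(text, mountpoints):
    """Return {(host, fs): [line numbers]} for tuples on more than one line."""
    seen = defaultdict(list)
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("V4:"):     # NFSv4 root line, not an export
            continue
        dirs, hosts = parse(line)
        for fs in {fs_of(d, mountpoints) for d in dirs}:
            for h in hosts:
                seen[(h, fs)].append(n)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (host, fs), lines in find_conflicts(SAMPLE, ["/", "/export"]).items():
        print(f"{host} on {fs}: repeated on lines {lines}")
```

On a live server the mount-point list would come from the mounted file systems rather than being typed in.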


