Date:      Tue, 29 Jul 2014 16:48:20 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        "Russell L. Carter" <rcarter@pinyon.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: nfsd spam in /var/log/messages
Message-ID:  <1188535120.4997158.1406666900373.JavaMail.root@uoguelph.ca>
In-Reply-To: <53D8056A.1010908@pinyon.org>

Russell L. Carter:
> 
> 
> On 07/29/14 11:21, John-Mark Gurney wrote:
> > Rick Macklem wrote this message on Mon, Jul 28, 2014 at 18:47
> > -0400:
> >> Russell L. Carter wrote:
> >>> On 07/28/14 05:55, Rick Macklem wrote:
> >>>
> >>>> Assuming /export is one file system on the server, put all
> >>>> the exports in a single entry, something like:
> >>>> V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> >>>> /export/usr/src /export/usr/obj /export/usr/ports
> >>>> /export/packages
> >>>> /export/library -maproot=root
> >>>>
> >>>> OR you can just allow the clients to mount any location
> >>>>    within the server file system using -alldirs like:
> >>>> V4: /export -sec=sys -network 10.0.10 -mask 255.255.255.0
> >>>> /export -alldirs -maproot=root
> >>>>
> >>>> At least I think I got this correct;-) rick
> >>>
> >>> Then it would seem that it is not possible to do per-host
> >>> filesystem access control from a single server.  Is that true?
> >>>
> >> Yes, you can. Each line must be unique w.r.t. the tuple of
> >> <host, server-filesystem>.
> 
> This seems to work, and I don't have spam in my log:
> 
> V4: /export -sec=sys
> /export/library -maproot=root linuxen
> /export         -maproot=root fbsden
> 
> However, 'linuxen' and 'fbsden' are defined in netgroup(5):
> 
> linuxen (bruno,,n1.pinyon.org)
> fbsden (psf,,n1.pinyon.org) (knuth,,n1.pinyon.org)
> 
> but the linux host can mount /export/usr/* just fine :-(.
> 
Well, the host checks are enforced in the kernel on a per filesystem
basis only. This implies that any location within a file system can
be mounted via NFSv4, if any location within the file system has been
exported to the host. (I'm assuming that /export/usr is a subtree of
the /export file system.)

The "directories within a file system" exports are only enforced by
the Mount protocol that NFSv3 uses to talk to mountd. (NFSv4 does not
use the Mount protocol.) These are considered "administrative controls",
which is a nice way of saying "they aren't actually enforced by the kernel
because there is no easy way to do so, but will discourage trivial attempts
to do NFSv3 mounts".

Personally, I've never liked these "administrative controls", but others
feel they are useful (introduced long long ago by SunOS) and getting rid
of them would be considered a POLA violation. (This was one of the reasons
why nfse was never adopted as a replacement for mountd.)

Various people have tried to clarify this in "man exports". Any patches
that improve this will be appreciated. (It just seems to be a difficult
thing to explain.)

rick

> >> When there are multiple directories within a file system that
> >> need to be mounted by a given host (or subnet), those must be
> >> specified in a single entry.
> > 
> > You know.. mountd really should grow the smarts to handle this, and
> > warn if the various settings for the fs don't match between
> > lines...
> > 
> > i.e. union the lines as long as they match...
> > 
> > Could be a good project for someone(tm)...
> > 
> 
> vfs_export and friends are impressively densely written...
> 
> Cheers,
> Russell
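As an added example (not code from this thread, nor from FreeBSD's mountd), a small Python checker that applies the two points Rick makes to an exports(5) file: it flags a second line for the same <host, file system> tuple, and it flags any host that is only granted a subdirectory of a file system under the V4: root, because the kernel's per-filesystem host check lets that host mount anything in the file system over NFSv4. The sample exports file and the mount-point list are constructed; the parser understands the "-network X -mask Y" form and -alldirs, not every exports(5) option.

```python
from collections import defaultdict

# Constructed sample exports(5) file, modelled on the entries in the thread.
SAMPLE_EXPORTS = """\
V4: /export -sec=sys
/export/library -maproot=root linuxen
/export         -maproot=root fbsden
/export/usr/src /export/usr/obj -maproot=root fbsden
"""
MOUNTPOINTS = ["/", "/export"]  # constructed assumption: /export is one file system

def fs_of(path):  # longest mount-point prefix: the file system the kernel checks
    return max((m for m in MOUNTPOINTS if path == m or path.startswith(m.rstrip("/") + "/")), key=len)

def parse_line(line):
    """Split an exports(5) line into (directories, options, hosts/netgroups)."""
    toks, dirs, opts, hosts, i = line.split(), [], [], [], 0
    while i < len(toks):
        t = toks[i]
        if t.startswith("/") and not opts and not hosts:
            dirs.append(t)
        elif t.startswith("-"):
            if t in ("-network", "-mask") and i + 1 < len(toks):  # "-network X" form
                t, i = t + "=" + toks[i + 1], i + 1
            opts.append(t)
        else:
            hosts.append(t)
        i += 1
    return dirs, opts, hosts or ["<everyone>"]

def audit(text):
    findings, v4roots, seen, exported = [], [], {}, defaultdict(set)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("V4:"):  # NFSv4 root; not an export entry by itself
            v4roots.append(line.split()[1])
            continue
        dirs, opts, hosts = parse_line(line)
        for h in hosts:
            for fs in {fs_of(d) for d in dirs}:
                if (h, fs) in seen:  # mountd wants a single line per <host, fs>
                    findings.append(f"line {n}: {h} already has an entry for {fs} on line {seen[(h, fs)]}")
                seen.setdefault((h, fs), n)
                exported[(h, fs)].update(d for d in dirs if fs_of(d) == fs)
                exported[(h, fs)].update([fs] if "-alldirs" in opts else [])
    for (h, fs), ds in exported.items():
        # Host access is per file system; NFSv4 never consults mountd's subdirectory list.
        if fs not in ds and any(fs == r or fs.startswith(r.rstrip("/") + "/") for r in v4roots):
            findings.append(f"{h}: only {sorted(ds)} listed, but NFSv4 can mount anything under {fs}")
    return findings
```

Run audit(SAMPLE_EXPORTS) to see both findings for the constructed file; pointing MOUNTPOINTS at the server's real mount table turns it into a pre-commit check for /etc/exports.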