Date: Fri, 22 May 2009 14:53:37 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: freebsd-fs@freebsd.org
Subject: Exporting the nfsv4 root
Message-ID: <Pine.GSO.4.63.0905221436320.9127@muncher.cs.uoguelph.ca>
For nfsv4, the root directory of the tree that is exported via nfs needs to be specified. (This is separate from exporting the various file systems on the server, since there is only one tree for nfsv4.)

Solaris10 simply assumes "/" as the root (I don't think there is a way to override that on Solaris, but I could be wrong). This is convenient, since the mount paths then look the same for nfsv4 as they do for nfsv2, 3.

Linux flags one exported file volume as the nfsv4 root, which limits the export to that file system (and siblings, I think, although some clients can't cross server mount point boundaries correctly).

What I currently have is an additional line in /etc/exports that looks like:

    V4: <path> [-sec=sys,krb5,krb5i,krb5p]

for example

    V4: /
        - works like Solaris10, without security flavor restrictions

    V4: /export -sec=krb5i,krb5p
        - makes "/export" the root and restricts all nfsv4 access to be done via krb5i or krb5p

Note that these security restrictions are applied to use of the nfsv4 root (which may not be on an exported volume). The export rules listed in the rest of the /etc/exports file still apply. (When the nfsv4 root is not in an exported file system, a very limited set of operations are permitted, so that the mount of an exported volume can be done.)

Another variation of this that could be easily implemented is:

    V4: <path> [-sec=sys,krb5,krb5i,krb5p] [hosts, subnets, ...]

and then allow this line to be used multiple times for different client host(s). (i.e. It would be like the other lines in /etc/exports except for the "V4:" prepended on the line to indicate that it is the nfsv4 root.) This would allow restrictions based on host ip#s to be applied. For example:

    V4: / grumpy.cis.uoguelph.ca
    V4: / -sec=krb5i,krb5p -network=131.104.48.0 -mask=255.255.255.0

which would allow grumpy.cis.uoguelph.ca to do nfsv4 mounts via AUTH_SYS and allow the 131.104.48 subnet to do nfsv4 mounts via krb5i, p. The rest of the IP space wouldn't be able to talk nfsv4 to the server.

What do you think about these two alternatives or can you think of a better way to handle this?

Thanks in advance for any comments, rick

ps: Again, this only applies to access to the nfsv4 root (which typically only happens at mount time). After that, the normal /etc/export restrictions apply.
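The policy described in the message above, worked through as an added example. This is not code from FreeBSD's mountd or from the message's author; it is a stand-alone model of the second alternative ("V4:" lines with optional -sec=, -network/-mask and host restrictions, default deny for everyone else), written to make the access decision at nfsv4-root (mount) time explicit. Everything below is assumed: the parser accepts only the tokens the message shows, host entries are matched as literal strings against a caller-supplied client name (no DNS lookup), and the sample /etc/exports fragment is constructed from the message's own two examples.

```python
"""Model of the proposed "V4:" /etc/exports line (added example, not mountd code).

Syntax, as described in the message:
    V4: <path> [-sec=sys,krb5,krb5i,krb5p] [-network=<net> -mask=<mask>] [host ...]

A client may use the nfsv4 root (i.e. do an nfsv4 mount) only if some V4: line
matches it AND the security flavor it used is permitted by that line. A line
with no host or network restriction matches every client. If no line matches,
the client cannot talk nfsv4 to the server at all.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Flavors named in the message; anything else in -sec= is rejected.
ALL_FLAVORS: Tuple[str, ...] = ("sys", "krb5", "krb5i", "krb5p")


@dataclass
class V4Rule:
    root: str                                   # path that becomes the nfsv4 root
    flavors: Tuple[str, ...]                    # permitted security flavors
    hosts: List[str]                            # literal host names (assumption: no DNS)
    network: Optional[ipaddress.IPv4Network]    # from -network= and -mask=, if given


def parse_v4_line(line: str) -> V4Rule:
    """Parse one 'V4: ...' line. Raises ValueError on anything the syntax doesn't allow."""
    tag, _, rest = line.strip().partition(":")
    if tag != "V4":
        raise ValueError(f"not a V4 line: {line!r}")
    tokens = rest.split()
    if not tokens:
        raise ValueError("V4 line has no root path")
    root, opts = tokens[0], tokens[1:]
    flavors: Tuple[str, ...] = ALL_FLAVORS       # no -sec= means no flavor restriction
    hosts: List[str] = []
    net = mask = None
    for tok in opts:
        if tok.startswith("-sec="):
            flavors = tuple(tok[len("-sec="):].split(","))
            unknown = set(flavors) - set(ALL_FLAVORS)
            if unknown:
                raise ValueError(f"unknown security flavor(s): {sorted(unknown)}")
        elif tok.startswith("-network="):
            net = tok[len("-network="):]
        elif tok.startswith("-mask="):
            mask = tok[len("-mask="):]
        elif tok.startswith("-"):
            raise ValueError(f"unsupported option {tok!r}")
        else:
            hosts.append(tok)
    network = None
    if (net is None) != (mask is None):
        raise ValueError("-network= and -mask= must be given together")
    if net is not None:
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    return V4Rule(root, flavors, hosts, network)


def parse_exports(text: str) -> List[V4Rule]:
    """Collect the V4: lines of an /etc/exports body; other export lines are ignored here.

    There is only one nfsv4 tree, so every V4: line must name the same root.
    """
    rules = [parse_v4_line(ln) for ln in text.splitlines() if ln.strip().startswith("V4:")]
    roots = {r.root for r in rules}
    if len(roots) > 1:
        raise ValueError(f"conflicting nfsv4 roots: {sorted(roots)}")
    return rules


def v4_root_allowed(rules: List[V4Rule], client: str, flavor: str) -> bool:
    """Decide whether `client` (host name or dotted IPv4 string) may access the
    nfsv4 root using security flavor `flavor`. Default deny when nothing matches."""
    try:
        addr: Optional[ipaddress.IPv4Address] = ipaddress.IPv4Address(client)
    except ValueError:
        addr = None                              # treat as a host name
    for r in rules:
        unrestricted = not r.hosts and r.network is None
        host_match = client in r.hosts
        net_match = addr is not None and r.network is not None and addr in r.network
        if (unrestricted or host_match or net_match) and flavor in r.flavors:
            return True
    return False


# Constructed sample: the second alternative's example from the message, plus an
# ordinary export line to show that non-V4 lines are left alone by this model.
SAMPLE_EXPORTS = """\
/export -maproot=root grumpy.cis.uoguelph.ca
V4: / grumpy.cis.uoguelph.ca
V4: / -sec=krb5i,krb5p -network=131.104.48.0 -mask=255.255.255.0
"""


def demo():
    """Return (root, decisions) for a few constructed clients against SAMPLE_EXPORTS."""
    rules = parse_exports(SAMPLE_EXPORTS)
    checks = [
        ("grumpy.cis.uoguelph.ca", "sys"),       # named host, AUTH_SYS: allowed
        ("131.104.48.17", "krb5p"),              # in subnet, krb5p: allowed
        ("131.104.48.17", "sys"),                # in subnet, but sys not in -sec=: denied
        ("131.104.49.17", "krb5p"),              # outside subnet, not named: denied
    ]
    return rules[0].root, {c: v4_root_allowed(rules, *c) for c in checks}


if __name__ == "__main__":
    root, decisions = demo()
    print("nfsv4 root:", root)
    for (client, flavor), ok in decisions.items():
        print(f"{client:24s} {flavor:6s} {'allow' if ok else 'deny'}")
```

The two things worth noticing are that the decision is default-deny (a client outside every V4: line gets no nfsv4 at all, exactly as the message says for "the rest of the IP space"), and that the model enforces the single-tree constraint by rejecting a file whose V4: lines name different roots; the first alternative (a single `V4: /export -sec=krb5i,krb5p` line with no hosts) parses as one unrestricted-host rule with a flavor restriction.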