Date:      Mon, 02 Aug 1999 00:21:43 -0400
From:      "David E. Cross" <crossd@cs.rpi.edu>
To:        Jason Young <doogie@anet-stl.com>
Cc:        Kevin Day <toasty@dragondata.com>, Matthew Dillon <dillon@apollo.backplane.com>, Martin Blapp <blapp@attic.ch>, freebsd-current@FreeBSD.ORG, crossd@cs.rpi.edu
Subject:   Re: mountpoint locking with fbsd-nfs 
Message-ID:  <199908020421.AAA65570@cs.rpi.edu>
In-Reply-To: Message from Jason Young <doogie@anet-stl.com>  of "Sun, 01 Aug 1999 23:01:01 CDT." <Pine.BSF.3.96.990801225104.6535C-100000@earth.anet-stl.com> 

> IIRC, mount permissions (i.e., what IP addresses, root UID mangling, etc) 
> are set per filesystem. Given a filesystem structure like this: 
> 
> > df
> Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
> /dev/da0s1a    127023    27151    89711    23%    /
> /dev/ccd0c    8321099  2391764  5263648    31%    /home
> /dev/da0s1e   2032623   732806  1137208    39%    /usr
> /dev/da1s1f   2032623   816051  1053963    44%    /var
> /dev/ccd1c    4001742  1571210  2110393    43%    /var/mail
> procfs              4        4        0   100%    /proc
> 
> You can only set IP addresses to be exported to and other options only
> once for the /usr filesystem, once for the /var filesystem, etc. 
> 
> This doesn't mean if I export /home/doogie to 192.168.40.1 that that IP
> address can mount /home. Mount still controls the mountpoints allowed. 
> 
> If you want to export multiple mountpoints of the same filesystem, you
> need to specify them all on one line with one options set. Like this:
> 
>  /home/doogie /home/joebob /home/luser -maproot=0:0 testbox.accessus.net
> 
> Jason Young
> accessUS Chief Network Engineer
> 
> PS: I just realized the manpage disagrees with this; it has multiple
> exports lines for the same filesystem. I believe the manpage is wrong, at
> least in that it doesn't reflect reality.  Comments from anybody? 

If you have /home as a filesystem and you export /home/userj to the machine
'foo', then 'foo' in reality has access to all of home; it is the reality of
how NFS "works".  In reflecting this, it kinda makes sense to place the access
controls on the filesystem itself, since that is the only thing that is
realistically determinable to the nfs "daemon"  <-- term used lightly.

I believe that it is OK to have the following:

/usr -ro badhost
/usr goodhost

(as long as the permissions are not contradictory it is ok)... In fact we
use that a lot here.  We run into problems here because we use netgroups
and will have a single machine in multiple netgroups... ala:

/share -ro freebsd3
/share trusted

where trusted and freebsd3 share a couple of members, and the mountd chokes
trying to resolve the conflict.

--
David Cross                               | email: crossd@cs.rpi.edu 
Systems Administrator/Research Programmer | Web: http://www.cs.rpi.edu/~crossd 
Rensselaer Polytechnic Institute,         | Ph: 518.276.2860            
Department of Computer Science            | Fax: 518.276.4033
I speak only for myself.                  | WinNT:Linux::Linux:FreeBSD
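
Added example (not part of the original message or of FreeBSD's mountd): a small audit that maps each exports line to its underlying filesystem, expands netgroups, and reports hosts that end up with differing option sets on one filesystem, plus subdirectory exports that, as the message describes, are really enforced per filesystem. The mount list, netgroup members and export lines are constructed sample data; the parser assumes only the simple "paths, dash options, hosts" line form shown in this thread, and treating any two different option sets as a conflict is this example's assumption.

```python
from collections import defaultdict

# Constructed sample data for illustration; none of it comes from a real host.
MOUNTS = ["/", "/home", "/usr", "/var", "/share"]
NETGROUPS = {"freebsd3": {"alpha", "beta", "gamma"},   # hypothetical members
             "trusted": {"beta", "gamma", "delta"}}
EXPORTS = """\
/share -ro freebsd3
/share trusted
/home/doogie /home/joebob -maproot=0:0 testbox
/usr -ro badhost
/usr goodhost
"""

def filesystem_of(path, mounts):
    """Return the longest mount point that contains path."""
    best = "/"
    for m in mounts:
        inside = path == m or path.startswith(m.rstrip("/") + "/")
        if inside and len(m) > len(best):
            best = m
    return best

def parse(exports):
    """Yield (paths, options, hosts) per line; simple 'path... -opt... host...' form only."""
    for line in exports.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield ([f for f in fields if f.startswith("/")],
                   frozenset(f for f in fields if f.startswith("-")),
                   [f for f in fields if not f.startswith(("/", "-"))])

def audit(exports, mounts, netgroups):
    """Return (conflicts, widened): hosts given differing option sets on one
    filesystem, and subdirectory exports mapped to the filesystem they expose."""
    seen, widened = defaultdict(set), {}
    for paths, opts, hosts in parse(exports):
        for p in paths:
            fs = filesystem_of(p, mounts)
            if fs != p:
                widened[p] = fs
            for name in hosts:
                for host in netgroups.get(name, {name}):  # expand netgroups
                    seen[(fs, host)].add(opts)
    return {k: v for k, v in seen.items() if len(v) > 1}, widened

if __name__ == "__main__":
    conflicts, widened = audit(EXPORTS, MOUNTS, NETGROUPS)
    for (fs, host), optsets in sorted(conflicts.items()):
        print(f"CONFLICT {host} on {fs}: {sorted(sorted(o) for o in optsets)}")
    for path, fs in sorted(widened.items()):
        print(f"NOTE export of {path} is enforced on all of {fs}")
```

On the sample data this flags the two hosts that sit in both netgroups for /share, and leaves the /usr lines alone because badhost and goodhost are distinct hosts.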

