Date: Sat, 15 Dec 2001 00:31:50 -0800 From: Terry Lambert <tlambert2@mindspring.com> To: obrien@freebsd.org Cc: Ian Dowse <iedowse@maths.tcd.ie>, current@freebsd.org Subject: Re: mountd(8) leaving filesystems exported Message-ID: <3C1B0A76.21F0D4EE@mindspring.com> References: <200112150034.aa63895@salmon.maths.tcd.ie> <3C1AEB07.5FE66AD7@mindspring.com> <20011215002501.B27029@dragon.nuxi.com>
next in thread | previous in thread | raw e-mail | index | archive | help
David O'Brien wrote: > On Fri, Dec 14, 2001 at 10:17:43PM -0800, Terry Lambert wrote: > > The problem is that the exported FSs exports are managed in the > > per FS mount code, and they really ought to be managed in higher > > level code (above the VFS layer, but still in the kernel). > > > > This is incidently what prevents us from having a SunOS-like > > And why we cannot export to parallel directories of a file system. > This limitation is actually a security concern as one ends up exporting > the parent and thus exposes more of the filesystem across the network. As a security thing, it cuts both ways; it really depends on your policy basis. In general, this is handled by adding an option to the mountd to only export whole FSs, to get around the cut the other direction (I think this is "-subdirs" on SunOS, but it has been over a year since I powered up my SPARC box). The other nice thing about handling it in the upper layers is that, doing what you want to do, you can put different directories of the same FS into different netgroups and/or export the main as read-only with a subdirectory as read-write. The one caveat here is that the server won't distinguish these, except on handle, so exclusion group protections on the directory containing the read/write mount point won't prevent read/write by other users, unless you cons up a handle (you should have to do this anyway, but it will require a little client work to get it going; in any case, such security is always defeatable with raw wire access). -- Terry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3C1B0A76.21F0D4EE>