On May 12, 2004, at 3:31 AM, Mikhail E. Zakharov wrote:
When playing with NFS under FreeBSD, I've noticed something strange.
You know it's impossible to export 2 directories of the same file system on the server to the 1 nfs-client:
server# cat /etc/exports
/usr/c client
/usr/d client
server# killall -HUP mountd
server# showmount -e
/usr/c Everyone

There is no /usr/d exported. And we got errors in /var/log/messages:
mountd[377]: can't change attributes for /usr/d
mountd[377]: bad exports list line /usr/d

Please refer to _Managing NFS and NIS_, O'Reilly, p92:

"2. You cannot export any subdirectory of an exported filesystem unless the
subdirectory is on a different physical device.

3. You cannot export any parent directory of an exported filesystem unless
the parent is on a different physical device."

Basicly, NFS exports work on a per-filesystem basis, although one can use symbolic links to achieve results similar to what you are trying to do by exporting different subdirectories of the same filesystem.

There's a more extensive writeup about this here:


But it's possible(!) to fool mountd when using the -network key.
Let's try to export /usr/a as read-only system for the whole network, and /usr/b writable for one host, and not readable for other. NB! Our NFS-client ( is from network. See this example:
[ ... ]
When we mounted them on client. Let's make additional tests:
client# echo "something stupid" > /mnt/test.txt
client# echo "something stupid1" > /mnt1/test1.txt
client# cat /mnt/test.txt
something stupid
client# cat /mnt1/test1.txt
something stupid1

Oh, my God! Both of the exported directories are writable.

If you export one filesystem ro to an entire subnet, and then also export the same filesystem rw to a specific machine, the machine granted r/w permissions can write to that filesystem, yes. That's by design.

If some other machine could write to the filesystem, or if you choose to export two different filesystems with different permissions, that would indicate a problem...


[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to