On Wed, 14 Jan 2026 10:34:04 +0100 Amir Goldstein <[email protected]> wrote:
> On Wed, Jan 14, 2026 at 7:28 AM Christoph Hellwig <[email protected]> wrote: > > > > On Tue, Jan 13, 2026 at 12:06:42PM -0500, Jeff Layton wrote: > > > Fair point, but it's not that hard to conceive of a situation where > > > someone inadvertantly exports cgroupfs or some similar filesystem: > > > > Sure. But how is this worse than accidentally exporting private data > > or any other misconfiguration? > > > > My POV is that it is less about security (as your question implies), and > more about correctness. > > The special thing about NFS export, as opposed to, say, ksmbd, is > open by file handle, IOW, the export_operations. > > I perceive this as a very strange and undesired situation when NFS > file handles do not behave as persistent file handles. > > FUSE will gladly open a completely different object, sometimes > a different object type from an NFS client request after server restart. > > I suppose that the same could happen with tmpfs and probably some > other fs. ... You really shouldn't be allowed to nfs export a fs that doesn't have persistent file handles. Even file handles containing 'random' numbers can be problematic. The default used to be 'hard mounts' (not sure it is any more) which caused the client (not Linux - too long ago) to loop in kernel forever waiting for the server to recover the filesystem export. The only resolution on that system was to reboot the client. At least nfs can now use variable size file-ids. When I was fixing some code that exported a layered fs (I pretty much rewrote the fs at the same time) I did randomise the file-ids so they (hopefully) became invalid after a reboot (only after suffering some very corrupt filesystems!) I found nfs (over udp) had some interesting 'features': - If you export part of a fs you export all of it. (Especially since this predated the randomisation of the inode generation number.) - If you give anyone access you give everyone access. - If you give anyone write access you give everyone write access. The latter two because the 'mount' protocol wasn't really needed and the server didn't care where requests came from. David
