NFS-bug or not?
Hi!

When playing with NFS under FreeBSD, I've noticed something strange. You know it's impossible to export 2 directories of the same file system on the server to one NFS client:

server# cat /etc/exports
/usr/c client
/usr/d client
server# killall -HUP mountd
server# showmount -e
/usr/c Everyone

There is no /usr/d exported. And we got errors in /var/log/messages:

mountd[377]: can't change attributes for /usr/d
mountd[377]: bad exports list line /usr/d

But it's possible(!) to fool mountd when using the -network key. Let's try to export /usr/a as a read-only system for the whole network, and /usr/b writable for one host and not readable for others.

NB! Our NFS client (192.168.12.98) is from the 192.168.0.0/16 network. See this example:

server# cat /etc/exports
/usr/a -ro -network 192.168.0.0 -mask 255.255.0.0
/usr/b -mapall=root 192.168.12.98
server# killall -HUP mountd
server# showmount -e
Exports list on localhost:
/usr/b 192.168.12.98
/usr/a 192.168.0.0

As you see, /usr/a and /usr/b were successfully exported without errors. Now, from the client (192.168.12.98) we can mount both of them:

client# mount server:/usr/b /mnt1
client# mount server:/usr/a /mnt
client# mount
server:/usr/b on /mnt1 (nfs)
server:/usr/a on /mnt (nfs)

Once we have mounted them on the client, let's make additional tests:

client# echo something stupid > /mnt/test.txt
client# echo something stupid1 > /mnt1/test1.txt
client# cat /mnt/test.txt
something stupid
client# cat /mnt1/test1.txt
something stupid1

Oh, my God! Both of the exported directories are writable.

Best regards,
Mikhail Zakharov
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: NFS-bug or not?
On May 12, 2004, at 3:31 AM, Mikhail E. Zakharov wrote:

> When playing with NFS under FreeBSD, I've noticed something strange. You know it's impossible to export 2 directories of the same file system on the server to one NFS client:
>
> server# cat /etc/exports
> /usr/c client
> /usr/d client
> server# killall -HUP mountd
> server# showmount -e
> /usr/c Everyone
>
> There is no /usr/d exported. And we got errors in /var/log/messages:
>
> mountd[377]: can't change attributes for /usr/d
> mountd[377]: bad exports list line /usr/d

Please refer to _Managing NFS and NIS_, O'Reilly, p92:

2. You cannot export any subdirectory of an exported filesystem unless the subdirectory is on a different physical device.
3. You cannot export any parent directory of an exported filesystem unless the parent is on a different physical device.

Basically, NFS exports work on a per-filesystem basis, although one can use symbolic links to achieve results similar to what you are trying to do by exporting different subdirectories of the same filesystem. There's a more extensive writeup about this here:

http://www.pkix.net/~chuck/doc/NFS/article.html

> But it's possible(!) to fool mountd when using the -network key. Let's try to export /usr/a as a read-only system for the whole network, and /usr/b writable for one host and not readable for others.
>
> NB! Our NFS client (192.168.12.98) is from the 192.168.0.0/16 network. See this example:
>
> [ ... ]
>
> Once we have mounted them on the client, let's make additional tests:
>
> client# echo something stupid > /mnt/test.txt
> client# echo something stupid1 > /mnt1/test1.txt
> client# cat /mnt/test.txt
> something stupid
> client# cat /mnt1/test1.txt
> something stupid1
>
> Oh, my God! Both of the exported directories are writable.

If you export one filesystem ro to an entire subnet, and then also export the same filesystem rw to a specific machine, the machine granted r/w permissions can write to that filesystem, yes. That's by design.

If some other machine could write to the filesystem, or if you choose to export two different filesystems with different permissions, that would indicate a problem...

--
-Chuck
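The per-filesystem rule Chuck describes is easy to misjudge by reading /etc/exports line by line, because each line looks like it grants access to one directory. The script below is an added example, not code from the thread or from FreeBSD: it parses exports(5)-style lines (paths, -ro, -mapall=, -network/-mask, host lists), groups them by the local filesystem they live on, and reports (a) a host named twice for one filesystem, which mountd rejects as in the /usr/c and /usr/d experiment, and (b) a read-only -network line paired with a writable host line for a host inside that network, which is the /usr/a and /usr/b experiment. The FS_OF_PATH mapping is an assumption standing in for os.stat().st_dev or df(1) so that the example runs offline, and the precedence order in effective_access (explicit host over -network over default) is assumed to match what the thread observed.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample combining both experiments from the thread.
SAMPLE_EXPORTS = """\
/usr/a -ro -network 192.168.0.0 -mask 255.255.0.0
/usr/b -mapall=root 192.168.12.98
/usr/c client
/usr/d client
"""

# Assumed: which local filesystem (mount point) each exported path lives on.
# A real tool would derive this from os.stat(path).st_dev or df(1).
FS_OF_PATH = {"/usr/a": "/usr", "/usr/b": "/usr", "/usr/c": "/usr", "/usr/d": "/usr"}

SPECIFICITY = {"host": 2, "network": 1, "default": 0}


def parse_exports(text):
    """Parse exports(5)-style lines into dicts: paths, opts, hosts, network."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        entry = {"paths": [], "opts": {}, "hosts": [], "network": None}
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("/"):
                entry["paths"].append(tok)
            elif tok == "-network":          # -network 192.168.0.0[/16]
                i += 1
                entry["network"] = tokens[i]
            elif tok == "-mask":             # -mask 255.255.0.0 follows -network
                i += 1
                entry["network"] = f'{entry["network"]}/{tokens[i]}'
            elif tok.startswith("-"):        # -ro, -mapall=root, -maproot=..., ...
                key, _, value = tok[1:].partition("=")
                entry["opts"][key] = value or True
            else:                            # bare host name or address
                entry["hosts"].append(tok)
            i += 1
        if entry["network"] is not None:
            entry["network"] = ipaddress.ip_network(entry["network"], strict=False)
        entries.append(entry)
    return entries


def _ip_in(net, client):
    try:
        return ipaddress.ip_address(client) in net
    except ValueError:      # a host name cannot be matched against a network
        return False


def scope(entry):
    if entry["hosts"]:
        return "host"
    if entry["network"] is not None:
        return "network"
    return "default"


def matches(entry, client):
    """Does this export line apply to `client` (an IP address or host name)?"""
    if entry["network"] is not None:
        return _ip_in(entry["network"], client)
    if entry["hosts"]:
        return client in entry["hosts"]
    return True             # no host list: the default entry applies to everyone


def effective_access(entries, client, fs_of_path=FS_OF_PATH):
    """Per local filesystem: (access the client ends up with, applicable lines).
    Assumed precedence: explicit host line > -network line > default line; the
    winner applies to every exported directory on that filesystem."""
    per_fs = defaultdict(list)
    for entry in entries:
        if not matches(entry, client):
            continue
        mode = "ro" if "ro" in entry["opts"] else "rw"
        for path in entry["paths"]:
            per_fs[fs_of_path[path]].append((path, mode, SPECIFICITY[scope(entry)]))
    result = {}
    for fs, lines in per_fs.items():
        winner = max(lines, key=lambda item: item[2])
        result[fs] = (winner[1], [(path, mode) for path, mode, _ in lines])
    return result


def lint(entries, fs_of_path=FS_OF_PATH):
    """Findings about export lines that share one local filesystem."""
    findings = []
    by_fs = defaultdict(list)
    for entry in entries:
        for path in entry["paths"]:
            by_fs[fs_of_path[path]].append((path, entry))
    for fs, items in by_fs.items():
        # (1) exports(5): a host may be named only once per local filesystem;
        #     mountd logs "bad exports list line" and drops the repeat.
        first_seen = {}
        for path, entry in items:
            for host in entry["hosts"]:
                if host in first_seen:
                    findings.append(f"{fs}: host {host} listed twice ({first_seen[host]} and {path});"
                                    f" mountd rejects the second line")
                first_seen.setdefault(host, path)
        # (2) a ro -network line plus a writable host line for a host inside that
        #     network: the host can write to the whole filesystem, both paths included.
        ro_nets = [(p, e["network"]) for p, e in items
                   if "ro" in e["opts"] and e["network"] is not None]
        for path, entry in items:
            if "ro" in entry["opts"]:
                continue
            for host in entry["hosts"]:
                for ro_path, net in ro_nets:
                    if _ip_in(net, host):
                        findings.append(f"{fs}: {host} gets rw via {path}, which also makes "
                                        f"{ro_path} (exported ro to {net}) writable for it")
    return findings


if __name__ == "__main__":
    exports = parse_exports(SAMPLE_EXPORTS)
    for client in ("192.168.12.98", "192.168.50.5", "client"):
        print(client, effective_access(exports, client))
    for finding in lint(exports):
        print("WARN", finding)
```

Run against the constructed sample, effective_access reports rw on /usr for 192.168.12.98 through both /usr/a and /usr/b, ro for another host in the /16, and rw for the host named "client"; lint flags the duplicated "client" entry and the rw host inside the read-only network. Pointing FS_OF_PATH at real st_dev data turns this into a pre-commit check for an exports file.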
Re: NFS-bug or not?
> On May 12, 2004, at 3:31 AM, Mikhail E. Zakharov wrote:
>
> > When playing with NFS under FreeBSD, I've noticed something strange. You know it's impossible to export 2 directories of the same file system on the server to one NFS client:
> >
> > server# cat /etc/exports
> > /usr/c client
> > /usr/d client
> > server# killall -HUP mountd
> > server# showmount -e
> > /usr/c Everyone
> >
> > There is no /usr/d exported. And we got errors in /var/log/messages:
> >
> > mountd[377]: can't change attributes for /usr/d
> > mountd[377]: bad exports list line /usr/d
>
> Please refer to _Managing NFS and NIS_, O'Reilly, p92:
>
> 2. You cannot export any subdirectory of an exported filesystem unless the subdirectory is on a different physical device.
> 3. You cannot export any parent directory of an exported filesystem unless the parent is on a different physical device.
>
> Basically, NFS exports work on a per-filesystem basis, although one can use symbolic links to achieve results similar to what you are trying to do by exporting different subdirectories of the same filesystem. There's a more extensive writeup about this here:
>
> http://www.pkix.net/~chuck/doc/NFS/article.html
>
> > But it's possible(!) to fool mountd when using the -network key. Let's try to export /usr/a as a read-only system for the whole network, and /usr/b writable for one host and not readable for others.
> >
> > NB! Our NFS client (192.168.12.98) is from the 192.168.0.0/16 network. See this example:
> >
> > [ ... ]
> >
> > Once we have mounted them on the client, let's make additional tests:
> >
> > client# echo something stupid > /mnt/test.txt
> > client# echo something stupid1 > /mnt1/test1.txt
> > client# cat /mnt/test.txt
> > something stupid
> > client# cat /mnt1/test1.txt
> > something stupid1
> >
> > Oh, my God! Both of the exported directories are writable.
>
> If you export one filesystem ro to an entire subnet, and then also export the same filesystem rw to a specific machine, the machine granted r/w permissions can write to that filesystem, yes. That's by design.

Ok, per-filesystem basis explains everything. Thanks!

> If some other machine could write to the filesystem, or if you choose to export two different filesystems with different permissions, that would indicate a problem...
>
> --
> -Chuck