On Fri, Dec 31, 2010 at 07:45:26PM +0000, David Laight wrote:
> [...]
> From what I remember of the NFS protocol, the following 'rules' applied:
> 1) If you export part of a filesystem, you export all of the filesystem.

that's probably true

> 2) If you give anyone access, you give everyone access.
> 3) If you give anyone write access, you give everyone write access.

these 2 are not true for NetBSD I think

> This is all because it is the 'mount' protocol that verifies whether
> a client has access - so a client that disobeys the mount protocol, or
> fakes up valid nfs file handles can avoid the access checks.

This was true for the SunOS 4 nfs implementation (and maybe other
implementations derived from the same base), but for NetBSD, some checks
are done at the nfsd level: the source IP address from the NFS request is
checked against the export list, as well as the R/O status for a write
request (and other things such as the uid root is mapped to).
So if you consider IP addresses are not spoofable in your environment,
IP-based access and write permissions are fine.

--
Manuel Bouyer <bou...@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
--
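A small model of the per-request checks described in the reply above (source address against the export list, read-only status for writes, root uid mapping), written as an added example for this thread; it is not code from NetBSD's nfsd. The export table, addresses, paths and uid values are constructed, and the option names in the comments refer to exports(5)'s -network/-mask, -ro and -maproot.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Export:
    """One export line: the client restriction and per-export options."""
    path: str
    network: str      # like -network/-mask; constructed documentation prefix
    read_only: bool   # like -ro
    maproot: int      # like -maproot=<uid>: what uid 0 becomes (constructed value)


# Constructed export table (not a real site).
EXPORTS = [
    Export("/srv/pub", "192.0.2.0/24", read_only=True, maproot=65534),
    Export("/srv/home", "198.51.100.0/24", read_only=False, maproot=65534),
]


def check_request(path, src_ip, op, uid):
    """Decide an NFS request the way the reply describes the nfsd-level checks.

    Returns (allowed, effective_uid, reason). The decision trusts src_ip as
    seen in the request, which is exactly the "addresses are not spoofable"
    assumption the thread calls out.
    """
    export = next((e for e in EXPORTS
                   if path == e.path or path.startswith(e.path + "/")), None)
    if export is None:
        return (False, uid, "not exported")
    # 1) source address must be inside the export's network
    if ip_address(src_ip) not in ip_network(export.network):
        return (False, uid, "source address not in export list")
    # 2) a write against a read-only export is refused per request,
    #    not only at mount time
    if op == "write" and export.read_only:
        return (False, uid, "export is read-only")
    # 3) root on the client is mapped to the configured uid
    eff_uid = export.maproot if uid == 0 else uid
    return (True, eff_uid, "ok")


if __name__ == "__main__":
    print(check_request("/srv/pub/file", "192.0.2.10", "write", 0))
    print(check_request("/srv/home/u", "198.51.100.7", "write", 1000))
```

Because every request is checked, a client that skips the mount protocol or presents a guessed file handle still hits the address, read-only and root-mapping checks; only a forged source address would get past them.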