NFS-bug or not ?

Charles Swiger cswiger at mac.com
Wed May 12 08:56:53 PDT 2004


On May 12, 2004, at 3:31 AM, Mikhail E. Zakharov wrote:
> When playing with NFS under FreeBSD, I've noticed something strange.
> You know it's impossible to export 2 directories of the same file 
> system on the server to the 1 nfs-client:
> server# cat /etc/exports
> /usr/c client
> /usr/d client
> server# killall -HUP mountd
> server# showmount -e
> /usr/c                             Everyone
>
> There is no /usr/d exported. And we got errors in /var/log/messages:
> mountd[377]: can't change attributes for /usr/d
> mountd[377]: bad exports list line /usr/d

Please refer to _Managing NFS and NIS_, O'Reilly, p92:

"2. You cannot export any subdirectory of an exported filesystem unless
  the subdirectory is on a different physical device.

  3. You cannot export any parent directory of an exported filesystem
  unless the parent is on a different physical device."

Basically, NFS exports work on a per-filesystem basis, although one can 
use symbolic links to achieve results similar to what you are trying to 
do by exporting different subdirectories of the same filesystem.

There's a more extensive writeup about this here:

http://www.pkix.net/~chuck/doc/NFS/article.html

> But it's possible(!) to fool mountd when using the -network key.
> Let's try to export /usr/a as read-only system for the whole network, 
> and /usr/b writable for one host, and not readable for other. NB! Our 
> NFS-client (192.168.12.98) is from 192.168.0.0/16 network. See this 
> example:
[ ... ]
> When we mounted them on client. Let's make additional tests:
> client# echo "something stupid" > /mnt/test.txt
> client# echo "something stupid1" > /mnt1/test1.txt
> client# cat /mnt/test.txt
> something stupid
> client# cat /mnt1/test1.txt
> something stupid1
>
> Oh, my God! Both of the exported directories are writable.

If you export one filesystem ro to an entire subnet, and then also 
export the same filesystem rw to a specific machine, the machine 
granted r/w permissions can write to that filesystem, yes.  That's by 
design.

If some other machine could write to the filesystem, or if you choose 
to export two different filesystems with different permissions, that 
would indicate a problem...

-- 
-Chuck
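
The per-filesystem behaviour described in the reply above, as an added example that is not part of the original message: a simplified model which assumes the most specific matching entry decides a client's access for the whole filesystem. The exports lines, the path-to-filesystem map and the function names are constructed for illustration, since the thread's own exports file is elided.

```python
import ipaddress

# Constructed sample in FreeBSD exports(5) syntax; the thread's own file is elided.
SAMPLE_EXPORTS = """\
/usr/a -ro -network 192.168.0.0 -mask 255.255.0.0
/usr/b 192.168.12.98
"""
# Assumption: both directories live on the same /usr filesystem, as in the thread.
SAMPLE_FS_OF = {"/usr/a": "/usr", "/usr/b": "/usr"}

def parse_exports(text):
    """Return one (directory, network, read_only) tuple per host or network."""
    entries = []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        path, opts = tok[0], iter(tok[1:])
        ro, net, mask, hosts = False, None, None, []
        for t in opts:
            if t == "-ro":
                ro = True
            elif t == "-network":
                net = next(opts)
            elif t == "-mask":
                mask = next(opts)
            elif not t.startswith("-"):
                hosts.append(t)  # only literal IP addresses are handled here
        if net:
            spec = f"{net}/{mask}" if mask else net
            entries.append((path, ipaddress.ip_network(spec, strict=False), ro))
        for h in hosts:
            entries.append((path, ipaddress.ip_network(h), ro))
    return entries

def effective_access(entries, fs_of, client_ip):
    """Per filesystem, the flags of the most specific entry matching the client."""
    ip = ipaddress.ip_address(client_ip)
    best = {}
    for path, net, ro in entries:
        fs = fs_of[path]
        if ip in net and (fs not in best or net.prefixlen > best[fs][0]):
            best[fs] = (net.prefixlen, ro)
    return {fs: ("ro" if ro else "rw") for fs, (_, ro) in best.items()}

def writable_dirs(entries, fs_of, client_ip):
    """Exported directories the client can write to once they are mounted."""
    access = effective_access(entries, fs_of, client_ip)
    return sorted({p for p, _, _ in entries if access.get(fs_of[p]) == "rw"})
```

On a live server the path-to-filesystem map can be built by comparing st_dev from os.stat() for each exported directory.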


