Re: RFC: fixing PR#282995

Reply: Sulev-Madis Silber : "Re: RFC: fixing PR#282995"
In reply to: rb_a_gid.co.uk: "Re: RFC: fixing PR#282995"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Thu, 28 Nov 2024 19:55:07 UTC
On Thu, Nov 28, 2024 at 7:49 AM <rb@gid.co.uk> wrote:
>
>
>
> > On 28 Nov 2024, at 15:04, Rick Macklem <rick.macklem@gmail.com> wrote:
> >
> > On Thu, Nov 28, 2024 at 4:36 AM Bob Bishop <rb@gid.co.uk> wrote:
> >>
> >> Hi,
> >>
> >>> On 27 Nov 2024, at 21:56, Rick Macklem <rick.macklem@gmail.com> wrote:
> >>>
> >>> Hi,
> >>>
> >>> PR#282995 reports that the "-alldirs" export option is broken,
> >>> since it allows an export where the directory path is not a mount point.
> >>>
> >>> I'll admit I did not recall this semantic for -alldirs and I now see it is only
> >>> documented in the "Examples" section of exports(5).
> >>>
> >>> Looking at the code, it appears this was broken between releng1 and
> >>> releng2.0 (about 30years ago) when the call to mount(2) in mountd.c
> >>> was changed from using the path in the exports line to using f_mntonname.
> >>> (The check for "it is a mount point" depended on mount(2) failing because
> >>> the path was not a mount point.)
> >>>
> >>> I do believe the semantic is a useful one,
> >>
> >> Why?
> > Suppose /cdrom is where a CD is mounted sometimes.
> > If this is exported when the CD is not mounted, it will export
> > the "/" file system.
> > --> This export is probably not what the sysadmin wanted.
> >      mountd does now generate a warning about this, which
> >      was how the exporter spotted the bug.
> > For example (the line in /etc/exports):
> > /cdrom -alldirs
> > will export "/" to "the world" if /cdrom is not mounted.
>
> I will agree that is undesirable.
>
> > The example in the exports(5) man page claims the export
> > line will fail, so "/" would not be exported. This seems like
> > a better semantic to me.
>
> It’s certainly safer but will cause client mounts to fail as well. It would be nicer to export an empty directory.
A couple of comments here (mostly for everyone else reading this).
1 - From a security point of view, exports apply to server file
systems, not directories.
     (They are stored in the kernel on file system mount points.)
2 - The "administrative controls" which allow mounts for only certain
directories within a server file
      system is not a significant security tool. They can be easily
circumvented and only work for
      NFSv3 and not NFSv4, since they only affect the NFSv3 sideband
Mount protocol.
3 - The whole purpose of exports(5) is to make undesirable NFS client
mounts fail.

Personally, I wish these "administrative controls" did not exist. They
were created way back in
the mid-1980s so that BSD (CSRG) could be "Sun compatible". When I got
involved in NFS
on FreeBSD I tried to convince the "collective" to get rid of them,
but there was pushback,
due to that being a POLA violation.
--> As such, they still exist. They still cause confusion w.r.t. what
is exported and I, personally,
     recommend they be avoided when a exports(5) file is created in
order to minimize the
     risk of exporting some file system that is undesirable from a
security perspective.

rick
ps: Thanks for the comments. I am proceeding with (C).

>
> > rick
> >
> >>
> >>> although making it that way
> >>> after 30years might be construed as a POLA violation?
> >>>
> >>> So, what do others think I should do with this?
> >>> (A) - Patch mountd to enforce the "must be a mount point when -alldirs
> >>>       is specified, plus update exports(5) to state this semantic clearly.
> >>> or
> >>> (B) - Patch mountd so that it enforces "must be a mount point when -alldirs
> >>>       is specified, but only enabled via a new mountd command line option.
> >>>       --> ie. Leave the default as not enforced, but allow enforcement based
> >>>                 on a new mountd option.
> >>>            - Document this in both exports(5) and mountd(8).
> >>> or
> >>> ???
> >>
> >> (C) - Patch mountd so that it enforces "must be a mount point when -alldirs
> >>       is specified, but provide a new mountd command line option to restore the old behaviour.
> >>       --> ie. Default as enforced, but allow an override based  on a new mountd option.
> >>            - Document this in both exports(5) and mountd(8).
> >>
> >> I think that (A) is too POLA-unfriendly.
> >>
> >>> Thanks in advance for your comments, rick
> >>>
> >>
> >> --
> >> Bob Bishop
> >> rb@gid.co.uk
> >>
> >>
> >>
> >>
> >
>
> --
> Bob Bishop
> rb@gid.co.uk
>
>
>
>