Exporting the nfsv4 root

Rick Macklem rmacklem at uoguelph.ca
Fri May 22 19:21:36 UTC 2009


For nfsv4, the root directory of the tree that is exported via nfs
needs to be specified. (This is separate from exporting the various
file systems on the server, since there is only one tree for nfsv4.)

Solaris10 simply assumes "/" as the root (I don't think there is a
way to override that on Solaris, but I could be wrong). This is
convenient, since the mount paths then look the same for nfsv4 as
they do for nfsv2, 3.

Linux flags one exported file volume as the nfsv4 root, which limits
the export to that file system (and siblings, I think, although some
clients can't cross server mount point boundaries correctly).

What I currently have is an additional line in /etc/exports that looks
like:
 	V4: <path> [-sec=sys,krb5,krb5i,krb5p]
for example
 	V4: /		- works like Solaris10, without security flavor
 			  restrictions
 	V4: /export -sec=krb5i,krb5p	- makes "/export" the root and
 					  restricts all nfsv4 access to
 					  be done via krb5i or krb5p

Note that these security restrictions are applied to use of the nfsv4
root (which may not be on an exported volume). The export rules listed
in the rest of the /etc/exports file still apply. (When the nfsv4 root
is not in an exported file system, a very limited set of operations are
permitted, so that the mount of an exported volume can be done.)

Another variation of this that could be easily implemented is:

 	V4: <path> [-sec=sys,krb5,krb5i,krb5p] [hosts, subnets, ...]

and then allow this line to be used multiple times for different client
host(s). (i.e. It would be like the other lines in /etc/exports except
for the "V4:" prepended on the line to indicate that it is the nfsv4
root.) This would allow restrictions based on host ip#s to be applied.

For example:
 	V4: / grumpy.cis.uoguelph.ca
 	V4: / -sec=krb5i,krb5p	-network=131.104.48.0 -mask=255.255.255.0

which would allow grumpy.cis.uoguelph.ca to do nfsv4 mounts via AUTH_SYS
and allow the 131.104.48 subnet to do nfsv4 mounts via krb5i, p. The
rest of the IP space wouldn't be able to talk nfsv4 to the server.

What do you think about these two alternatives or can you think of
a better way to handle this?

Thanks in advance for any comments, rick
ps: Again, this only applies to access to the nfsv4 root (which typically
     only happens at mount time). After that, the normal /etc/exports
     restrictions apply.
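The following is an added example, not part of Rick's post and not FreeBSD's mountd/nfsd code: a small Python model of the second variant proposed above (one or more "V4:" lines, each optionally carrying -sec= and a host / -network/-mask restriction) that parses those lines and decides whether a given client, using a given security flavor, would be allowed to reach the nfsv4 root. Assumptions made by the model and not stated in the post: host names are compared as literal strings (no DNS resolution), a V4: line with no -sec= permits all four flavors, unknown -options are rejected, and all V4: lines must name the same root path (since there is only one nfsv4 tree). The sample /etc/exports text is constructed from the two examples in the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the two V4: lines from the post, plus an ordinary
# export line that this model deliberately ignores (normal export rules
# still apply after the mount, but that is a separate decision).
SAMPLE_EXPORTS = """\
/export -maproot=root -network=131.104.48.0 -mask=255.255.255.0
V4: / grumpy.cis.uoguelph.ca
V4: / -sec=krb5i,krb5p -network=131.104.48.0 -mask=255.255.255.0
"""

ALL_FLAVORS = ("sys", "krb5", "krb5i", "krb5p")


@dataclass
class V4Root:
    path: str          # the nfsv4 root this line describes
    flavors: tuple     # permitted security flavors (all four if no -sec=)
    hosts: list        # explicit host names/addresses (hypothetical: literal match)
    networks: list     # ipaddress networks built from -network/-mask


def parse_v4_lines(text):
    """Parse the V4: lines out of an /etc/exports-style text (model only)."""
    roots = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("V4:"):
            continue                      # ordinary export line: not our concern here
        tokens = line[len("V4:"):].split()
        if not tokens:
            raise ValueError(f"V4: line without a path: {raw!r}")
        path, rest = tokens[0], tokens[1:]
        flavors, hosts, networks = ALL_FLAVORS, [], []
        network = mask = None
        for tok in rest:
            if tok.startswith("-sec="):
                flavors = tuple(tok[len("-sec="):].split(","))
                bad = set(flavors) - set(ALL_FLAVORS)
                if bad:
                    raise ValueError(f"unknown security flavor(s) {sorted(bad)}")
            elif tok.startswith("-network="):
                network = tok[len("-network="):]
            elif tok.startswith("-mask="):
                mask = tok[len("-mask="):]
            elif tok.startswith("-"):
                raise ValueError(f"unknown option {tok!r} on V4: line")  # model assumption
            else:
                hosts.append(tok)
        if network is not None:
            # A -network without -mask is taken as a single host address.
            networks.append(ipaddress.ip_network(
                f"{network}/{mask or '255.255.255.255'}", strict=False))
        elif mask is not None:
            raise ValueError("-mask given without -network")
        roots.append(V4Root(path, flavors, hosts, networks))
    # Model assumption: there is one nfsv4 tree, so every V4: line must agree on it.
    paths = {r.path for r in roots}
    if len(paths) > 1:
        raise ValueError(f"conflicting nfsv4 roots: {sorted(paths)}")
    return roots


def v4_root_allowed(roots, client, flavor):
    """True if some V4: line admits this client (name or dotted IP) with this flavor."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        addr = None                       # a host name, matched literally below
    for r in roots:
        unrestricted = not r.hosts and not r.networks   # no host list at all
        host_ok = (unrestricted
                   or client in r.hosts
                   or (addr is not None and any(addr in n for n in r.networks)))
        if host_ok and flavor in r.flavors:
            return True
    return False


if __name__ == "__main__":
    roots = parse_v4_lines(SAMPLE_EXPORTS)
    for who, flav in [("grumpy.cis.uoguelph.ca", "sys"),
                      ("131.104.48.17", "krb5p"),
                      ("131.104.48.17", "sys"),
                      ("10.0.0.5", "krb5p")]:
        print(f"{who:24} {flav:6} -> {'allowed' if v4_root_allowed(roots, who, flav) else 'denied'}")
```

Run against the sample, grumpy gets in with AUTH_SYS, a 131.104.48 host gets in only with krb5i or krb5p, and an address outside both rules is refused regardless of flavor, which is exactly the behaviour the post describes for its two-line example. Note the model decides only the nfsv4-root question; per-volume export rules are a separate check it does not attempt.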
