Technological advantages over Linux
Matthew Seaman
matthew at FreeBSD.org
Fri Jul 24 10:57:56 UTC 2020
On 24/07/2020 11:17, Aryeh Friedman wrote:
> On Thu, Jul 23, 2020 at 11:59 PM hw <hw at adminart.net> wrote:
>
>>
>> You can add that NFS in FreeBSD is a catastrophe. Basically, you can only
>> export whole file systems with permissions applying to the whole file
>> system, and that practically makes NFS unusable. That means
>>
>
> Then please tell my server that it is not working according to your
> incorrect pre-conceived notions that you got from god knows where (almost
> certainly not actually trying them):
>
> aryeh at server% df -k
> Filesystem 1024-blocks Used Avail Capacity Mounted on
> zroot/ROOT/default 746429772 8341664 738088108 1% /
> devfs 1 1 0 100% /dev
> zroot/var/mail 738088368 260 738088108 0% /var/mail
> zroot 738088196 88 738088108 0% /zroot
> zroot/var/crash 738088196 88 738088108 0% /var/crash
> zroot/usr/home 743229452 5141344 738088108 1% /usr/home
> zroot/var/audit 738088196 88 738088108 0% /var/audit
> zroot/var/tmp 738088196 88 738088108 0% /var/tmp
> zroot/var/log 738089452 1344 738088108 0% /var/log
> zroot/tmp 738095972 7864 738088108 0% /tmp
> zroot/usr/src 739510796 1422688 738088108 0% /usr/src
> zroot/usr/ports 740825596 2737488 738088108 0% /usr/ports
> aryeh at server% cat /etc/exports
> /usr/local/com -maproot=root -network 192.168.11/24
> /usr/home -maproot=root -network 192.168.11/24
> aryeh at server% logout
> Connection to server.lan.fnwe.net closed.
> Desktop at neomarx% df -k
> Filesystem 1024-blocks Used Avail Capacity Mounted on
> /dev/ada1p2 964663364 689635324 197854972 78% /
> devfs 1 1 0 100% /dev
> server:/usr/home 743229392 5141336 738088056 1% /usr/home
> server:/usr/local/com 746429720 8341664 738088056 1% /usr/local/com
>
While it is certainly possible to NFS export and mount subdirectories of
a partition or ZFS, it is also something where there have been a number
of exploits allowing a client machine to break out of the sub-tree
allocated to it and see the contents of the rest of the partition.
I don't think that is a current vulnerability in FreeBSD, but best
practice IMHO is to put your exported directory trees into a different
partition or partitions (ZFSes in this case) than the root of your host
system -- particularly not in the same ZFS as /etc.
Cheers,
Matthew
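
An added example, not part of the original message and not FreeBSD project code: a Python check of the practice described above, run over the server's /etc/exports and the "Mounted on" column of its `df -k` output as quoted earlier in the thread. The function names and the choice of /etc as the sensitive path are this example's own assumptions.

```python
import os

# Server-side data as quoted earlier in this thread: the "Mounted on" column
# of `df -k`, and /etc/exports copied as posted.
MOUNT_POINTS = ["/", "/dev", "/var/mail", "/zroot", "/var/crash", "/usr/home",
                "/var/audit", "/var/tmp", "/var/log", "/tmp", "/usr/src",
                "/usr/ports"]
EXPORTS = """\
/usr/local/com -maproot=root -network 192.168.11/24
/usr/home -maproot=root -network 192.168.11/24
"""


def exported_paths(exports_text):
    """Yield every exported directory from exports(5)-style text."""
    for line in exports_text.splitlines():
        for field in line.split("#", 1)[0].split():
            if not field.startswith("/"):
                break  # options ("-maproot=...") and hosts end the path list
            yield os.path.normpath(field)


def containing_mount(path, mount_points):
    """Return the longest mount point that is a path-prefix of `path`."""
    best = "/"
    for mp in mount_points:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best


def audit(exports_text, mount_points, sensitive="/etc"):
    """Map each export to (its filesystem's mount point, list of findings)."""
    sensitive_fs = containing_mount(sensitive, mount_points)
    report = {}
    for path in exported_paths(exports_text):
        fs = containing_mount(path, mount_points)
        findings = []
        if fs != path:
            findings.append("subdirectory export of " + fs)
        if fs == sensitive_fs:
            findings.append("shares a filesystem with " + sensitive)
        report[path] = (fs, findings)
    return report


if __name__ == "__main__":
    for path, (fs, findings) in audit(EXPORTS, MOUNT_POINTS).items():
        print(path, "on", fs, "->", "; ".join(findings) or "own filesystem")
```

Prefix matching does not follow symlinks; on a live server, comparing `os.stat(path).st_dev` for the export and for /etc answers the same question without parsing `df`.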