Technological advantages over Linux

Matthew Seaman matthew at FreeBSD.org
Fri Jul 24 10:57:56 UTC 2020


On 24/07/2020 11:17, Aryeh Friedman wrote:
> On Thu, Jul 23, 2020 at 11:59 PM hw <hw at adminart.net> wrote:
> 
>>
>> You can add that NFS in FreeBSD is a catastrophe.  Basically, you can only
>> export whole file systems with permissions applying to the whole file
>> system, and that practically makes NFS unusable.  That means
>>
> 
> Then please tell my server that it is not working according to your
> incorrect pre-conceived notions that you got from god knows where (almost
> certainly not actually trying them):
> 
> aryeh at server% df -k
> Filesystem         1024-blocks    Used     Avail Capacity  Mounted on
> zroot/ROOT/default   746429772 8341664 738088108     1%    /
> devfs                        1       1         0   100%    /dev
> zroot/var/mail       738088368     260 738088108     0%    /var/mail
> zroot                738088196      88 738088108     0%    /zroot
> zroot/var/crash      738088196      88 738088108     0%    /var/crash
> zroot/usr/home       743229452 5141344 738088108     1%    /usr/home
> zroot/var/audit      738088196      88 738088108     0%    /var/audit
> zroot/var/tmp        738088196      88 738088108     0%    /var/tmp
> zroot/var/log        738089452    1344 738088108     0%    /var/log
> zroot/tmp            738095972    7864 738088108     0%    /tmp
> zroot/usr/src        739510796 1422688 738088108     0%    /usr/src
> zroot/usr/ports      740825596 2737488 738088108     0%    /usr/ports
> aryeh at server% cat /etc/exports
> /usr/local/com -maproot=root -network 192.168.11/24
> /usr/home -maproot=root -network 192.168.11/24
> aryeh at server% logout
> Connection to server.lan.fnwe.net closed.
> Desktop at neomarx% df -k
> Filesystem            1024-blocks      Used     Avail Capacity  Mounted on
> /dev/ada1p2             964663364 689635324 197854972    78%    /
> devfs                           1         1         0   100%    /dev
> server:/usr/home        743229392   5141336 738088056     1%    /usr/home
> server:/usr/local/com   746429720   8341664 738088056     1%    /usr/local/com
> 

While it is certainly possible to NFS export and mount subdirectories of
a partition or ZFS, it is also something where there have been a number
of exploits allowing a client machine to break out of the sub-tree
allocated to it and see the contents of the rest of the partition.

I don't think that is a current vulnerability in FreeBSD, but best
practice IMHO is to put your exported directory trees into a different
partition or partitions (ZFSes in this case) than the root of your host
system -- particularly not in the same ZFS as /etc.

	Cheers,

	Matthew
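
One way to check an exports file against the advice above, as an added example that is not part of the original message: it maps each exported directory to the filesystem containing it and flags exports that share a filesystem with /etc or that are a subdirectory of a filesystem rather than its mount point. The sample data is constructed from the `df -k` and `/etc/exports` output quoted in the thread; the function name `audit_exports` and the verdict labels are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Sample data constructed from the
# quoted df -k and /etc/exports output: "<dataset> <mountpoint>" per line.
SAMPLE_MOUNTS='zroot/ROOT/default /
zroot/usr/home /usr/home
zroot/var/log /var/log
zroot/tmp /tmp'

SAMPLE_EXPORTS='/usr/local/com -maproot=root -network 192.168.11/24
/usr/home -maproot=root -network 192.168.11/24'

# audit_exports EXPORTS_TEXT MOUNTS_TEXT
# Prints "<exported path> <containing filesystem> <verdict>" per export.
audit_exports() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
    # Return the longest mount point that is a path prefix of p.
    function fs_of(p,    m, best, pre) {
        best = ""
        for (m in mnt) {
            pre = (m == "/") ? "/" : m "/"
            if (index(p "/", pre) == 1 && length(m) > length(best))
                best = m
        }
        return best
    }
    $0 == "---"      { in_exports = 1; next }   # separator between inputs
    !in_exports      { mnt[$2] = $1; next }     # mount table: dataset, path
    /^#/ || NF == 0  { next }                   # skip comments and blanks
    {
        etc_fs = fs_of("/etc")
        # An exports line lists one or more directories before its options.
        for (i = 1; i <= NF && $i ~ /^\//; i++) {
            mp = fs_of($i)
            if (mp == etc_fs)   verdict = "SHARES_FS_WITH_ETC"
            else if (mp != $i)  verdict = "SUBDIR_OF_FS"
            else                verdict = "OK"
            print $i, mnt[mp], verdict
        }
    }'
}

audit_exports "$SAMPLE_EXPORTS" "$SAMPLE_MOUNTS"
```

On the quoted server this reports /usr/local/com as living on zroot/ROOT/default, the same ZFS as /etc, while /usr/home is its own dataset.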
