Technological advantages over Linux
Aryeh Friedman
aryeh.friedman at gmail.com
Fri Jul 24 11:10:29 UTC 2020
On Fri, Jul 24, 2020 at 6:58 AM Matthew Seaman <matthew at freebsd.org> wrote:
> On 24/07/2020 11:17, Aryeh Friedman wrote:
> > On Thu, Jul 23, 2020 at 11:59 PM hw <hw at adminart.net> wrote:
> >
> >>
> >> You can add that NFS in FreeBSD is a catastrophe. Basically, you can only
> >> export whole file systems with permissions applying to the whole file
> >> system, and that practically makes NFS unusable. That means
> >>
> >
> > Then please tell my server that it is not working according to your
> > incorrect pre-conceived notions that you got from god knows where (almost
> > certainly not actually trying them):
> >
> > aryeh at server% df -k
> > Filesystem         1024-blocks    Used     Avail Capacity  Mounted on
> > zroot/ROOT/default   746429772 8341664 738088108     1%    /
> > devfs                        1       1         0   100%    /dev
> > zroot/var/mail       738088368     260 738088108     0%    /var/mail
> > zroot                738088196      88 738088108     0%    /zroot
> > zroot/var/crash      738088196      88 738088108     0%    /var/crash
> > zroot/usr/home       743229452 5141344 738088108     1%    /usr/home
> > zroot/var/audit      738088196      88 738088108     0%    /var/audit
> > zroot/var/tmp        738088196      88 738088108     0%    /var/tmp
> > zroot/var/log        738089452    1344 738088108     0%    /var/log
> > zroot/tmp            738095972    7864 738088108     0%    /tmp
> > zroot/usr/src        739510796 1422688 738088108     0%    /usr/src
> > zroot/usr/ports      740825596 2737488 738088108     0%    /usr/ports
> > aryeh at server% cat /etc/exports
> > /usr/local/com -maproot=root -network 192.168.11/24
> > /usr/home -maproot=root -network 192.168.11/24
> > aryeh at server% logout
> > Connection to server.lan.fnwe.net closed.
> > Desktop at neomarx% df -k
> > Filesystem            1024-blocks      Used     Avail Capacity  Mounted on
> > /dev/ada1p2             964663364 689635324 197854972    78%    /
> > devfs                           1         1         0   100%    /dev
> > server:/usr/home        743229392   5141336 738088056     1%    /usr/home
> > server:/usr/local/com   746429720   8341664 738088056     1%    /usr/local/com
> >
>
> While it is certainly possible to NFS export and mount subdirectories of
> a partition or ZFS, it is also something where there have been a number
> of exploits allowing a client machine to break out of the sub-tree
> allocated to it and see the contents of the rest of the partition.
>
> I don't think that is a current vulnerability in FreeBSD, but best
> practice IMHO is to put your exported directory trees into a different
> partition or partitions (ZFSes in this case) than the root of your host
> system -- particularly not in the same ZFS as /etc.
>
On an isolated (double NAT'ed and firewalled) LAN that only trusted users
use (my significant other is also a programmer and thus I trust them
completely) it shouldn't matter all that much (except for the truly
paranoid). Also devel/aegis requires /usr/local/com to be available
universally to any NFS clients that use aegis (and despite being the
maintainer I have not found an "easy" way to allow this to be
configurable), and it has to be in the same logical file system as the
aegis executables (/usr/local/bin).
--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
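Matthew Seaman's point above reduces to a check that can be scripted: an export whose directory is not itself a mount point is a subtree of a larger filesystem, and when that larger filesystem is the root dataset the export shares a filesystem with /etc. The Python below is an added example and is not code from anyone in this thread or from the FreeBSD project. It parses the df -k and /etc/exports text quoted above (copied into constructed strings, with df trimmed to a subset of the datasets) and reports such exports; it also flags the -maproot=root setting used on both lines, which maps a client's root to the server's root on that export (the exports(5) default maps it to the unprivileged uid -2) and so widens whatever a subtree breakout would reach. The containment heuristic (longest mount-point prefix) and the finding names are this example's own.

```python
"""Lint exports(5) entries against the mount table.

Flags exports that are subtrees of a larger filesystem and exports that map
client root to server root.  Added example, not FreeBSD or list-member code.
"""
import os

# Constructed input: a subset of the server's `df -k` output quoted in the thread.
DF_K = """\
Filesystem         1024-blocks    Used     Avail Capacity  Mounted on
zroot/ROOT/default   746429772 8341664 738088108     1%    /
devfs                        1       1         0   100%    /dev
zroot/var/mail       738088368     260 738088108     0%    /var/mail
zroot/usr/home       743229452 5141344 738088108     1%    /usr/home
zroot/usr/src        739510796 1422688 738088108     0%    /usr/src
zroot/usr/ports      740825596 2737488 738088108     0%    /usr/ports
"""

# Constructed input: the /etc/exports quoted in the thread.
EXPORTS = """\
/usr/local/com -maproot=root -network 192.168.11/24
/usr/home -maproot=root -network 192.168.11/24
"""


def parse_df(text):
    """Map mount point -> filesystem from `df -k` output (header line skipped)."""
    mounts = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6:
            mounts[fields[-1]] = fields[0]
    return mounts


def parse_exports(text):
    """Yield (directories, options) per exports(5) line.

    Leading tokens are the exported directories; tokens starting with '-' are
    options.  Option arguments (the network after -network, etc.) and host
    names are not needed for these checks and are ignored.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        dirs = []
        for tok in tokens:
            if tok.startswith("-"):
                break
            dirs.append(tok)
        opts = [tok for tok in tokens if tok.startswith("-")]
        yield dirs, opts


def containing_mount(path, mounts):
    """Longest mount point that is `path` itself or an ancestor of it (heuristic)."""
    path = os.path.normpath(path)
    best = "/"
    for mp in mounts:
        mp = os.path.normpath(mp)
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) > len(best):
            best = mp
    return best


def lint_exports(exports_text, df_text):
    """Return a list of (directory, finding, message) tuples."""
    mounts = parse_df(df_text)
    findings = []
    for dirs, opts in parse_exports(exports_text):
        # -maproot=root or -maproot=0 (optionally with :group) maps client root to uid 0.
        maps_root = any(
            o.startswith("-maproot=") and o.split("=", 1)[1].split(":")[0] in ("root", "0")
            for o in opts
        )
        for d in dirs:
            mp = containing_mount(d, mounts)
            if mp != os.path.normpath(d):
                where = "the root filesystem, alongside /etc" if mp == "/" else mp
                findings.append((d, "subtree",
                                 f"{d} is a subtree of {where} ({mounts.get(mp, '?')}); "
                                 "give it its own dataset and export that"))
            if maps_root:
                findings.append((d, "maproot-root",
                                 f"{d} maps client root to server root; leaving -maproot "
                                 "unset maps it to uid -2 instead"))
    return findings


if __name__ == "__main__":
    for _, kind, msg in lint_exports(EXPORTS, DF_K):
        print(f"{kind:13} {msg}")
```

Run against the thread's own configuration it reports /usr/local/com as a subtree of zroot/ROOT/default (the dataset that also holds /etc) while /usr/home, which is its own dataset, passes that check; both lines get the maproot finding. Feed it real output with `df -k` and `/etc/exports` read from the server to lint a live host.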
More information about the freebsd-questions mailing list