Technological advantages over Linux

Aryeh Friedman aryeh.friedman at gmail.com
Fri Jul 24 11:10:29 UTC 2020


On Fri, Jul 24, 2020 at 6:58 AM Matthew Seaman <matthew at freebsd.org> wrote:

> On 24/07/2020 11:17, Aryeh Friedman wrote:
> > On Thu, Jul 23, 2020 at 11:59 PM hw <hw at adminart.net> wrote:
> >
> >>
> >> You can add that NFS in FreeBSD is a catastrophe.  Basically, you can
> >> only export whole file systems with permissions applying to the whole file
> >> system, and that practically makes NFS unusable.  That means
> >
> > Then please tell me server that it is not working according to your
> > incorrect pre-conceived notions that you got from god knows where (almost
> > certainly not actually trying them):
> >
> > aryeh at server% df -k
> > Filesystem         1024-blocks    Used     Avail Capacity  Mounted on
> > zroot/ROOT/default   746429772 8341664 738088108     1%    /
> > devfs                        1       1         0   100%    /dev
> > zroot/var/mail       738088368     260 738088108     0%    /var/mail
> > zroot                738088196      88 738088108     0%    /zroot
> > zroot/var/crash      738088196      88 738088108     0%    /var/crash
> > zroot/usr/home       743229452 5141344 738088108     1%    /usr/home
> > zroot/var/audit      738088196      88 738088108     0%    /var/audit
> > zroot/var/tmp        738088196      88 738088108     0%    /var/tmp
> > zroot/var/log        738089452    1344 738088108     0%    /var/log
> > zroot/tmp            738095972    7864 738088108     0%    /tmp
> > zroot/usr/src        739510796 1422688 738088108     0%    /usr/src
> > zroot/usr/ports      740825596 2737488 738088108     0%    /usr/ports
> > aryeh at server% cat /etc/exports
> > /usr/local/com -maproot=root -network 192.168.11/24
> > /usr/home -maproot=root -network 192.168.11/24
> > aryeh at server% logout
> > Connection to server.lan.fnwe.net closed.
> > Desktop at neomarx% df -k
> > Filesystem            1024-blocks      Used     Avail Capacity  Mounted on
> > /dev/ada1p2             964663364 689635324 197854972    78%    /
> > devfs                           1         1         0   100%    /dev
> > server:/usr/home        743229392   5141336 738088056     1%    /usr/home
> > server:/usr/local/com   746429720   8341664 738088056     1%    /usr/local/com
> >
>
> While it is certainly possible to NFS export and mount subdirectories of
> a partition or ZFS, it is also something where there have been a number
> of exploits allowing a client machine to break out of the sub-tree
> allocated to it and see the contents of the rest of the partition.
>
> I don't think that is a current vulnerability in FreeBSD, but best
> practice IMHO is to put your exported directory trees into a different
> partition or partitions (ZFSes in this case) than the root of your host
> system -- particularly not in the same ZFS as /etc.
>

On an isolated (double NAT'ed and firewalled) LAN that only trusted users
use (my significant other is also a programmer and thus I trust them
completely) it shouldn't matter all that much (except for the truly
paranoid).   Also devel/aegis requires /usr/local/com to be available
universally to any NFS clients that use aegis (and despite being the
maintainer I have not found an "easy" way to allow this to be
configurable), and it has to be in the same logical file system as the
aegis executables (/usr/local/bin).

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
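A defender-side check for Matthew's point above, added here and not part of the thread: it reads an exports file and a list of mount points and flags every exported directory that is not itself a mount point, i.e. one that shares a file system with data it was not meant to expose. The sample data is constructed from the thread's df -k and /etc/exports output plus one hypothetical /usr/src/sys export line; the df -P | awk command for live use is an assumption about the host's tooling.

```shell
#!/bin/sh
# Added example (not from the thread): flag /etc/exports entries that are
# subdirectories of a larger file system rather than file systems of their own.
set -f   # no pathname expansion when we word-split export lines

# Constructed sample data modelled on the thread's df -k and /etc/exports.
SAMPLE_MOUNTS='/
/dev
/var/mail
/usr/home
/usr/src'
SAMPLE_EXPORTS='/usr/local/com -maproot=root -network 192.168.11/24
/usr/home -maproot=root -network 192.168.11/24
# hypothetical extra line: exporting only a subtree of /usr/src
/usr/src/sys -ro -network 192.168.11/24'

# is_mountpoint DIR MOUNTS: succeed only if DIR is exactly a listed mount point
is_mountpoint() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# check_exports EXPORTS MOUNTS: print one verdict per exported directory;
# return 1 if any exported directory is not its own file system.
check_exports() {
    _exports=$1 _mounts=$2 _bad=0
    while IFS= read -r _line; do
        case $_line in ''|\#*) continue ;; esac      # skip blanks and comments
        set -- $_line                                # split the line into fields
        for _dir in "$@"; do
            case $_dir in /*) ;; *) break ;; esac    # options follow the paths
            if is_mountpoint "$_dir" "$_mounts"; then
                printf 'ok      %s\n' "$_dir"
            else
                printf 'SUBDIR  %s (not a separate file system)\n' "$_dir"
                _bad=1
            fi
        done
    done <<EOF
$_exports
EOF
    return $_bad
}

# Run on the sample; on a live host feed it the real data instead:
#   check_exports "$(cat /etc/exports)" "$(df -P | awk 'NR>1 {print $6}')"
if check_exports "$SAMPLE_EXPORTS" "$SAMPLE_MOUNTS"; then
    echo "every export is a separate file system"
else
    echo "review the SUBDIR entries: give each its own ZFS dataset"
fi
```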

