Re: nfsv4 export and foot shooting

From: mike tancsa <mike_at_sentex.net>
Date: Wed, 16 Mar 2022 15:19:25 UTC
OK, I *think* I see what might be going on and not sure if more 
documentation is needed in the man page to flag this or this is very 
much the way it's supposed to work.

My UFS server in the example below, has just one file system mounted. So 
in this case,
/dev/gpt/rootfs   /       ufs rw      1       1

On another server, which is ZFS based, I can have an exports file that 
is "safe" as so
V4: /
/nano-images   -network 192.168.0.0/24
/usr/src   -ro -network 192.168.0.0/24


This is safe as each of those export lines is a mount point on its own.

So if I have an exports file consisting of

V4: /
/nano-images   -network 192.168.0.0/24
/usr/src   -ro -network 192.168.0.0/24

things work as expected from a client POV.  The client in 192.168.0.0/24 
can mount /usr/src and /nano-images, but NOT mount / and see data.
but if I add
/usr/obj -ro   -network 192.168.0.0/24
which is just a subdirectory of /, a client in /usr/obj is able to mount 
/ with nfsv4

My guess is it's supposed to work this way, but is there a way to prevent it 
from working that way?

     ---Mike
On 3/16/2022 10:37 AM, mike tancsa wrote:
> I am trying to get my head around the nfsv4 way of thinking about the 
> exports format and can't quite see what the best way to do it is.  I 
> have a build server where I build world and packages daily. Ideally, 
> on a client machine, I would like to mount /usr/src and /usr/obj 
> read-only so I can install world from there.
>
> For nfsv4, the export line says I need to specify the root directory 
> first. But I don't want to export all of /
>
> Is there no way to just export /usr/src and /usr/obj and nothing above 
> it?
>
> It seems if I just have
>
> V4:/
> /usr/src /usr/obj -ro -network 192.168.0.0/16
>
> 192.168.0.0/16 is able to mount / from the server which is not what I 
> want
>
> If I put V4:/usr it will work, but then 192.168.0.0/16 can still 
> access /usr/bin etc on the server.
>
> having an export file with JUST
>
> V4: /
>
> sort of makes sense in that no one can mount anything
>
> but progressing to
>
> V4:/
> /usr/src /usr/obj -ro -network 192.168.0.0/16
>
> means that 192.168.0.0/16 can mount /usr/src and /usr/obj, but also / 
> which seems counterintuitive.
>
> The server's rc.conf is just
>
>
> nfsv4_server_enable="YES"       # Enable support for NFSv4
> nfsv4_server_only="YES"
> nfs_server_enable="YES"
>
> This is 13.1-STABLE. The server is UFS.
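The behaviour described in this thread (an export line for a subdirectory exposes the whole server file system that contains it, so /usr/obj on a single-UFS server exposes /) is easy to miss when reading /etc/exports by eye. The following POSIX sh script is an added example, not code from the thread or from FreeBSD: it compares each exported directory against a mount table and warns whenever the directory is not itself a mount point. The mount tables and the exports content are constructed inline to mirror the two servers discussed above; on a real server you would feed it the actual exports file and the mount points reported by mount(8).

```shell
#!/bin/sh
# Added example, not code from the thread: flag exports(5) entries whose
# directory is not itself a mount point. An NFS export covers the whole
# server file system that contains the named directory, so such entries
# expose more than the path they name (e.g. /usr/obj on a single-UFS
# server exposes /). Mount tables and exports content below are constructed.

# Constructed mount tables: the UFS server with a single / file system, and
# a ZFS server where /nano-images and /usr/src are separate datasets.
UFS_MOUNTS='/'
ZFS_MOUNTS='/
/nano-images
/usr/src'

# Constructed exports file, modelled on the thread's second example plus
# the /usr/obj line that widened the export.
EXPORTS='V4: /
/nano-images   -network 192.168.0.0/24
/usr/src   -ro -network 192.168.0.0/24
/usr/obj -ro   -network 192.168.0.0/24'

# containing_mount PATH MOUNTS: print the longest mount point in MOUNTS that
# is a prefix of PATH, i.e. the file system an export of PATH really covers.
containing_mount() {
    path=$1
    best=''
    for m in $2; do
        if [ "$m" = / ]; then
            match=1                 # every absolute path lives under /
        else
            case "$path" in
                "$m"|"$m"/*) match=1 ;;
                *)           match=0 ;;
            esac
        fi
        if [ "$match" -eq 1 ] && [ ${#m} -gt ${#best} ]; then
            best=$m
        fi
    done
    printf '%s\n' "$best"
}

# check_exports MOUNTS: warn about each exported directory that is not a
# mount point in MOUNTS; the return value is the number of such entries.
check_exports() {
    wide=0
    while IFS= read -r line; do
        # Skip blanks, comments and the V4: root line; directories come
        # first on an export line, options start with '-'.
        case "$line" in ''|'#'*|'V4:'*) continue ;; esac
        for word in $line; do
            case "$word" in -*) break ;; esac
            fs=$(containing_mount "$word" "$1")
            if [ "$word" != "$fs" ]; then
                printf 'WARNING: %s is not a mount point; the whole file system at %s is exported\n' "$word" "$fs"
                wide=$((wide + 1))
            fi
        done
    done <<EOF
$EXPORTS
EOF
    return "$wide"
}

echo "== UFS server (one file system) =="
check_exports "$UFS_MOUNTS" || echo "$? export(s) wider than the path named"
echo "== ZFS server (per-dataset mounts) =="
check_exports "$ZFS_MOUNTS" || echo "$? export(s) wider than the path named"
```

Against the ZFS-style table only /usr/obj is flagged, because /nano-images and /usr/src are mount points of their own; against the single-UFS table all three lines are flagged, which is the situation in the original mail where a client could mount / despite only /usr/src and /usr/obj being listed. The fix the thread already points at is the same one the check encourages: put each exported tree on its own file system (a separate ZFS dataset or UFS partition) so the export line and the file system boundary coincide.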