Date: Tue, 23 Apr 2024 13:52:16 GMT
Message-Id: <202404231352.43NDqGK7081990@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 21d1f73f886d - stable/14 - exports.5: Clarify that exported dirs should be local mount points
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 21d1f73f886dff0dde314ead91f09526f6e23c08

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=21d1f73f886dff0dde314ead91f09526f6e23c08

commit 21d1f73f886dff0dde314ead91f09526f6e23c08
Author: Mark Johnston
AuthorDate: 2024-04-16 22:25:57 +0000
Commit: Mark Johnston
CommitDate: 2024-04-23 13:51:24 +0000

    exports.5: Clarify that exported dirs should be local mount points

    If not, then in general the entire filesystem containing the exported
    directory is accessible. This may be surprising, so try to make it
    more clear.

    Reviewed by: rmacklem, emaste
    MFC after: 1 week
    Differential Revision: https://reviews.freebsd.org/D44614

    (cherry picked from commit 9d975e47d5a3638d4f575b2cf97e07bf22b53c7e)
---
 usr.sbin/mountd/exports.5 | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/usr.sbin/mountd/exports.5 b/usr.sbin/mountd/exports.5 index aa249c1a882b..6e5429886bd0 100644 --- a/usr.sbin/mountd/exports.5 +++ b/usr.sbin/mountd/exports.5 @@ -27,7 +27,7 @@ .\" .\" @(#)exports.5 8.3 (Berkeley) 3/29/95 .\" -.Dd April 7, 2024 +.Dd April 16, 2024 .Dt EXPORTS 5 .Os .Sh NAME 
@@ -57,8 +57,8 @@ file system or the NFSv4 tree root for one or more hosts. A long line may be split over several lines by ending all but the last line with a backslash .Pq Ql \e . -A host may be specified only once for each local file or the NFSv4 tree root on the -server and there may be only one default entry for each server +A host may be specified only once for each local file system or the NFSv4 tree +root on the server and there may be only one default entry for each server file system that applies to all other hosts. The latter exports the file system to the .Dq world @@ -68,7 +68,26 @@ be used only when the file system contains public information. In a mount entry, the first field(s) specify the directory path(s) within a server file system that can be mounted on by the corresponding client(s). -There are three forms of this specification. +Note well that exporting a directory on the server does not guarantee that only +files below the exported directory will be accessible. +This is true even in the absence of the +.Fl alldirs +flag. +To provide this guarantee, the exported directories must be local file system +mount points on the server. +For example, if one exports +.Pa /home , +and +.Pa /home +is not a file system mount point, then clients will be able to access arbitrary +files on the root file system. +As such, to avoid confusion with respect to what is exported, it may be prudent +to limit exported directories to server local file system mount points. +When exporting ZFS datasets with the +.Sy sharenfs +property, this is auomatically the case. +.Pp +There are three forms of the directory path specification. The first is to list all mount points as absolute directory paths separated by whitespace. This list of directory paths should be considered an @@ -599,6 +618,7 @@ afterwards, whereas NFSv3 rejects the mount request. .Xr strunvis 3 , .Xr nfsv4 4 , .Xr netgroup 5 , +.Xr zfsprops 7 , .Xr mountd 8 , .Xr nfsd 8 , .Xr rpc.tlsservd 8 ,
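Review bot: In the @@ -68,7 +68,26 @@ hunk, the last added sentence misspells "automatically" as "auomatically" ("property, this is auomatically the case."), and the typo will appear in the rendered page. In the same paragraph, "it may be prudent to limit exported directories to server local file system mount points" reads as optional advice right after the text says the exported directories "must be local file system mount points" to get the guarantee; consider wording the recommendation as firmly as the requirement, so an administrator does not take it as a style preference.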
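Review bot: The .Xr zfsprops 7 entry added to SEE ALSO in the @@ -599,6 +618,7 @@ hunk is not cited where the page introduces the sharenfs property, so a reader of that sentence has no pointer to where the property is documented. Consider adding an in-text .Xr zfsprops 7 next to the .Sy sharenfs line in the new paragraph. The position of the new entry in the list (section 7, between netgroup 5 and mountd 8) looks right.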