nfsd spam in /var/log/messages
Rick Macklem
rmacklem at uoguelph.ca
Thu Jul 31 13:12:48 UTC 2014
Russell L. Carter wrote:
>
>
> On 07/29/14 13:48, Rick Macklem wrote:
> > Russell L. Carter:
>
> >
> > The "directories within a file system" exports are only enforced by
> > the Mount protocol that NFSv3 uses to talk to mountd. (NFSv4 does not
> > use the Mount protocol.) These are considered "administrative controls",
> > which is a nice way of saying "they aren't actually enforced by the kernel
> > because there is no easy way to do so, but will discourage trivial attempts
> > to do NFSv3 mounts".
> >
> > Personally, I've never liked these "administrative controls", but others
> > feel they are useful (introduced long long ago by SunOS) and getting rid
> > of them would be considered a POLA violation. (This was one of the reasons
> > why nfse was never adopted as a replacement for mountd.)
> >
> > Various people have tried to clarify this in "man exports". Any patches
> > that improve this will be appreciated. (It just seems to be a difficult
> > thing to explain.)
>
> I performed two more experiments with more than one "V4:" line in
> exports(5) (all zfs sharenfs=on filesystems):
>
> V4: /export/usr
> V4: /export/library
>
> and
>
> V4: /export
> V4: /export2
>
> but mountd complains e.g.: "different V4 dirpath /export/usr"
> (Note that the
>
Well, I think this one is fairly clearly stated in the description
of the "V4:" line, where it says that it must be the same directory
path for all entries.

> So to tighten up just slightly the situation as you have described it:
>
> "There can only be one NFSv4 root filesystem per server, and any client
> host granted NFSv4 access to any subdirectory of that root exported
> filesystem can also mount any other subdirectory of the root exported
> filesystem."
>
> Why not just say this in exports(5)? As I originally observed,
> another way of saying this is that for -sec=sys, no per-host (or
> per-network) access control for the subdirectories of the single
> NFSv4 exported filesystem is possible.
>
Yeh, the one about "mounting any subdir" is hidden in the first
page of "man exports", where it mentions this and how "-alldirs" is
assumed for NFSv4. I think words similar to the above would make it
clearer. I'll post an exports(5) patch soon for review.

> I don't actually think very much is problematical about this
> situation, because w/o krb5 the protocol is insecure (IMHO). I was
> just very curious what the current state of play was, *exactly*.
>
> Anyway, thanks for your patience explaining this stuff to me.
>
> Ok, I think that I can stop gnawing on this bone now...
>
> Best,
> Russell
>
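Added example, not part of the original message and not FreeBSD's mountd code: a small lint over exports(5) text that finds "V4:" lines whose directory path differs from the first one, the condition behind the "different V4 dirpath" complaint quoted above. The sample file, host names and function names are constructed for illustration, and the comment and continuation handling is a simplified assumption about the file syntax.

```python
# Constructed sample in exports(5) syntax; paths and host names are made up.
SAMPLE_EXPORTS = """\
# two V4: lines with different roots, as in the first experiment
V4: /export/usr -sec=sys hostA
V4: /export/library -sec=sys hostB
/export/usr      -maproot=root hostA
/export/library  -ro \\
                 hostB
"""


def logical_lines(text):
    """Yield (first_line_no, text), skipping '#' comment lines and joining
    lines that end in a backslash (simplified handling, an assumption)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf and line.lstrip().startswith("#"):
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()


def v4_roots(text):
    """Return (line_no, dirpath, remaining_fields) for every 'V4:' line."""
    roots = []
    for no, line in logical_lines(text):
        fields = line.split()
        if fields[0] == "V4:" and len(fields) > 1:
            roots.append((no, fields[1], fields[2:]))
    return roots


def conflicting_v4_roots(text):
    """Return (line_no, dirpath) for V4: lines that differ from the first."""
    roots = v4_roots(text)
    first = roots[0][1] if roots else None
    return [(no, path) for no, path, _ in roots[1:] if path != first]


if __name__ == "__main__":
    for no, path in conflicting_v4_roots(SAMPLE_EXPORTS):
        print(f"line {no}: V4 root {path} differs from the first V4: line")
```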