Source-Changes-D archive


Re: CVS commit: src/tests/fs/common



On Fri, Dec 31, 2010 at 07:45:26PM +0000, David Laight wrote:
> [...]
> From what I remember of the NFS protocol, the following 'rules' applied:
> 1) If you export part of a filesystem, you export all of the filesystem.

that's probably true

> 2) If you give anyone access, you give everyone access.
> 3) If you give anyone write access, you give everyone write access.

these 2 are not true for NetBSD I think

> This is all because it is the 'mount' protocol that verifies whether
> a client has access - so a client that disobeys the mount protocol, or
> fakes up valid nfs file handles can avoid the access checks.

This was true for the SunOS 4 nfs implementation (and maybe other
implementations derived from the same base), but for NetBSD, some checks are
done at the nfsd level: the source IP address from the NFS request is
checked against the export list, as well as the R/O status for a write
request (and other things such as the uid root is mapped to).
So if you consider IP addresses are not spoofable in your environment,
IP-based access and write permissions are fine.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
--
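
An added illustration, not part of the message above and not NetBSD's code: a simplified Python model of the per-request check the reply describes, where the source IP of each NFS request is matched against the export list, write requests are refused on read-only exports, and uid root is mapped. The export entries, operation names and result labels are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Export:
    network: ipaddress.IPv4Network  # clients this entry applies to
    read_only: bool                 # R/O status of the export for them
    maproot: int                    # uid that requests from uid 0 map to

# Constructed export list for one exported filesystem (hypothetical values).
EXPORTS = [
    Export(ipaddress.ip_network("192.0.2.0/25"), read_only=False, maproot=65534),
    Export(ipaddress.ip_network("192.0.2.128/25"), read_only=True, maproot=65534),
]

# Operation names used by this model for requests that modify the filesystem.
WRITE_OPS = {"WRITE", "CREATE", "REMOVE", "SETATTR"}

def find_export(src_ip):
    """Return the most specific export entry covering src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    matches = [e for e in EXPORTS if addr in e.network]
    return max(matches, key=lambda e: e.network.prefixlen, default=None)

def check_request(src_ip, op, uid):
    """Decide one request at the nfsd level.

    The file handle is deliberately not an input: holding a valid handle,
    or having gone through the mount protocol, grants nothing here.
    Returns (decision, effective_uid); the labels are this model's own.
    """
    export = find_export(src_ip)
    if export is None:
        return ("denied", None)       # source address not in the export list
    if op in WRITE_OPS and export.read_only:
        return ("read-only", None)    # write request on an R/O export
    effective_uid = export.maproot if uid == 0 else uid
    return ("ok", effective_uid)

if __name__ == "__main__":
    for req in [("192.0.2.10", "WRITE", 0),      # listed, read-write, root
                ("192.0.2.200", "WRITE", 1000),  # listed, read-only
                ("192.0.2.200", "READ", 1000),
                ("198.51.100.7", "READ", 1000)]: # not listed
        print(req, "->", check_request(*req))
```

Because the source address is the only identity input, the model accepts any request carrying a listed address, which is the spoofing condition the reply ends on.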

