Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp3010386ybh; Mon, 16 Mar 2020 14:03:18 -0700 (PDT) X-Google-Smtp-Source: ADFU+vt4J4Epbc64FIUZDSpqCJCPxd51OvLkk3KSOD3Pmulr6HaUOVWANt0Z+FHhIcLlThsRlR1Z X-Received: by 2002:aca:a882:: with SMTP id r124mr1108705oie.53.1584392598326; Mon, 16 Mar 2020 14:03:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1584392598; cv=none; d=google.com; s=arc-20160816; b=j79RiAlnB1YefIzAqhllXEJFppC7kvrBwb6tp66dsNxgBuyCkd9BO89oTcuv6/xjI9 vinAdsd37w5p2UpuwpE6WDteGjWCEyaMjXV655R/thHJAggf1/+rFNg8yfOjDCJQFGSr qmDMIpRrzJlhKQfYH5FeNXIayPIJimsjOIDAFQW8YIF6KRxEb/XTWmqgaxGQ2aD1s8yM GZ7gXWBvDvbNA0AybIGzhqbWYeWX19vsc4MncilHYUwSnwACis+eV2KXkTjenxiNjcle cJltF0lYYwjmoLYsu2Fn4rI9SD8Wgaiil8zS3Zug4659X9eXX/tCKq2lQGAKrrSjUJH9 /LIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:from:user-agent:content-disposition :mime-version:message-id:subject:cc:to:date; bh=fzf4nJ30ATxnvLRxJ68P0OK29DZ9SL5j+zoupWWN56I=; b=cGMR1NqDkd/kVMh9gfPSDqwxMnWPMe6LUSQevdA8PVySa8SRIjlzAAudZKoDDtZDux Ppwx7YtEJkUzBj9Lj+ewH9nWHHR0usjIM6Xfj+t5TytyVLxXqTsqbjk4C4172/aD7xhe kRj4ZCHHlS67R4SBP8ArTE60IKjlO0ZfFl2/VyoEoxEbNIXNlQzdwFpWKeFwrF5wwwZr jxOctz9OV7D5n35Q5yNFQ8P8SIotih4jYKu0sbfYYPjRNBqhmWc3YnLkj3Kig7H2Qql9 JDo7CZGKTk834Gh89aYA5WJ0XhZ7yPje27v7qcdFLUedD9+HKQJVfs7fgBcUR2LT5Grd xzaw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z16si618175otj.5.2020.03.16.14.02.35; Mon, 16 Mar 2020 14:03:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732632AbgCPVBr (ORCPT + 99 others); Mon, 16 Mar 2020 17:01:47 -0400 Received: from fieldses.org ([173.255.197.46]:54828 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732601AbgCPVBq (ORCPT ); Mon, 16 Mar 2020 17:01:46 -0400 Received: by fieldses.org (Postfix, from userid 2815) id 8C2AC1C7B; Mon, 16 Mar 2020 17:01:46 -0400 (EDT) Date: Mon, 16 Mar 2020 17:01:46 -0400 To: steved@redhat.com Cc: linux-nfs@vger.kernel.org Subject: [PATCH] exports man page: warn about subdirectory exports Message-ID: <20200316210146.GJ6938@fieldses.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) From: bfields@fieldses.org (J. Bruce Fields) Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org From: "J. Bruce Fields" Subdirectory exports have a number of problems which have been poorly documented. Signed-off-by: J. Bruce Fields --- utils/exportfs/exports.man | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index e3a16f6b276a..1d1718494e83 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man @@ -494,6 +494,33 @@ export entry for .B /home/joe in the example section below, which maps all requests to uid 150 (which is supposedly that of user joe). + +.SS Subdirectory Exports + +Normally you should only export only the root of a filesystem. The NFS +server will also allow you to export a subdirectory of a filesystem, +however, this has drawbacks: + +First, it may be possible for a malicious user to access files on the +filesystem outside of the exported subdirectory, by guessing filehandles +for those other files. The only way to prevent this is by using the +.IR no_subtree_check +option, which can cause other problems. + +Second, export options may not be enforced in the way that you would +expect. For example, the +.IR security_label +option will not work on subdirectory exports, and if nested subdirectory +exports change the +.IR security_label +or +.IR sec= +options, NFSv4 clients will normally see only the options on the parent +export. Also, where security options differ, a malicious client may use +filehandle-guessing attacks to access the files from one subdirectory +using the options from another. + + .SS Extra Export Tables After reading .I /etc/exports -- 2.24.1