2005-03-13 19:37:35

by Lever, Charles

Subject: NFS FAQ updates

i'd like to add two new questions, and update one. please review:

When my application uses memory-mapped NFS files, it breaks. Why?
http://nfs.sourceforge.net/index.cel.php#faq_a9

Why should I disable subtree checking on my NFS server exports?
http://nfs.sourceforge.net/index.cel.php#faq_c7

How come lock recovery doesn't work for me?
http://nfs.sourceforge.net/index.cel.php#faq_d7

- Chuck Lever
--
corporate: <cel at netapp dot com>
personal: <chucklever at bigfoot dot com>


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs


2005-03-13 20:05:17

by J. Bruce Fields

Subject: Re: NFS FAQ updates

On Sun, Mar 13, 2005 at 11:37:26AM -0800, Lever, Charles wrote:
> Why should I disable subtree checking on my NFS server exports?
> http://nfs.sourceforge.net/index.cel.php#faq_c7

Kerberos doesn't solve exactly the problem that subtree checking
attempts to solve. My attempt at a concise way of putting this (maybe you
can think of a better way):

Use Kerberos and/or NFSv4 when they become available: it may
still be possible for a user of NFS over Kerberos to
access files outside of the exported subtree. However,
it should not be possible for them to fake their identity,
so they should not be able to read files that they do
not have permissions to.

--b.



2005-03-14 17:48:16

by Lever, Charles

Subject: RE: NFS FAQ updates

thanks for your comments, guys. i've simplified C7 a bit, see if it
helps:

http://nfs.sourceforge.net/index.cel.php#faq_c7


> -----Original Message-----
> From: J. Bruce Fields [mailto:[email protected]]
> Sent: Sunday, March 13, 2005 5:45 PM
> To: Trond Myklebust
> Cc: Lever, Charles; [email protected]
> Subject: Re: [NFS] NFS FAQ updates
>
>
> On Sun, Mar 13, 2005 at 05:10:11PM -0500, Trond Myklebust wrote:
> > The subtree_check option attempts to decide whether or not a file lies
> > within an exported subtree. If you turn it off, then people can
> > theoretically try to guess filehandles and gain access to the files
> > (assuming the access permissions on the file itself allow that).
>
> I wouldn't put too much emphasis on that "theoretically". The root
> directory on all my ext2/3 filesystems has inode number 2, and as far as
> I can tell guessing the rest of the filehandle just comes
> down to guessing the root device, which on my machines is always
> /dev/hdaN for some very small N. Add a few more for people with scsi
> and so on, and I bet you could cover most linux NFS servers with a dozen
> guesses. Now just lookup and readdir down to wherever you want. Am I
> missing anything here?
>
> If the administrator tightened down directory permissions a bit, you'll
> be forced to guess filehandles for objects deeper in the filesystem,
> which may be a little harder. I wouldn't count on it.
>
> --b.
>



2005-03-14 18:09:06

by J. Bruce Fields

Subject: Re: NFS FAQ updates

On Mon, Mar 14, 2005 at 09:48:05AM -0800, Lever, Charles wrote:
> thanks for your comments, guys. i've simplified C7 a bit, see if it
> helps:
>
> http://nfs.sourceforge.net/index.cel.php#faq_c7

I found it a little difficult to understand what you meant by "files
sensitive to access by root" on my first reading:

"If you are still concerned about the minor security
implications described above, export only whole file systems if
the file system contains files sensitive to access by root (such
as setuid binaries)."

And I wouldn't downplay the security concern quite so much. How about
just this?:

"If you need to be certain that clients cannot access files
outside the exported part of a filesystem, set up the partitions
on your server so that you need only export whole filesystems."

A related complaint: the word "filesystem" has a lot of different
meanings. I'm not sure if I'd be able to tell from this answer exactly
which boundaries I could count on being respected by nfsd with subtree
checking turned off. I think "partition" would convey something more
concrete to most administrators. Would it be inaccurate to replace
"filesystem" by "partition" everywhere in this answer?

--b.
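The suggestion above is to lay out partitions so that only whole filesystems are exported, because with subtree checking off a filehandle is valid anywhere on the same filesystem, not just under the exported directory. As an added example (not code from this thread, the NFS FAQ or nfs-utils), the script below parses exports-format text and reports every export whose path is not itself a mount point, i.e. a partial export where subtree_check is the only thing confining clients to the exported directory. The exports text and the mount-point set are constructed samples; a real audit would feed it /etc/exports and the mount points from /proc/mounts, which this version deliberately does not read so that it runs offline.

```python
"""Audit exports(5)-style text for partial (sub-filesystem) exports.

Added example, not code from the NFS FAQ or nfs-utils.  Both inputs below
are constructed for illustration; quoted paths containing spaces, which
exports(5) allows, are not handled here.
"""

import os
import re

# Constructed sample exports file.
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/srv/nfs          192.0.2.0/24(rw,sync,no_subtree_check)
/srv/nfs/home     192.0.2.0/24(rw,sync,no_subtree_check)
/srv/nfs/pub      *(ro,subtree_check)
/export/data      192.0.2.10(rw,no_subtree_check) 192.0.2.11(ro,subtree_check)
"""

# Constructed sample mount table (what /proc/mounts would list on the server).
SAMPLE_MOUNTPOINTS = {"/", "/srv/nfs", "/export", "/boot"}

# client spec, optionally followed by a parenthesised option list
CLIENT_TOKEN = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Return a list of (path, client, options) for every client entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        for token in clients:
            m = CLIENT_TOKEN.fullmatch(token)
            if m is None:                         # malformed token, skip it
                continue
            client = m.group(1) or "*"            # "(ro)" alone means everyone
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            entries.append((path, client, opts))
    return entries


def containing_mount(path, mountpoints):
    """Longest mount point that is a prefix of path (the filesystem it lives on)."""
    p = os.path.normpath(path)
    best = "/"
    for mp in mountpoints:
        mp_n = os.path.normpath(mp)
        if p == mp_n or p.startswith(mp_n.rstrip("/") + "/"):
            if len(mp_n) > len(best):
                best = mp_n
    return best


def audit_exports(text, mountpoints):
    """Flag exports that are subdirectories of a filesystem rather than a whole one.

    checked=True means subtree_check is explicitly on for that client, so the
    server verifies each filehandle lies under the export.  Anything else is
    reported as unchecked; absence of the option is treated conservatively,
    since the effective default depends on the nfs-utils version in use.
    """
    findings = []
    for path, client, opts in parse_exports(text):
        fs = containing_mount(path, mountpoints)
        if os.path.normpath(path) == fs:
            continue                              # whole filesystem: nothing to flag
        findings.append({
            "path": path,
            "client": client,
            "filesystem": fs,
            "checked": "subtree_check" in opts,
        })
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS, SAMPLE_MOUNTPOINTS):
        state = "subtree_check on" if f["checked"] else "UNCHECKED"
        print(f"{f['path']} -> {f['client']}: partial export of "
              f"{f['filesystem']} ({state})")
```

On the sample, /srv/nfs is skipped because it is a mount point; the other three paths are reported once per client entry, and the two entries carrying no_subtree_check are the ones that the advice in this thread says should be turned into whole-filesystem exports.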



2005-03-14 18:19:19

by Lever, Charles

Subject: RE: NFS FAQ updates

> I found it a little difficult to understand what you meant by "files
> sensitive to access by root" on my first reading:
>
> "If you are still concerned about the minor security
> implications described above, export only whole file systems if
> the file system contains files sensitive to access by root (such
> as setuid binaries)."
>
> And I wouldn't downplay the security concern quite so much. How about
> just this?:
>
> "If you need to be certain that clients cannot access files
> outside the exported part of a filesystem, set up the partitions
> on your server so that you need only export whole filesystems."

ok.

> A related complaint: the word "filesystem" has a lot of different
> meanings. I'm not sure if I'd be able to tell from this answer exactly
> which boundaries I could count on being respected by nfsd with subtree
> checking turned off. I think "partition" would convey something more
> concrete to most administrators. Would it be inaccurate to replace
> "filesystem" by "partition" everywhere in this answer?

problem is, i got a lot of this text straight from the man page. :^(

i will see what can be done.

