|
|
051f35 |
From ca1eb318807f5b81279c9ca97a62cccf7a5ea4f2 Mon Sep 17 00:00:00 2001
|
|
|
051f35 |
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
|
|
|
051f35 |
Date: Mon, 20 Apr 2020 10:49:46 +0200
|
|
|
051f35 |
Subject: [PATCH] exports.5: warn about subdirectory exports
|
|
|
051f35 |
|
|
|
051f35 |
---
|
|
|
051f35 |
nfs-utils/man5/exports.5 | 27 +++++++++++++++++++++++++++
|
|
|
051f35 |
1 file changed, 27 insertions(+)
|
|
|
051f35 |
|
|
|
051f35 |
diff --git a/nfs-utils/man5/exports.5 b/nfs-utils/man5/exports.5
|
|
|
051f35 |
index 4f95f3a..2ce46d9 100644
|
|
|
051f35 |
--- a/nfs-utils/man5/exports.5
|
|
|
051f35 |
+++ b/nfs-utils/man5/exports.5
|
|
|
051f35 |
@@ -492,6 +492,33 @@ export entry for
|
|
|
051f35 |
.B /home/joe
|
|
|
051f35 |
in the example section below, which maps all requests to uid 150 (which
|
|
|
051f35 |
is supposedly that of user joe).
|
|
|
051f35 |
+
|
|
|
051f35 |
+.SS Subdirectory Exports
|
|
|
051f35 |
+
|
|
|
051f35 |
+Normally you should only export only the root of a filesystem. The NFS
|
|
|
051f35 |
+server will also allow you to export a subdirectory of a filesystem,
|
|
|
051f35 |
+however, this has drawbacks:
|
|
|
051f35 |
+
|
|
|
051f35 |
+First, it may be possible for a malicious user to access files on the
|
|
|
051f35 |
+filesystem outside of the exported subdirectory, by guessing filehandles
|
|
|
051f35 |
+for those other files. The only way to prevent this is by using the
|
|
|
051f35 |
+.IR no_subtree_check
|
|
|
051f35 |
+option, which can cause other problems.
|
|
|
051f35 |
+
|
|
|
051f35 |
+Second, export options may not be enforced in the way that you would
|
|
|
051f35 |
+expect. For example, the
|
|
|
051f35 |
+.IR security_label
|
|
|
051f35 |
+option will not work on subdirectory exports, and if nested subdirectory
|
|
|
051f35 |
+exports change the
|
|
|
051f35 |
+.IR security_label
|
|
|
051f35 |
+or
|
|
|
051f35 |
+.IR sec=
|
|
|
051f35 |
+options, NFSv4 clients will normally see only the options on the parent
|
|
|
051f35 |
+export. Also, where security options differ, a malicious client may use
|
|
|
051f35 |
+filehandle-guessing attacks to access the files from one subdirectory
|
|
|
051f35 |
+using the options from another.
|
|
|
051f35 |
+
|
|
|
051f35 |
+
|
|
|
051f35 |
.SS Extra Export Tables
|
|
|
051f35 |
After reading
|
|
|
051f35 |
.I /etc/exports
|
|
|
051f35 |
--
|
|
|
051f35 |
2.26.0
|
|
|
051f35 |
|