[1745] in bugtraq
Re: and now, back to your regularly scheduled discussion topic...
daemon@ATHENA.MIT.EDU (C. Harald Koch)
Tue May 9 15:17:14 1995
To: patrick@oes.amdahl.com (Patrick Horgan)
From: "C. Harald Koch" <chk@utcc.utoronto.ca>
Cc: fc@all.net, mcn@EnGarde.com, rthomas@pamd.cig.mot.com, bugtraq@fc.net
In-Reply-To: patrick's message of "Mon, 08 May 1995 00:09:12 -0400".
<9505081909.AA21004@brittany.oes.amdahl.com>
Date: Tue, 9 May 1995 11:41:15 -0400
> > ObBug: i have recently discovered that it is possible to re-export an
> > imported filesystem under Linux. to illustrate:
> >
> > hostA --> exports /usr/share to -access=hostB
> > hostB --> a linux box. re-exports /usr/share to everyone
> > hostC --> not implicitly trusted by hostA, mounts /usr/share
> >
> > aside from any security concerns, this would certainly thrash your nfsd's.
> > does anyone have any experience with this? i have only recently discovered
> > this, and have not had time to peruse it in depth.
>
> Are you sure about this? Any system using nfs will allow this, but the
> directory they mount from hostB is the mount directory, not the /usr/share
> form hostA.
Most UNIX implementations have the NFS server in the kernel. With these
implementations, you usually export filesystems (as understood by the
kernel), and clients cannot cross filesystem boundaries when querying the
server.
the Linux NFSD is a user-space NFS server. It doesn't have magic hooks into
the kernel; it accesses the filesystem the same way ordinary users do. As a
result, it has *no idea* what a filesystem is; it exports "directory trees"
instead.
The advantage is that exporting an entire fileserver is trivial; the
disadvantage is that exporting an entire fileserver is trivial...
[ SGI, and some others, have an option that allows the kernel NFS
implementation to export directory hierarchies instead of filesystems, so
this is nothing new. That it's the default, and only, configuration on Linux
is new... ]
--
C. Harald Koch | University of Toronto Computing & Communications
harald@canet.ca | Network & Operations Services
+1 416 978 0992 (voice) | External Network Facilities Managment
+1 416 978 6620 (fax) | 4 Bancroft Ave., Rm 101, Toronto, ON M5S 1C1