From: "Frank Filz" <ffilzlnx@mindspring.com>
To: "'Cedric Blancher'" <cedric.blancher@gmail.com>,
	"'Trond Myklebust'" <trondmy@hammerspace.com>
Cc: <jlayton@kernel.org>, <dan.f.shelton@gmail.com>, <tom@talpey.com>,
	<linux-nfs@vger.kernel.org>
Subject: RE: Public NFSv4 handle?
Date: Thu, 15 Feb 2024 09:25:56 -0800
Message-ID: <013f01da6034$0995a960$1cc0fc20$@mindspring.com>
In-Reply-To: <CALXu0UfuKEa8u-dz9aG8K--ULBe2yaZoYbEoR3Tyr2NG6a1_Rw@mail.gmail.com>

> From: Cedric Blancher [mailto:cedric.blancher@gmail.com]
> On Tue, 13 Feb 2024 at 21:59, Trond Myklebust <trondmy@hammerspace.com>
> wrote:
> >
> > On Tue, 2024-02-13 at 21:28 +0100, Dan Shelton wrote:
> > >
> > > On Fri, 9 Feb 2024 at 16:32, Jeff Layton <jlayton@kernel.org> wrote:
> > > >
> > > > On Thu, 2024-02-08 at 21:37 -0500, Tom Talpey wrote:
> > > > > On 2/8/2024 7:19 PM, Dan Shelton wrote:
> > > > > > ?
> > > > > >
> > > > > > On Thu, 25 Jan 2024 at 02:48, Dan Shelton
> > > > > > <dan.f.shelton@gmail.com> wrote:
> > > > > > >
> > > > > > > Hello!
> > > > > > >
> > > > > > > Do the Linux NFSv4 server and client support the NFS public
> > > > > > > handle?
> > > > >
> > > > > > Are you referring to the old WebNFS stuff? That was a v2/v3
> > > > > thing, and, I believe, only ever supported by Solaris.
> > > > >
> > > >
> > > > One more try! I think my MUA was having issues this morning.
> > > >
> > > > NFSv4.1 supports the PUTPUBFH op:
> > > >
> > > > > https://www.rfc-editor.org/rfc/rfc8881.html#name-operation-23-putpubfh-set-p
> > > >
> > > > ...but this op is only for backward compatibility. The Linux
> > > > server returns the rootfh (as it SHOULD).
> > >
> > > No, I do not consider this "backward compatibility". The "public"
> > > option is also intended for public servers, like package mirrors
> > > (e.g.
> > > Debian), to have a better solution than http or ftp.
> > >
> >
> > PUTPUBFH offers no extra security features over PUTROOTFH. It is
> > literally just a way to offer a second point of entry into the same
> > exported filesystem.

Do any clients even provide a mechanism to mount using PUTPUBFH?

> Right. It doesn't expose your "private" filesystem hierarchy.

There are ways to avoid exposing the private filesystem hierarchy. I have used bind mounts in the past and some servers may allow specifying the pseudo path for exports to hide the filesystem hierarchy.

> > A more modern approach would be to create 2 containers on the same
> > host: one that shares the full namespace to be exported, and one that
> > shares only the bits of the namespace that are considered "public".
> > That approach requires no extra patches or customisation to existing
> > kernels.
> 
> Oh for god's sake. Please don't call "containers" a "modern approach".
> It's just a sad waste of resources, aside from the other shitload of problems they
> cause.
> Also in real life, we frog-eating backwards savages here in Europe do not have
> so many public IPv4 addresses available to put everything into containers, and
> changing everything to IPv6-only networks will take another 2 or 3 decades
> here.

There are ways to do it without containers, though a container gives an additional level of security.

> Cedric Blancher <cedric.blancher@gmail.com>
> [https://plus.google.com/u/0/+CedricBlancher/]
> Institute Pasteur

Frank Filz
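
The bind-mount and pseudo-path approaches mentioned in the message above, sketched as an added configuration example that is not part of the original message or thread. All paths, the export ID and the client wildcard are constructed for illustration; NFS-Ganesha is used here as one server that has a per-export pseudo path option.

```conf
# --- Linux knfsd: bind mount into a dedicated export tree -------------------
# Assumed layout: the real data lives under /data/projects/mirror/pub, and
# /srv/nfs4 is an otherwise empty directory that serves as the NFSv4 root.

# /etc/fstab
# Bind only the public subtree into the export tree; nothing else from /data
# is reachable through /srv/nfs4.
/data/projects/mirror/pub  /srv/nfs4/pub  none  bind  0 0

# /etc/exports
# fsid=0 marks /srv/nfs4 as the NFSv4 pseudo-root, so clients mount
# server:/pub and never see the /data/projects/... path on the server.
/srv/nfs4      *(ro,fsid=0,root_squash,no_subtree_check)
/srv/nfs4/pub  *(ro,root_squash,no_subtree_check)

# After editing: mount /srv/nfs4/pub && exportfs -ra
# Check what is actually exported with: exportfs -v

# --- NFS-Ganesha: pseudo path set per export --------------------------------
# /etc/ganesha/ganesha.conf
# Path is the real directory on the server; Pseudo is the only name an
# NFSv4 client sees for it.
EXPORT {
    Export_Id   = 1;                          # constructed value
    Path        = /data/projects/mirror/pub;  # hidden from clients
    Pseudo      = /pub;                       # visible in the v4 namespace
    Access_Type = RO;
    Squash      = Root_Squash;
    Protocols   = 4;
    FSAL { Name = VFS; }
}
```

Either way, a client walking the namespace from the root filehandle (which is also what the Linux server returns for PUTPUBFH, per the thread) only reaches the entries exported here.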


