From: "J. Bruce Fields" <bfields@fieldses.org>
To: "Lever, Charles" <Charles.Lever@netapp.com>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>, nfs@lists.sourceforge.net
Subject: Re: NFS FAQ updates
Date: Mon, 14 Mar 2005 13:09:30 -0500
Message-ID: <20050314180930.GD27626@fieldses.org>
In-Reply-To: <482A3FA0050D21419C269D13989C611308539875@lavender-fe.eng.netapp.com>

On Mon, Mar 14, 2005 at 09:48:05AM -0800, Lever, Charles wrote:
> thanks for your comments, guys.  i've simplified C7 a bit, see if it
> helps:
> 
>   http://nfs.sourceforge.net/index.cel.php#faq_c7

I found it a little difficult to understand what you meant by "files
sensitive to access by root" on my first reading:

	"If you are still concerned about the minor security
	implications described above, export only whole file systems if
	the file system contains files sensitive to access by root (such
	as setuid binaries)."

And I wouldn't downplay the security concern quite so much.  How about
just this?:

	"If you need to be certain that clients cannot access files
	outside the exported part of a filesystem, set up the partitions
	on your server so that you need only export whole filesystems."

A related complaint: the word "filesystem" has a lot of different
meanings.  I'm not sure if I'd be able to tell from this answer exactly
which boundaries I could count on being respected by nfsd with subtree
checking turned off.  I think "partition" would convey something more
concrete to most administrators.  Would it be inaccurate to replace
"filesystem" by "partition" everywhere in this answer?

--b.
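
Added example, not part of the original message or of the NFS FAQ: a small audit that flags exports whose path is not the root of a filesystem, which is the case the proposed wording tells administrators to avoid. The sample exports text, the mount-point set and the function names are constructed for illustration; only the `subtree_check` and `no_subtree_check` option names come from exports(5).

```python
import posixpath

# Constructed sample input (not from the original message).
SAMPLE_EXPORTS = """\
# exports(5)-style lines, constructed for this example
/srv/data        192.0.2.0/24(rw,no_subtree_check)
/srv/data/public *(ro,no_subtree_check)
/home/projects   client.example.org(rw,subtree_check)
/export          *(ro)
"""
# Constructed list of filesystem roots (mount points) on the server.
SAMPLE_MOUNT_POINTS = {"/", "/srv/data", "/home", "/export"}


def parse_exports(text):
    """Yield (path, options) per export line; options are merged across clients.

    Simplification: quoted paths and backslash line continuations are not handled.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        opts = set()
        for client in fields[1:]:
            if "(" in client and client.endswith(")"):
                inner = client[client.index("(") + 1:-1]
                opts.update(o.strip() for o in inner.split(",") if o.strip())
        yield posixpath.normpath(fields[0]), opts


def audit(text, mount_points):
    """Return (path, subtree setting) for every export that is not a whole filesystem."""
    findings = []
    for path, opts in parse_exports(text):
        if path in mount_points:
            continue  # export boundary coincides with the filesystem boundary
        if "no_subtree_check" in opts:
            setting = "no_subtree_check"
        elif "subtree_check" in opts:
            setting = "subtree_check"
        else:
            setting = "default"  # not stated on the line; depends on the server
        findings.append((path, setting))
    return findings
```

On a live server the mount-point set can be built by testing each exported path with `os.path.ismount`.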

