direct mount from NFS-mounted directories issue

direct mount from NFS-mounted directories issue

[Guillaume Rousse]

A direct mount which mount point is itself located on a NFS mount
does'nt work, with the following error message on launch:
Mar  6 14:05:21 stalingrad automount[23355]: do_mount_autofs_direct:
failed to create mount directory /home/members/rousse/test

From the mandriva user that reported this issue, it worked with previous
release. Full story at http://qa.mandriva.com/show_bug.cgi?id=28646

Re: direct mount from NFS-mounted directories issue

[Ian Kent]

On Tue, 2007-03-06 at 14:06 +0100, Guillaume Rousse wrote:
> A direct mount which mount point is itself located on a NFS mount
> does'nt work, with the following error message on launch:
> Mar  6 14:05:21 stalingrad automount[23355]: do_mount_autofs_direct:
> failed to create mount directory /home/members/rousse/test

Does the mount point directory already exist within the remote NFS
filesystem?

If not then create it.

This behavior was changed because the NFS client in recent kernels
return EACCESS before it returned EEXIST. It would have been fine to
just use stat(2) and then create the mount point directory but that
attracted much criticism regarding the security aspects of "root" owned
code to attempting to create directories on a remote NFS server. And so
this is the way it is now.

> >From the mandriva user that reported this issue, it worked with previous
> release. Full story at http://qa.mandriva.com/show_bug.cgi?id=28646

Indeed it probably did work a little while ago.
Sorry for the inconvenience.

Ian

Re: direct mount from NFS-mounted directories issue

[Guillaume Rousse]

Ian Kent wrote:
> This behavior was changed because the NFS client in recent kernels
> return EACCESS before it returned EEXIST. It would have been fine to
> just use stat(2) and then create the mount point directory but that
> attracted much criticism regarding the security aspects of "root" owned
> code to attempting to create directories on a remote NFS server. And so
> this is the way it is now.
I'm not a security expert, but it seems for me than allowing root owned
code to create anything on the server is rather a question of
configuring the export writability and trustability on root uid than
enforcing it on client side. Anyway, could the client behaviour be
configurable also, with current (secure) behaviour as default ?

Re: direct mount from NFS-mounted directories issue

[Ian Kent]

On Wed, 2007-03-07 at 10:27 +0100, Guillaume Rousse wrote:
> Ian Kent wrote:
> > This behavior was changed because the NFS client in recent kernels
> > return EACCESS before it returned EEXIST. It would have been fine to
> > just use stat(2) and then create the mount point directory but that
> > attracted much criticism regarding the security aspects of "root" owned
> > code to attempting to create directories on a remote NFS server. And so
> > this is the way it is now.
> I'm not a security expert, but it seems for me than allowing root owned
> code to create anything on the server is rather a question of
> configuring the export writability and trustability on root uid than
> enforcing it on client side. Anyway, could the client behaviour be
> configurable also, with current (secure) behaviour as default ?

Maybe but the criticism was that autofs was attempting to create remote
directories "at all". Is it such a big ask that if mounts within remote
filesystems have mount point directories already?

Ian