From: "Martin Schuster (IFKL IT OS DSM CD)" <Martin.Schuster1-d0qZbvYSIPpWk0Htik3J/w@public.gmane.org>
To: Peter Staubach <staubach@redhat.com>
Cc: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: [NFS] re-exporting NFS-mounted dir over NFS
Date: Thu, 5 Jun 2008 08:26:34 +0200
Message-ID: <4847871A.5000206@infineon.com>
In-Reply-To: <4846AAB3.9070005@redhat.com>
Thanks for your thoughts about this.
Peter Staubach wrote:
> Is the real goal to be able to export the files using krb5
> authentication or the use of NFSv4?
>
Both, I fear.
> If the former, then why not just export the files from the
> NetApp using Kerberos?
>
> If the latter, then I suspect that it won't provide much, if
> any, benefit. It would still be limited to the NFSv3 semantics
> of the file system.
>
The current NFS4 support in NetApp's OnTap is afaik quite new,
so our filer administrator doesn't want to enable it in the
near future; he prefers waiting until the issues that are likely
to come up are solved before allowing it on a productive machine.

But mounting directly from the filer using NFS3+Kerberos would
allow the following attack vector, as the clients are in an
insecure network (i.e. could get root access on their machines):

- User mounts a directory using his Kerberos credentials
- User gets root, then changes w/o password to another user
- User can now read the files of that other user, as the NFS3 server
  doesn't check the permissions

(at least, that's how I understood the difference between NFS3
and NFS4 -- please correct me if I'm wrong)

So my question still is: Is re-exporting an NFS mount technically
impossible, or does it just need some coding to get it working?

Thanks in advance,
--
Infineon Technologies IT-Services GmbH Martin.Schuster1-d0qZbvYSIPpWk0Htik3J/w@public.gmane.org
Lakeside B05, 9020 Klagenfurt, Austria Martin Schuster
FB: LG Klagenfurt, FN 246787y +43 5 1777 3517