* [PATCH] mountd.man: mountd tcp wrappers support only NFS v2/v3
From: Jan Chaloupka @ 2014-09-23 7:07 UTC (permalink / raw)
To: linux-nfs; +Cc: jchaloup, steved
mountd tcp wrappers support only NFSv2 and NFSv3, not NFSv4.
https://bugzilla.redhat.com/show_bug.cgi?id=1116283
This patch updates the man page
Signed-off-by: Jan Chaloupka <jchaloup@redhat.com>
---
utils/mountd/mountd.man | 2 ++
1 file changed, 2 insertions(+)
diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man
index a8828ae..1aae75b 100644
--- a/utils/mountd/mountd.man
+++ b/utils/mountd/mountd.man
@@ -217,6 +217,8 @@ listeners using the
.B tcp_wrapper
library or
.BR iptables (8).
+Tcp wrappers are only in effect with NFS version 2 and 3 mounts.
+They do not work with NFS version 4.
.PP
Note that the
.B tcp_wrapper
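Review bot: The added sentence "They do not work with NFS version 4." gives no reason and no alternative, so it reads like a defect rather than a limit of scope. Suggest saying that the tcp_wrapper check applies only to mount requests handled by rpc.mountd, and naming iptables(8), already mentioned on the preceding context line, as the mechanism to use for NFS version 4.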
* [PATCH] mountd.man: mountd tcp wrappers support only NFS v2/v3
From: Jan Chaloupka @ 2014-09-23 7:14 UTC (permalink / raw)
To: linux-nfs; +Cc: jchaloup, steved
mountd tcp wrappers support only NFSv2 and NFSv3, not NFSv4.
https://bugzilla.redhat.com/show_bug.cgi?id=1116283
This patch updates the man page
Signed-off-by: Jan Chaloupka <jchaloup@redhat.com>
---
utils/mountd/mountd.man | 2 ++
1 file changed, 2 insertions(+)
diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man
index a8828ae..1aae75b 100644
--- a/utils/mountd/mountd.man
+++ b/utils/mountd/mountd.man
@@ -217,6 +217,8 @@ listeners using the
.B tcp_wrapper
library or
.BR iptables (8).
+Tcp wrappers are only in effect with NFS version 2 and 3 mounts.
+They do not work with NFS version 4.
.PP
Note that the
.B tcp_wrapper
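Review bot: Style, on both added lines: the new sentences write "Tcp wrappers" as plain text, while the surrounding context lines use the .B tcp_wrapper macro for the same library. Suggest using the same name and markup in the new text so the paragraph refers to the library one way; the two short sentences could also be merged into one.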
* Re: [PATCH] mountd.man: mountd tcp wrappers support only NFS v2/v3
From: Trond Myklebust @ 2014-09-23 20:41 UTC (permalink / raw)
To: Jan Chaloupka; +Cc: Linux NFS Mailing List, Steve Dickson
On Tue, Sep 23, 2014 at 3:07 AM, Jan Chaloupka <jchaloup@redhat.com> wrote:
> mountd tcp wrappers support only NFSv2 and NFSv3, not NFSv4.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1116283
>
> This patch updates the man page
>
> Signed-off-by: Jan Chaloupka <jchaloup@redhat.com>
> ---
> utils/mountd/mountd.man | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man
> index a8828ae..1aae75b 100644
> --- a/utils/mountd/mountd.man
> +++ b/utils/mountd/mountd.man
> @@ -217,6 +217,8 @@ listeners using the
> .B tcp_wrapper
> library or
> .BR iptables (8).
> +Tcp wrappers are only in effect with NFS version 2 and 3 mounts.
> +They do not work with NFS version 4.
> .PP
> Note that the
> .B tcp_wrapper
>
Is there any point to compiling mountd with the tcp wrappers in this
day and age? tcp wrappers isn't enforced by knfsd, so as the above
manpage change indicates it really is only blocking NFSv2/v3 _mount_
attempts.
If you can use NFSv4, or sniff the NFSv2/v3 traffic or even just guess
NFSv2/v3 filehandles, then tcp wrappers can be 100% circumvented.
--
Trond Myklebust
Linux NFS client maintainer, PrimaryData
trond.myklebust@primarydata.com
* Re: [PATCH] mountd.man: mountd tcp wrappers support only NFS v2/v3
From: Steve Dickson @ 2014-09-24 15:21 UTC (permalink / raw)
To: Trond Myklebust, Jan Chaloupka; +Cc: Linux NFS Mailing List
On 09/23/2014 04:41 PM, Trond Myklebust wrote:
> On Tue, Sep 23, 2014 at 3:07 AM, Jan Chaloupka <jchaloup@redhat.com> wrote:
>> mountd tcp wrappers support only NFSv2 and NFSv3, not NFSv4.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1116283
>>
>> This patch updates the man page
>>
>> Signed-off-by: Jan Chaloupka <jchaloup@redhat.com>
>> ---
>> utils/mountd/mountd.man | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man
>> index a8828ae..1aae75b 100644
>> --- a/utils/mountd/mountd.man
>> +++ b/utils/mountd/mountd.man
>> @@ -217,6 +217,8 @@ listeners using the
>> .B tcp_wrapper
>> library or
>> .BR iptables (8).
>> +Tcp wrappers are only in effect with NFS version 2 and 3 mounts.
>> +They do not work with NFS version 4.
>> .PP
>> Note that the
>> .B tcp_wrapper
>>
>
> Is there any point to compiling mountd with the tcp wrappers in this
> day and age?
From an upstream point of view... Sure... But I don't think
we can remove them from the man pages...
> tcp wrappers isn't enforced by knfsd, so as the above
> manpage change indicates it really is only blocking NFSv2/v3 _mount_
> attempts.
>
> If you can use NFSv4, or sniff the NFSv2/v3 traffic or even just guess
> NFSv2/v3 filehandles, then tcp wrappers can be 100% circumvented.
>
You would be surprised at the number of people that still use
them...
steved.
* Re: [PATCH] mountd.man: mountd tcp wrappers support only NFS v2/v3
From: J. Bruce Fields @ 2014-09-24 17:04 UTC (permalink / raw)
To: Steve Dickson; +Cc: Trond Myklebust, Jan Chaloupka, Linux NFS Mailing List
On Wed, Sep 24, 2014 at 11:21:50AM -0400, Steve Dickson wrote:
>
>
> On 09/23/2014 04:41 PM, Trond Myklebust wrote:
> > On Tue, Sep 23, 2014 at 3:07 AM, Jan Chaloupka <jchaloup@redhat.com> wrote:
> >> mountd tcp wrappers support only NFSv2 and NFSv3, not NFSv4.
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1116283
> >>
> >> This patch updates the man page
> >>
> >> Signed-off-by: Jan Chaloupka <jchaloup@redhat.com>
> >> ---
> >> utils/mountd/mountd.man | 2 ++
> >> 1 file changed, 2 insertions(+)
> >>
> >> diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man
> >> index a8828ae..1aae75b 100644
> >> --- a/utils/mountd/mountd.man
> >> +++ b/utils/mountd/mountd.man
> >> @@ -217,6 +217,8 @@ listeners using the
> >> .B tcp_wrapper
> >> library or
> >> .BR iptables (8).
> >> +Tcp wrappers are only in effect with NFS version 2 and 3 mounts.
> >> +They do not work with NFS version 4.
> >> .PP
> >> Note that the
> >> .B tcp_wrapper
> >>
> >
> > Is there any point to compiling mountd with the tcp wrappers in this
> > day and age?
> From an upstream point of view... Sure... But I don't think
> we can remove them from the man pages...
>
>
> > tcp wrappers isn't enforced by knfsd, so as the above
> > manpage change indicates it really is only blocking NFSv2/v3 _mount_
> > attempts.
> >
> > If you can use NFSv4, or sniff the NFSv2/v3 traffic or even just guess
> > NFSv2/v3 filehandles, then tcp wrappers can be 100% circumvented.
> >
> You would be surprised at the number of people that still use
> them...
I'd also be surprised if any of them really understand how little they
do in this case.
--b.
* Re: [PATCH] mountd.man: mountd tcp wrappers support only NFS v2/v3
From: Trond Myklebust @ 2014-09-24 17:18 UTC (permalink / raw)
To: J. Bruce Fields; +Cc: Steve Dickson, Jan Chaloupka, Linux NFS Mailing List
On Wed, Sep 24, 2014 at 1:04 PM, J. Bruce Fields <bfields@fieldses.org> wrote:
> On Wed, Sep 24, 2014 at 11:21:50AM -0400, Steve Dickson wrote:
>>
>>
>> On 09/23/2014 04:41 PM, Trond Myklebust wrote:
>> > On Tue, Sep 23, 2014 at 3:07 AM, Jan Chaloupka <jchaloup@redhat.com> wrote:
>> >> mountd tcp wrappers support only NFSv2 and NFSv3, not NFSv4.
>> >>
>> >> https://bugzilla.redhat.com/show_bug.cgi?id=1116283
>> >>
>> >> This patch updates the man page
>> >>
>> >> Signed-off-by: Jan Chaloupka <jchaloup@redhat.com>
>> >> ---
>> >> utils/mountd/mountd.man | 2 ++
>> >> 1 file changed, 2 insertions(+)
>> >>
>> >> diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man
>> >> index a8828ae..1aae75b 100644
>> >> --- a/utils/mountd/mountd.man
>> >> +++ b/utils/mountd/mountd.man
>> >> @@ -217,6 +217,8 @@ listeners using the
>> >> .B tcp_wrapper
>> >> library or
>> >> .BR iptables (8).
>> >> +Tcp wrappers are only in effect with NFS version 2 and 3 mounts.
>> >> +They do not work with NFS version 4.
>> >> .PP
>> >> Note that the
>> >> .B tcp_wrapper
>> >>
>> >
>> > Is there any point to compiling mountd with the tcp wrappers in this
>> > day and age?
>> From an upstream point of view... Sure... But I don't think
>> we can remove them from the man pages...
>>
>>
>> > tcp wrappers isn't enforced by knfsd, so as the above
>> > manpage change indicates it really is only blocking NFSv2/v3 _mount_
>> > attempts.
>> >
>> > If you can use NFSv4, or sniff the NFSv2/v3 traffic or even just guess
>> > NFSv2/v3 filehandles, then tcp wrappers can be 100% circumvented.
>> >
>> You would be surprised at the number of people that still use
>> them...
>
> I'd also be surprised if any of them really understand how little they
> do in this case.
>
Hence my point about whether or not it is a good idea to pretend that
we have the support.
If people are configuring tcp wrappers for rpc.mount because they
don't know any better, then it should be removed. If, however, there
are still genuine use cases where the tcp wrappers provide genuine
value (as opposed to security theatre) then it would be nice to
document _that_ in the manpage instead of providing a non-exhaustive
list of alternatives where they don't help.
--
Trond Myklebust
Linux NFS client maintainer, PrimaryData
trond.myklebust@primarydata.com
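An added audit sketch for the situation this thread describes (it is not part of any message and is not nfs-utils code): it flags hosts.allow/hosts.deny rules written for mountd on a server whose enabled NFS versions make those rules less protective than they look. The function names, the set of daemon names matched and the sample file contents are assumptions constructed for the example.

```python
import re

# Constructed sample inputs (not taken from the thread).
SAMPLE_HOSTS_ALLOW = "# constructed\nmountd, statd : 192.0.2.0/255.255.255.0\nsshd : ALL\n"
SAMPLE_HOSTS_DENY = "mountd : ALL\n"
SAMPLE_NFSD_VERSIONS = "-2 +3 +4 +4.1 +4.2\n"  # layout of /proc/fs/nfsd/versions

# Assumption: rules written for mountd use one of these daemon names.
MOUNTD_NAMES = {"mountd", "rpc.mountd"}


def mountd_rules(text):
    """Return hosts.allow/hosts.deny rules whose daemon list names mountd.

    Wildcard rules such as "ALL : ALL" are skipped on purpose: they show no
    intent to control NFS access specifically.
    """
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons = re.split(r"[,\s]+", line.split(":", 1)[0].strip())
        if MOUNTD_NAMES & set(daemons):
            rules.append(line)
    return rules


def enabled_versions(versions_text):
    """Return the NFS versions marked '+' (enabled) in the versions string."""
    return [tok[1:] for tok in versions_text.split() if tok.startswith("+")]


def audit(allow_text, deny_text, versions_text):
    """Return (code, message) findings for mountd rules that cover less than they suggest."""
    rules = mountd_rules(allow_text) + mountd_rules(deny_text)
    versions = enabled_versions(versions_text)
    findings = []
    if not rules:
        return findings
    if any(v.startswith("4") for v in versions):
        findings.append(("V4_NOT_COVERED",
                         "NFSv4 is enabled; mountd tcp wrapper rules are not in effect for it"))
    if any(v in ("2", "3") for v in versions):
        findings.append(("MOUNT_ONLY",
                         "NFSv2/v3 rules gate only the mount request; knfsd does not enforce them"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY, SAMPLE_NFSD_VERSIONS):
        print(f"{code}: {msg}")
```

On a real server the three arguments would be the contents of /etc/hosts.allow, /etc/hosts.deny and /proc/fs/nfsd/versions.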