From: "J. Bruce Fields" <bfields@fieldses.org>
To: Sascha Frey <sfrey-15KJMqYlBKyzX87ganJRvOIeGoz/g4FR@public.gmane.org>
Cc: linux-nfs@vger.kernel.org
Subject: Re: exporting subdirectory of shared filesystem to different hosts
Date: Mon, 15 Jun 2009 18:49:21 -0400 [thread overview]
Message-ID: <20090615224921.GA17917@fieldses.org> (raw)
In-Reply-To: <20090614175325.GA10466-15KJMqYlBKyzX87ganJRvOIeGoz/g4FR@public.gmane.org>
On Sun, Jun 14, 2009 at 07:53:25PM +0200, Sascha Frey wrote:
> Hi,
>
> we have some Linux NFS servers distributing our users' homes to our
> clients.
>
> We are using NIS netgroups to restrict access to certain NFS shares.
> Our /etc/exports file looks like this:
> /var/lib/nfs/v4root \
> *(ro,fsid=0,insecure,no_subtree_check)
> /export/homes \
> -rw,async,insecure,no_subtree_check @netgroupA
> /var/lib/nfs/v4root/export/homes \
> -rw,async,insecure,nohide,no_subtree_check @netgroupA
>
> (/export/homes is bind-mounted to /var/lib/nfs/v4root/export/homes to
> have the same path for NFSv3 and v4 exports.)
>
> Now we need to export some of the home directories to an additional
> group of hosts. So we added two lines for each one of these 'special
> cases' to the exports file:
>
> /export/homes/usera \
> -rw,async,insecure,no_subtree_check @netgroupA @netgroupB
> /var/lib/nfs/v4root/export/homes/usera \
> -rw,async,insecure,nohide,no_subtree_check @netgroupA @netgroupB
>
> Our Problem:
> Hosts, which are member of netgroupB, are unable to mount
> server:/export/homes/usera, if using NFSv4:
> client:~# mount -t nfs4 server:/export/homes/usera /mnt
> mount.nfs4: mounting server:/export/homes/usera failed, reason given by
> server:
> No such file or directory
>
> NFSv3 mount works (-t nfs)...
>
> We can't export the whole homes-tree to netgroupB. Adding entries in
> /etc/exports isn't a good idea either (we have more than 2000 home
> directories).
>
>
> Is there any chance to get this working without setting up export
> entries for each single home directory?
Exports really only work well on a whole-filesystem basis. The server
is not good at distinguishing between different subtrees of the same
filesystem.
Note also: in the above situation, a malicious user in netgroupB can
probably access anything in /export/homes. You can fix that by changing
no_subtree_check to subtree_check, but that may cause unexpected stale
filehandle errors on renaming files (because it causes the filehandle of
a file to change depending on which directory it is contained in).
--b.
prev parent reply other threads:[~2009-06-15 22:49 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-14 17:53 exporting subdirectory of shared filesystem to different hosts Sascha Frey
[not found] ` <20090614175325.GA10466-15KJMqYlBKyzX87ganJRvOIeGoz/g4FR@public.gmane.org>
2009-06-15 22:49 ` J. Bruce Fields [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090615224921.GA17917@fieldses.org \
--to=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
--cc=sfrey-15KJMqYlBKyzX87ganJRvOIeGoz/g4FR@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox