exports man page: warn about subdirectory exports
diff mbox series

Message ID 20200316210146.GJ6938@fieldses.org
State New
Headers show
Series
  • exports man page: warn about subdirectory exports
Related show

Commit Message

Bruce Fields March 16, 2020, 9:01 p.m. UTC
From: "J. Bruce Fields" <bfields@redhat.com>

Subdirectory exports have a number of problems which have been poorly
documented.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
---
 utils/exportfs/exports.man | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

Comments

Steve Dickson March 27, 2020, 7:15 p.m. UTC | #1
On 3/16/20 5:01 PM, J. Bruce Fields wrote:
> From: "J. Bruce Fields" <bfields@redhat.com>
> 
> Subdirectory exports have a number of problems which have been poorly
> documented.
> 
> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Committed... (tag: nfs-utils-2-4-4-rc2)

steved.
> ---
>  utils/exportfs/exports.man | 27 +++++++++++++++++++++++++++
>  1 file changed, 27 insertions(+)
> 
> diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
> index e3a16f6b276a..1d1718494e83 100644
> --- a/utils/exportfs/exports.man
> +++ b/utils/exportfs/exports.man
> @@ -494,6 +494,33 @@ export entry for
>  .B /home/joe
>  in the example section below, which maps all requests to uid 150 (which
>  is supposedly that of user joe).
> +
> +.SS Subdirectory Exports
> +
> +Normally you should only export only the root of a filesystem.  The NFS
> +server will also allow you to export a subdirectory of a filesystem,
> +however, this has drawbacks:
> +
> +First, it may be possible for a malicious user to access files on the
> +filesystem outside of the exported subdirectory, by guessing filehandles
> +for those other files.  The only way to prevent this is by using the
> +.IR no_subtree_check
> +option, which can cause other problems.
> +
> +Second, export options may not be enforced in the way that you would
> +expect.  For example, the
> +.IR security_label
> +option will not work on subdirectory exports, and if nested subdirectory
> +exports change the
> +.IR security_label
> +or
> +.IR sec=
> +options, NFSv4 clients will normally see only the options on the parent
> +export.  Also, where security options differ, a malicious client may use
> +filehandle-guessing attacks to access the files from one subdirectory
> +using the options from another.
> +
> +
>  .SS Extra Export Tables
>  After reading 
>  .I /etc/exports 
>

Patch
diff mbox series

diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
index e3a16f6b276a..1d1718494e83 100644
--- a/utils/exportfs/exports.man
+++ b/utils/exportfs/exports.man
@@ -494,6 +494,33 @@  export entry for
 .B /home/joe
 in the example section below, which maps all requests to uid 150 (which
 is supposedly that of user joe).
+
+.SS Subdirectory Exports
+
+Normally you should only export only the root of a filesystem.  The NFS
+server will also allow you to export a subdirectory of a filesystem,
+however, this has drawbacks:
+
+First, it may be possible for a malicious user to access files on the
+filesystem outside of the exported subdirectory, by guessing filehandles
+for those other files.  The only way to prevent this is by using the
+.IR no_subtree_check
+option, which can cause other problems.
+
+Second, export options may not be enforced in the way that you would
+expect.  For example, the
+.IR security_label
+option will not work on subdirectory exports, and if nested subdirectory
+exports change the
+.IR security_label
+or
+.IR sec=
+options, NFSv4 clients will normally see only the options on the parent
+export.  Also, where security options differ, a malicious client may use
+filehandle-guessing attacks to access the files from one subdirectory
+using the options from another.
+
+
 .SS Extra Export Tables
 After reading 
 .I /etc/exports