NetBSD Problem Report #58063
From www@netbsd.org Thu Mar 21 21:42:01 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id DBF441A9239
for <gnats-bugs@gnats.NetBSD.org>; Thu, 21 Mar 2024 21:42:01 +0000 (UTC)
Message-Id: <20240321214200.5493B1A923A@mollari.NetBSD.org>
Date: Thu, 21 Mar 2024 21:42:00 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: nfs documentation doesn't make it clear enough that it exports entire file systems, not directory subtrees
X-Send-Pr-Version: www-1.0
>Number: 58063
>Category: misc
>Synopsis: nfs documentation doesn't make it clear enough that it exports entire file systems, not directory subtrees
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: misc-bug-people
>State: open
>Class: doc-bug
>Submitter-Id: net
>Arrival-Date: Thu Mar 21 21:45:00 +0000 2024
>Last-Modified: Thu Mar 28 15:45:01 +0000 2024
>Originator: Taylor R Campbell
>Release: current, 10, 9, 8, ...
>Organization:
The NfsBSD Foundation
>Environment:
>Description:
nfs provides very limited security boundaries, and always has. The transport layer has no secrecy or authentication.
- Preventing writes by nfs clients requires that the _file system_ be mounted read only; it is not enough to mark it read-only through /etc/exports options: https://gnats.netbsd.org/3019
- Preventing access to files in one part of a file system requires that the _file system_ the files live on not be exported; it is not enough to export a different subtree of the file system -- exporting a subtree requires the `-alldirs' option which effectively exports the whole file system. (nullfs doesn't help here because it passes fhandles through verbatim.)
So if you have a single / partition that includes /bin, /etc, and /home, you probably shouldn't try to export /home unless you trust the nfs clients not to overwrite /bin -- you need a separate /home partition.
This is explained in the exports(5) man page, but it's not very clear:
In a mount entry, the first field(s) specify the directory path(s) within
a server filesystem that can be mounted on by the corresponding
client(s). There are two forms of this specification. The first is to
list all mount points as absolute directory paths separated by whitespace.
The second is to specify the pathname of the root of the filesystem
followed by the -alldirs flag; this form allows the host(s) to mount
at any point within the filesystem, including regular files. Note that
the -alldirs option should not be used as a security measure to make
clients mount only those subdirectories that they should have access to.
A client can still access the whole filesystem via individual RPCs if it
wanted to, even if just one subdirectory has been mounted.
[...]
The export options are tied to the local mount points in the kernel and
must be non-contradictory for any exported subdirectory of the local
server mount point.
https://man.NetBSD.org/exports.5
>How-To-Repeat:
man exports
read https://www.netbsd.org/docs/guide/en/chap-net-services.html#chap-net-services-nfs
>Fix:
Yes, please!
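The point made in the description, as an added example that is not part of the problem report or of NetBSD's code: a small audit that reads exports(5) entries and reports, for each exported path, whether it is the root of its file system and which sensitive directories share that file system. The `SENSITIVE` list, the function names and the sample mount table are assumptions made for this illustration.

```python
import os

# Assumed list of directories that an export of some other path should not
# expose; adjust for the server being audited.
SENSITIVE = ["/", "/bin", "/sbin", "/etc", "/usr", "/var", "/root"]

def exported_paths(exports_text):
    """Return the directory paths named in BSD exports(5) entries."""
    paths = []
    for line in exports_text.replace("\\\n", " ").splitlines():
        for token in line.split("#", 1)[0].split():
            if not token.startswith("/"):
                break          # first option or host ends the path list
            paths.append(token)
    return paths

def audit(exports_text, dev_of=lambda p: os.stat(p).st_dev):
    """Return (path, is_fs_root, exposed) for each exported path."""
    report = []
    for path in exported_paths(exports_text):
        dev = dev_of(path)
        prefix = path.rstrip("/") + "/"
        parent = os.path.dirname(path.rstrip("/")) or "/"
        is_fs_root = path == "/" or dev_of(parent) != dev
        # Sensitive directories outside the subtree but on the same file system.
        exposed = [s for s in SENSITIVE
                   if not (s + "/").startswith(prefix) and dev_of(s) == dev]
        report.append((path, is_fs_root, exposed))
    return report

# Constructed sample: one root file system holding /home, plus a separate
# file system mounted on /export.
SAMPLE_MOUNTS = {"/": 1, "/export": 2}
SAMPLE_EXPORTS = """\
# constructed exports(5) sample
/home -alldirs -maproot=nobody client1
/export/src /export/obj \\
    -ro -network 10.0.0.0 -mask 255.255.255.0
"""

def sample_dev_of(path):
    """Device id of the longest SAMPLE_MOUNTS mount point containing path."""
    mounts = [m for m in SAMPLE_MOUNTS if (path + "/").startswith(m.rstrip("/") + "/")]
    return SAMPLE_MOUNTS[max(mounts, key=len)]

if __name__ == "__main__":
    for path, is_root, exposed in audit(SAMPLE_EXPORTS, sample_dev_of):
        print(path, "fs root" if is_root else "subtree only", exposed)
```

On a real server, call `audit(open("/etc/exports").read())` so that `os.stat` supplies the device ids. The check compares device ids only and does not look through nullfs layers, which the report says add no boundary.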
>Audit-Trail:
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58063 CVS commit: src/usr.sbin/mountd
Date: Tue, 26 Mar 2024 23:32:43 +0000
Module Name: src
Committed By: riastradh
Date: Tue Mar 26 23:32:43 UTC 2024
Modified Files:
src/usr.sbin/mountd: exports.5 mountd.8
Log Message:
exports(5), mountd(8): First pass at clarifying export semantics.
The exports(5) man page is full of walls of turgid prose that should
be itemized lists with syntax templates, and I'm itching to rewrite
it, but let's get the security-relevant warnings out of the way
first.
PR misc/58063
To generate a diff of this commit:
cvs rdiff -u -r1.32 -r1.33 src/usr.sbin/mountd/exports.5
cvs rdiff -u -r1.42 -r1.43 src/usr.sbin/mountd/mountd.8
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58063 CVS commit: src/usr.sbin/mountd
Date: Wed, 27 Mar 2024 00:46:17 +0000
Module Name: src
Committed By: riastradh
Date: Wed Mar 27 00:46:17 UTC 2024
Modified Files:
src/usr.sbin/mountd: exports.5
Log Message:
exports(5): Revert warning about `-ro' on read/write file systems.
Looks like the nfs server does enforce that after all, in spite of
the rather oblique commentary in the BUGS section about export
options being tied to local mount point options with which they must
be noncontradictory.
And there's no reason in principle it shouldn't enforce this -- it
just needs to block various file system _operations_, rather than the
subtree issue where the criteria for evaluating whether operations
are allowed on particular _file handles_ are too painful to
contemplate.
PR misc/58063
To generate a diff of this commit:
cvs rdiff -u -r1.33 -r1.34 src/usr.sbin/mountd/exports.5
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58063 CVS commit: src/usr.sbin/mountd
Date: Wed, 27 Mar 2024 01:43:26 +0000
Module Name: src
Committed By: riastradh
Date: Wed Mar 27 01:43:26 UTC 2024
Modified Files:
src/usr.sbin/mountd: exports.5
Log Message:
exports(5): Substantially rewrite for clarity.
Hope this is an improvement over the turgid paragraphs all about
first/second/third cases of everything.
PR misc/58063
To generate a diff of this commit:
cvs rdiff -u -r1.34 -r1.35 src/usr.sbin/mountd/exports.5
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58063 CVS commit: htdocs/docs/guide/en
Date: Thu, 28 Mar 2024 14:57:21 +0000
Module Name: htdocs
Committed By: riastradh
Date: Thu Mar 28 14:57:21 UTC 2024
Modified Files:
htdocs/docs/guide/en: chap-net-services.xml
Log Message:
docs/guide/en/chap-net-services: Clarify NFS security model.
Tidy up a little bit while here:
- fix some punctuation
- say `file system' consistently, not `filesystem'
- suggest `service mountd reload', not `kill -HUP $(cat ...)'
- clarify metasyntactic variables
PR misc/58063
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 htdocs/docs/guide/en/chap-net-services.xml
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58063 CVS commit: src/sbin/fsirand
Date: Thu, 28 Mar 2024 15:39:43 +0000
Module Name: src
Committed By: riastradh
Date: Thu Mar 28 15:39:42 UTC 2024
Modified Files:
src/sbin/fsirand: fsirand.8
Log Message:
fsirand(8): Fix security claims.
PR misc/58063
To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/sbin/fsirand/fsirand.8
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.