exporting subdirectory of shared filesystem to different hosts

exporting subdirectory of shared filesystem to different hosts

[Sascha Frey]

Hi,

we have some Linux NFS servers distributing our users' homes to our
clients.

We are using NIS netgroups to restrict access to certain NFS shares.
Our /etc/exports file looks like this:
/var/lib/nfs/v4root \
        *(ro,fsid=0,insecure,no_subtree_check)
/export/homes \
        -rw,async,insecure,no_subtree_check @netgroupA
/var/lib/nfs/v4root/export/homes \
        -rw,async,insecure,nohide,no_subtree_check @netgroupA

(/export/homes is bind-mounted to /var/lib/nfs/v4root/export/homes to
have the same path for NFSv3 and v4 exports.)

Now we need to export some of the home directories to an additional
group of hosts. So we added two lines for each one of these 'special
cases' to the exports file:

/export/homes/usera \
        -rw,async,insecure,no_subtree_check @netgroupA @netgroupB
/var/lib/nfs/v4root/export/homes/usera \
        -rw,async,insecure,nohide,no_subtree_check @netgroupA @netgroupB

Our Problem:
Hosts, which are member of netgroupB, are unable to mount
server:/export/homes/usera, if using NFSv4:
client:~# mount -t nfs4 server:/export/homes/usera /mnt
mount.nfs4: mounting server:/export/homes/usera failed, reason given by
server:
  No such file or directory

NFSv3 mount works (-t nfs)...

We can't export the whole homes-tree to netgroupB. Adding entries in
/etc/exports isn't a good idea either (we have more than 2000 home
directories).


Is there any chance to get this working without setting up export
entries for each single home directory?




Thanks,
Sascha

Re: exporting subdirectory of shared filesystem to different hosts

[J. Bruce Fields]

On Sun, Jun 14, 2009 at 07:53:25PM +0200, Sascha Frey wrote:
> Hi,
> 
> we have some Linux NFS servers distributing our users' homes to our
> clients.
> 
> We are using NIS netgroups to restrict access to certain NFS shares.
> Our /etc/exports file looks like this:
> /var/lib/nfs/v4root \
>         *(ro,fsid=0,insecure,no_subtree_check)
> /export/homes \
>         -rw,async,insecure,no_subtree_check @netgroupA
> /var/lib/nfs/v4root/export/homes \
>         -rw,async,insecure,nohide,no_subtree_check @netgroupA
> 
> (/export/homes is bind-mounted to /var/lib/nfs/v4root/export/homes to
> have the same path for NFSv3 and v4 exports.)
> 
> Now we need to export some of the home directories to an additional
> group of hosts. So we added two lines for each one of these 'special
> cases' to the exports file:
> 
> /export/homes/usera \
>         -rw,async,insecure,no_subtree_check @netgroupA @netgroupB
> /var/lib/nfs/v4root/export/homes/usera \
>         -rw,async,insecure,nohide,no_subtree_check @netgroupA @netgroupB
> 
> Our Problem:
> Hosts, which are member of netgroupB, are unable to mount
> server:/export/homes/usera, if using NFSv4:
> client:~# mount -t nfs4 server:/export/homes/usera /mnt
> mount.nfs4: mounting server:/export/homes/usera failed, reason given by
> server:
>   No such file or directory
> 
> NFSv3 mount works (-t nfs)...
> 
> We can't export the whole homes-tree to netgroupB. Adding entries in
> /etc/exports isn't a good idea either (we have more than 2000 home
> directories).
> 
> 
> Is there any chance to get this working without setting up export
> entries for each single home directory?

Exports really only work well on a whole-filesystem basis.  The server
is not good at distinguishing between different subtrees of the same
filesystem.

Note also: in the above situation, a malicious user in netgroupB can
probably access anything in /export/homes.  You can fix that by changing
no_subtree_check to subtree_check, but that may cause unexpected stale
filehandle errors on renaming files (because it causes the filehandle of
a file to change depending on which directory it is contained in).

--b.