* Different options for subdir? Possible?
@ 2010-05-15 13:31 Pierre Ossman
       [not found] ` <20100515153104.51f5e4ab-OhHrUh4vRMS8I+09wXhka4dd74u8MsAO@public.gmane.org>
  0 siblings, 1 reply; 4+ messages in thread
From: Pierre Ossman @ 2010-05-15 13:31 UTC (permalink / raw)
  To: linux-nfs

I'd like to export the filesystem /exports as ro, but the
subdir /exports/dump as rw. I can't seem to get it to work though, so
before I start digging deeper I figured I might ask if this is even
possible? :)

I tried this in /etc/exports:

/exports/dump	1.2.3.4(rw)
/exports	1.2.3.4(ro)

Rgds
-- 
     -- Pierre Ossman

  WARNING: This correspondence is being monitored by FRA, a
  Swedish intelligence agency. Make sure your server uses
  encryption for SMTP traffic and consider using PGP for
  end-to-end encryption.


* Re: Different options for subdir? Possible?
       [not found] ` <20100515153104.51f5e4ab-OhHrUh4vRMS8I+09wXhka4dd74u8MsAO@public.gmane.org>
@ 2010-05-17 20:49   ` J. Bruce Fields
  2010-05-18 17:34     ` Pierre Ossman
  0 siblings, 1 reply; 4+ messages in thread
From: J. Bruce Fields @ 2010-05-17 20:49 UTC (permalink / raw)
  To: Pierre Ossman; +Cc: linux-nfs

On Sat, May 15, 2010 at 03:31:04PM +0200, Pierre Ossman wrote:
> I'd like to export the filesystem /exports as ro, but the
> subdir /exports/dump as rw. I can't seem to get it to work though, so
> before I start digging deeper I figured I might ask if this is even
> possible? :)

If the "dump" subdirectory is a subdirectory of the same filesystem (not
a mountpoint), and if you're using NFSv4 (or v2/v3 with crossmnt), the
client will continue to use the export options on the parent directory.

Also, note that it's relatively easy for someone with access to the
network to treat all of /exports as rw.

In general, export points that aren't mountpoints are not usually a good
idea.

--b.

> 
> I tried this in /etc/exports:
> 
> /exports/dump	1.2.3.4(rw)
> /exports	1.2.3.4(ro)
> 
> Rgds
> -- 
>      -- Pierre Ossman
> 
>   WARNING: This correspondence is being monitored by FRA, a
>   Swedish intelligence agency. Make sure your server uses
>   encryption for SMTP traffic and consider using PGP for
>   end-to-end encryption.




* Re: Different options for subdir? Possible?
  2010-05-17 20:49   ` J. Bruce Fields
@ 2010-05-18 17:34     ` Pierre Ossman
       [not found]       ` <20100518193445.0c8dbc17-OhHrUh4vRMS8I+09wXhka4dd74u8MsAO@public.gmane.org>
  0 siblings, 1 reply; 4+ messages in thread
From: Pierre Ossman @ 2010-05-18 17:34 UTC (permalink / raw)
  To: J. Bruce Fields; +Cc: linux-nfs

On Mon, 17 May 2010 16:49:47 -0400
"J. Bruce Fields" <bfields@fieldses.org> wrote:

> On Sat, May 15, 2010 at 03:31:04PM +0200, Pierre Ossman wrote:
> > I'd like to export the filesystem /exports as ro, but the
> > subdir /exports/dump as rw. I can't seem to get it to work though, so
> > before I start digging deeper I figured I might ask if this is even
> > possible? :)
> 
> If the "dump" subdirectory is a subdirectory of the same filesystem (not
> a mountpoint), and if you're using NFSv4 (or v2/v3 with crossmnt), the
> client will continue to use the export options on the parent directory.
> 

Hmm... client? Can't say I'm intimate with the NFS protocol, but access
permissions like this seem like a server decision.

> Also, note that it's relatively easy for someone with access to the
> network to treat all of /exports as rw.

Even with subtree check?

> In general, export points that aren't mountpoints are not usually a good
> idea.

Fair enough. I'll have to figure something else out.

Thanks
-- 
     -- Pierre Ossman

  WARNING: This correspondence is being monitored by FRA, a
  Swedish intelligence agency. Make sure your server uses
  encryption for SMTP traffic and consider using PGP for
  end-to-end encryption.


* Re: Different options for subdir? Possible?
       [not found]       ` <20100518193445.0c8dbc17-OhHrUh4vRMS8I+09wXhka4dd74u8MsAO@public.gmane.org>
@ 2010-05-18 18:24         ` J. Bruce Fields
  0 siblings, 0 replies; 4+ messages in thread
From: J. Bruce Fields @ 2010-05-18 18:24 UTC (permalink / raw)
  To: Pierre Ossman; +Cc: linux-nfs

On Tue, May 18, 2010 at 07:34:45PM +0200, Pierre Ossman wrote:
> On Mon, 17 May 2010 16:49:47 -0400
> "J. Bruce Fields" <bfields@fieldses.org> wrote:
> 
> > On Sat, May 15, 2010 at 03:31:04PM +0200, Pierre Ossman wrote:
> > > I'd like to export the filesystem /exports as ro, but the
> > > subdir /exports/dump as rw. I can't seem to get it to work though, so
> > > before I start digging deeper I figured I might ask if this is even
> > > possible? :)
> > 
> > If the "dump" subdirectory is a subdirectory of the same filesystem (not
> > a mountpoint), and if you're using NFSv4 (or v2/v3 with crossmnt), the
> > client will continue to use the export options on the parent directory.
> > 
> 
> Hmm... client? Can't say I'm intimate with the NFS protocol, but access
> permissions like this seem like a server decision.

Yes, apologies for the imprecise language.

> > Also, note that it's relatively easy for someone with access to the
> > network to treat all of /exports as rw.
> 
> Even with subtree check?

If you turn on subtree_check, you're safe.  (That can cause other
problems, though, due to filehandles changing on cross-directory
rename.)

--b.

> > In general, export points that aren't mountpoints are not usually a good
> > idea.
> 
> Fair enough. I'll have to figure something else out.
> 
> Thanks
> -- 
>      -- Pierre Ossman
> 
>   WARNING: This correspondence is being monitored by FRA, a
>   Swedish intelligence agency. Make sure your server uses
>   encryption for SMTP traffic and consider using PGP for
>   end-to-end encryption.
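
Added example, not part of the original thread and not nfs-utils code: a small /etc/exports audit for the situation discussed above. It flags export points that are not mountpoints, that lack subtree_check, or that sit under an exported parent with a different ro/rw setting for the same client. The /srv/data line, the finding labels and the is_mountpoint parameter are assumptions of this example.

```python
import os

# Constructed sample: the two lines from the question plus one hypothetical export.
SAMPLE_EXPORTS = (
    "/exports/dump\t1.2.3.4(rw)\n"
    "/exports\t1.2.3.4(ro)\n"
    "/srv/data\t1.2.3.4(rw,subtree_check)\n"
)

def parse_exports(text):
    """Parse simple exports(5) lines (no quoting or escapes) into
    {path: {client: set_of_options}}."""
    exports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or no client list
        for spec in fields[1:]:
            client, _, opts = spec.partition("(")
            options = set(filter(None, opts.rstrip(")").split(",")))
            exports.setdefault(fields[0], {})[client] = options
    return exports

def access(opts):
    return "rw" if "rw" in opts else "ro"  # exports(5): ro is the default

def audit(text, is_mountpoint=os.path.ismount):
    """Return (path, finding) tuples; finding labels are this example's own."""
    exports, findings = parse_exports(text), []
    for path, clients in sorted(exports.items()):
        if is_mountpoint(path):
            continue  # a separate filesystem gets its own export options
        findings.append((path, "not-mountpoint"))
        if any("subtree_check" not in o for o in clients.values()):
            findings.append((path, "no-subtree-check"))
        for parent, pclients in sorted(exports.items()):
            if not path.startswith(parent.rstrip("/") + "/"):
                continue  # not nested under this export
            for client in sorted(clients.keys() & pclients.keys()):
                if access(clients[client]) != access(pclients[client]):
                    findings.append((path, "differs-from-parent:" + parent))
    return findings

if __name__ == "__main__":
    # Assumption: only /exports is a mountpoint, as in the original question.
    for path, finding in audit(SAMPLE_EXPORTS, is_mountpoint=lambda p: p == "/exports"):
        print(path, finding)
```

On a real server, call audit() with the contents of /etc/exports and the default is_mountpoint so the check uses the live mount table.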


