From acc4cade1891c0b07f3e0016ff3c5b604b042c86 Mon Sep 17 00:00:00 2001 From: neilbrown Date: Thu, 28 Oct 1999 02:27:55 +0000 Subject: [PATCH] Thu Oct 28 11:27:51 EST 1999 Neil Brown * support/include/nfs/export.h addedd NFSEXP_NOSUBTREECHECK * support/nfs/exports.c: added {no_,}subtree_check and changed crossmnt to nohide * utils/exportfs/exports.man: added no_subtree_check and nohide and removed irrelevant stuff from unfsd. * support/export/rmtab.c: rmtab_read didn't quite do the right thing if a pathname from rmtab was a subdirectory of an export-point --- support/export/export.c | 4 +- support/export/rmtab.c | 30 ++- support/include/nfs/export.h | 6 +- support/nfs/exports.c | 12 + utils/exportfs/exports.man | 446 +++++++++++++++++++++-------------- 5 files changed, 302 insertions(+), 196 deletions(-) diff --git a/support/export/export.c b/support/export/export.c index 09efaa8..ef12056 100644 --- a/support/export/export.c +++ b/support/export/export.c @@ -38,14 +38,14 @@ export_read(char *fname) export_create(eep); else { if (exp->m_export.e_flags != eep->e_flags) { - xlog(L_ERROR, "incompatible dupilcated export entries:"); + xlog(L_ERROR, "incompatible duplicated export entries:"); xlog(L_ERROR, "\t%s:%s (0x%x) [IGNORED]", eep->e_hostname, eep->e_path, eep->e_flags); xlog(L_ERROR, "\t%s:%s (0x%x)", exp->m_export.e_hostname, exp->m_export.e_path, exp->m_export.e_flags); } else { - xlog(L_ERROR, "dupilcated export entries:"); + xlog(L_ERROR, "duplicated export entries:"); xlog(L_ERROR, "\t%s:%s", eep->e_hostname, eep->e_path); xlog(L_ERROR, "\t%s:%s", exp->m_export.e_hostname, exp->m_export.e_path); diff --git a/support/export/rmtab.c b/support/export/rmtab.c index 44a0edc..4d0bc02 100644 --- a/support/export/rmtab.c +++ b/support/export/rmtab.c @@ -25,28 +25,32 @@ rmtab_read(void) setrmtabent("r"); while ((rep = getrmtabent(1)) != NULL) { - exp = export_lookup(rep->r_client, rep->r_path); - if (!exp) { - struct exportent *xp; - struct hostent *hp; - int htype; - - htype = client_gettype(rep->r_client); - if (htype == MCL_FQDN - && (hp = gethostbyname (rep->r_client), hp) - && (hp = hostent_dup (hp), - xp = export_allowed (hp, rep->r_path))) { + struct exportent *xp; + struct hostent *hp = NULL; + int htype; + + htype = client_gettype(rep->r_client); + if (htype == MCL_FQDN + && (hp = gethostbyname (rep->r_client)) + && (hp = hostent_dup (hp), + xp = export_allowed (hp, rep->r_path))) { + /* see if the entry already exists, otherwise this was an instantiated + * wild card, and we must add it + */ + exp = export_lookup(rep->r_client, xp->e_path); + if (!exp) { strncpy (xp->e_hostname, rep->r_client, sizeof (xp->e_hostname) - 1); xp->e_hostname[sizeof (xp->e_hostname) -1] = '\0'; exp = export_create(xp); - free (hp); } + free (hp); if (!exp) continue; exp->m_mayexport = 1; - } + } else if (hp) /* export_allowed failed */ + free(hp); } if (errno == EINVAL) { /* Something goes wrong. We need to fix the rmtab diff --git a/support/include/nfs/export.h b/support/include/nfs/export.h index 80d23fd..cc88f0f 100644 --- a/support/include/nfs/export.h +++ b/support/include/nfs/export.h @@ -20,7 +20,9 @@ #define NFSEXP_UIDMAP 0x0040 #define NFSEXP_KERBEROS 0x0080 /* not available */ #define NFSEXP_SUNSECURE 0x0100 -#define NFSEXP_CROSSMNT 0x0200 /* not available */ -#define NFSEXP_ALLFLAGS 0x03FF +#define NFSEXP_CROSSMNT 0x0200 + +#define NFSEXP_NOSUBTREECHECK 0x0400 +#define NFSEXP_ALLFLAGS 0x07FF #endif /* _NSF_EXPORT_H */ diff --git a/support/nfs/exports.c b/support/nfs/exports.c index 21b85be..702df23 100644 --- a/support/nfs/exports.c +++ b/support/nfs/exports.c @@ -141,12 +141,16 @@ putexportent(struct exportent *ep) fprintf(fp, "%ssync,", (ep->e_flags & NFSEXP_ASYNC)? "a" : ""); fprintf(fp, "%swdelay,", (ep->e_flags & NFSEXP_GATHERED_WRITES)? "" : "no_"); + fprintf(fp, "%shide,", (ep->e_flags & NFSEXP_CROSSMNT)? + "no" : ""); fprintf(fp, "%ssecure,", (ep->e_flags & NFSEXP_INSECURE_PORT)? "in" : ""); fprintf(fp, "%sroot_squash,", (ep->e_flags & NFSEXP_ROOTSQUASH)? "" : "no_"); fprintf(fp, "%sall_squash,", (ep->e_flags & NFSEXP_ALLSQUASH)? "" : "no_"); + fprintf(fp, "%ssubtree_check,", (ep->e_flags & NFSEXP_NOSUBTREECHECK)? + "no_" : ""); fprintf(fp, "mapping="); switch (ep->e_maptype) { @@ -281,6 +285,10 @@ parseopts(char *cp, struct exportent *ep) ep->e_flags &= ~NFSEXP_ASYNC; else if (!strcmp(opt, "async")) ep->e_flags |= NFSEXP_ASYNC; + else if (!strcmp(opt, "nohide")) + ep->e_flags |= NFSEXP_CROSSMNT; + else if (!strcmp(opt, "hide")) + ep->e_flags &= ~NFSEXP_CROSSMNT; else if (!strcmp(opt, "wdelay")) ep->e_flags |= NFSEXP_GATHERED_WRITES; else if (!strcmp(opt, "no_wdelay")) @@ -293,6 +301,10 @@ parseopts(char *cp, struct exportent *ep) ep->e_flags |= NFSEXP_ALLSQUASH; else if (strcmp(opt, "no_all_squash") == 0) ep->e_flags &= ~NFSEXP_ALLSQUASH; + else if (strcmp(opt, "subtree_check") == 0) + ep->e_flags &= ~NFSEXP_NOSUBTREECHECK; + else if (strcmp(opt, "no_subtree_check") == 0) + ep->e_flags |= NFSEXP_NOSUBTREECHECK; else if (strncmp(opt, "mapping=", 8) == 0) ep->e_maptype = parsemaptype(opt+8); else if (strcmp(opt, "map_identity") == 0) /* old style */ diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index 2863fea..b256e4f 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man @@ -1,24 +1,26 @@ -.TH EXPORTS 5 "11 August 1997" +.TH EXPORTS 5 "28 October 1999" .UC 5 .SH NAME -exports \- NFS file systems being exported +exports \- NFS file systems being exported (for Kernel based NFS) .SH SYNOPSIS .B /etc/exports .SH DESCRIPTION The file .I /etc/exports serves as the access control list for file systems which may be -exported to NFS clients. It it used by both the NFS mount daemon, +exported to NFS clients. It it used by +.IR exportfs (8) +to give information to .IR mountd (8) -and the NFS file server daemon +and to the kernel based NFS file server daemon .IR nfsd (8). .PP The file format is similar to the SunOS .I exports file, except that several additional options are permitted. Each line -contains a mount point and a list of machine or netgroup names allowed +contains an export point and a list of machine or netgroup names allowed to mount the file system at that point. An optional parenthesized list -of mount parameters may follow each machine name. Blank lines are +of export parameters may follow each machine name. Blank lines are ignored, and a # introduces a comment to the end of the line. Entries may be continued across newlines using a backslash. .PP @@ -26,13 +28,13 @@ be continued across newlines using a backslash. NFS clients may be specified in a number of ways: .IP "single host This is the most common format. You may specify a host either by an -abbreviated name recognizued be the resolver, the fully qualified domain +abbreviated name recognized be the resolver, the fully qualified domain name, or an IP address. .IP "netgroups NIS netgroups may be given as .IR @group . -Only the host part of all -netgroup members is extracted and added to the access list. Empty host +Only the host part of each +netgroup members is consider in checking for membership. Empty host parts or those containing a single dash (\-) are ignored. .IP "wildcards Machine names may contain the wildcard characters \fI*\fR and \fI?\fR. @@ -46,28 +48,28 @@ simultaneously. This is done by specifying an IP address and netmask pair as .IR address/netmask . .TP -.B =public -This is a special ``hostname'' that identifies the given directory name -as the public root directory (see the section on WebNFS in -.BR nfsd (8) -for a discussion of WebNFS and the public root handle). When using this -convention, -.B =public -must be the only entry on this line, and must have no export options -associated with it. Note that this does -.I not -actually export the named directory; you still have to set the exports -options in a separate entry. -.PP -The public root path can also be specified by invoking -.I nfsd -with the -.B \-\-public\-root -option. Multiple specifications of a public root will be ignored. +'''.B =public +'''This is a special ``hostname'' that identifies the given directory name +'''as the public root directory (see the section on WebNFS in +'''.BR nfsd (8) +'''for a discussion of WebNFS and the public root handle). When using this +'''convention, +'''.B =public +'''must be the only entry on this line, and must have no export options +'''associated with it. Note that this does +'''.I not +'''actually export the named directory; you still have to set the exports +'''options in a separate entry. +'''.PP +'''The public root path can also be specified by invoking +'''.I nfsd +'''with the +'''.B \-\-public\-root +'''option. Multiple specifications of a public root will be ignored. .PP .SS General Options -.IR mountd " and " nfsd -understand the following export options: +.IR exportfs +understands the following export options: .TP .IR secure "\*d This option requires that requests originate on an internet port less @@ -75,29 +77,111 @@ than IPPORT_RESERVED (1024). This option is on by default. To turn it off, specify .IR insecure . .TP -.IR ro -Allow only read-only requests on this NFS volume. The default is to -allow write requests as well, which can also be made explicit by using +.IR rw +Allow both read and write requests on this NFS volume. The +default is to disallow any request which changes the filesystem. +This can also be made explicit by using the -.IR rw " option. +.IR ro " option. .TP -.I noaccess -This makes everything below the directory inaccessible for the named -client. This is useful when you want to export a directory hierarchy to -a client, but exclude certain subdirectories. The client's view of a -directory flagged with noaccess is very limited; it is allowed to read -its attributes, and lookup `.' and `..'. These are also the only entries -returned by a readdir. +.IR sync +This option requests that all file writes be committed to disc before +the write request completes. This is required for complete safety of +data in the face of a server crash, but incurs a performance hit. +The default is to allow the server to write the data out whenever it +is ready. This can be explicitly requested with the +.IR async " option. .TP -.IR link_relative -Convert absolute symbolic links (where the link contents start with a -slash) into relative links by prepending the necessary number of ../'s -to get from the directory containing the link to the root on the -server. This has subtle, perhaps questionable, semantics when the file -hierarchy is not mounted at its root. +.IR no_wdelay +This option only has effect if +.I sync +is also set. The NFS server will normally delay committing a write request +to disc slightly if it suspects that another related write request may be in +progress or may arrive soon. This allows multiple write requests to +be committed to disc with the one operation which can improve +performance. If an NFS server received mainly small unrelated +requests, this behaviour could actually reduce performance, so +.IR no_wdelay +is available to turn it off. +The default can be explicitly requested with the +.IR wdelay " option. .TP -.IR link_absolute -Leave all symbolic link as they are. This is the default operation. +.IR nohide +This option is based on the option of the same name provided in IRIX +NFS. Normally, if a server exports two filesystems one of which is +mounted on the other, then the client will have to mount both +filesystems explicitly to get access to them. If it just mounts the +parent, it will see an empty directory at the place where the other +filesystem is mounted. That filesystem is "hidden". + +Setting the +.I nohide +option on a filesystem causes it not to be hidden, and an +appropriately authorised client will be able to move from the parent to +that filesystem without noticing the change. + +However, some NFS clients do not cope well with this situation as, for +instance, it is then possible for two files in the one apparent +filesystem to have the same inode number. + +This option can be very useful in some situations, but it should be +used with due care, and only after confirming that the client system +copes with the situation effectively. + +The option can be explicitly disabled with +.IR hide . +.TP +.IR no_subtree_check +This option disables subtree checking, which has mild security +implications, but can improve reliability is some circumstances. + +If a subdirectory of a filesystem is exported, but the whole +filesystem isn't then whenever a NFS request arrives, the server must +check not only that the accessed file is in the appropriate filesystem +(which is easy) but also that it is in the exported tree (which is +harder). This check is called the +.IR subtree_check . + +In order to perform this check, the server must include some +information about the location of the file in the "filehandle" that is +given to the client. This can cause problems with accessing files that +are renamed while a client has them open (though in many simple cases +it will still work). + +subtree checking is also used to make sure that files inside +directories to which only root has access can only be accessed if the +filesystem is exported with +.I no_root_squash +(see below), even the file itself allows more general access. + +As a general guide, a home directory filesystem, which is normally +exported at the root and may see lots of file renames, should be +exported with subtree checking disabled. A filesystem which is mostly +readonly, and at least doesn't see many file renames (e.g. /usr or +/var) and for which subdirectories may be exported, should probably be +exported with subtree checks enabled. + +The default of having subtree checks enabled, can be explicitly +requested with +.IR subtree_check . +'''.TP +'''.I noaccess +'''This makes everything below the directory inaccessible for the named +'''client. This is useful when you want to export a directory hierarchy to +'''a client, but exclude certain subdirectories. The client's view of a +'''directory flagged with noaccess is very limited; it is allowed to read +'''its attributes, and lookup `.' and `..'. These are also the only entries +'''returned by a readdir. +'''.TP +'''.IR link_relative +'''Convert absolute symbolic links (where the link contents start with a +'''slash) into relative links by prepending the necessary number of ../'s +'''to get from the directory containing the link to the root on the +'''server. This has subtle, perhaps questionable, semantics when the file +'''hierarchy is not mounted at its root. +'''.TP +'''.IR link_absolute +'''Leave all symbolic link as they are. This is the default operation. .SS User ID Mapping .PP .I nfsd @@ -118,58 +202,61 @@ and can be turned off with .IR no_root_squash . .PP By default, -.I nfsd -tries to obtain the anonymous uid and gid by looking up user -.I nobody -in the password file at startup time. If it isn't found, a uid and gid -of -2 (i.e. 65534) is used. These values can also be overridden by +'''.I nfsd +'''tries to obtain the anonymous uid and gid by looking up user +'''.I nobody +'''in the password file at startup time. If it isn't found, a uid and gid +.I exportfs +chooses a uid and gid +of -2 (i.e. 65534) for squashed access. These values can also be overridden by the .IR anonuid " and " anongid options. -.PP -In addition to this, -.I nfsd -lets you specify arbitrary uids and gids that should be mapped to user -nobody as well. Finally, you can map all user requests to the +'''.PP +'''In addition to this, +'''.I nfsd +'''lets you specify arbitrary uids and gids that should be mapped to user +'''nobody as well. +Finally, you can map all user requests to the anonymous uid by specifying the .IR all_squash " option. -.PP -For the benefit of installations where uids differ between different -machines, -.I nfsd -provides several mechanism to dynamically map server uids to client -uids and vice versa: static mapping files, NIS-based mapping, and -.IR ugidd -based -mapping. -.PP -.IR ugidd -based -mapping is enabled with the -.I map_daemon -option, and uses the UGID RPC protocol. For this to work, you have to run -the -.IR ugidd (8) -mapping daemon on the client host. It is the least secure of the three methods, -because by running -.IR ugidd , -everybody can query the client host for a list of valid user names. You -can protect yourself by restricting access to -.I ugidd -to valid hosts only. This can be done by entering the list of valid -hosts into the -.I hosts.allow -or -.I hosts.deny -file. The service name is -.IR ugidd . -For a description of the file's syntax, please read -.IR hosts_access (5). -.PP -Static mapping is enabled by using the -.I map_static -option, which takes a file name as an argument that describes the mapping. -NIS-based mapping queries the client's NIS server to obtain a mapping from -user and group names on the server host to user and group names on the -client. +'''.PP +'''For the benefit of installations where uids differ between different +'''machines, +'''.I nfsd +'''provides several mechanism to dynamically map server uids to client +'''uids and vice versa: static mapping files, NIS-based mapping, and +'''.IR ugidd -based +'''mapping. +'''.PP +'''.IR ugidd -based +'''mapping is enabled with the +'''.I map_daemon +'''option, and uses the UGID RPC protocol. For this to work, you have to run +'''the +'''.IR ugidd (8) +'''mapping daemon on the client host. It is the least secure of the three methods, +'''because by running +'''.IR ugidd , +'''everybody can query the client host for a list of valid user names. You +'''can protect yourself by restricting access to +'''.I ugidd +'''to valid hosts only. This can be done by entering the list of valid +'''hosts into the +'''.I hosts.allow +'''or +'''.I hosts.deny +'''file. The service name is +'''.IR ugidd . +'''For a description of the file's syntax, please read +'''.IR hosts_access (5). +'''.PP +'''Static mapping is enabled by using the +'''.I map_static +'''option, which takes a file name as an argument that describes the mapping. +'''NIS-based mapping queries the client's NIS server to obtain a mapping from +'''user and group names on the server host to user and group names on the +'''client. .PP Here's the complete list of mapping options: .TP @@ -180,14 +267,14 @@ not apply to any other uids that might be equally sensitive, such as user .TP .IR no_root_squash Turn off root squashing. This option is mainly useful for diskless clients. -.TP -.IR squash_uids " and " squash_gids -This option specifies a list of uids or gids that should be subject to -anonymous mapping. A valid list of ids looks like this: -.IP -.IR squash_uids=0-15,20,25-50 -.IP -Usually, your squash lists will look a lot simpler. +'''.TP +'''.IR squash_uids " and " squash_gids +'''This option specifies a list of uids or gids that should be subject to +'''anonymous mapping. A valid list of ids looks like this: +'''.IP +'''.IR squash_uids=0-15,20,25-50 +'''.IP +'''Usually, your squash lists will look a lot simpler. .TP .IR all_squash Map all uids and gids to the anonymous user. Useful for NFS-exported @@ -195,60 +282,60 @@ public FTP directories, news spool directories, etc. The opposite option is .IR no_all_squash , which is the default setting. -.TP -.IR map_daemon -This option turns on dynamic uid/gid mapping. Each uid in an NFS request -will be translated to the equivalent server uid, and each uid in an -NFS reply will be mapped the other way round. This option requires that -.IR rpc.ugidd (8) -runs on the client host. The default setting is -.IR map_identity , -which leaves all uids untouched. The normal squash options apply regardless -of whether dynamic mapping is requested or not. -.TP -.IR map_static -This option enables static mapping. It specifies the name of the file -that describes the uid/gid mapping, e.g. -.IP -.IR map_static=/etc/nfs/foobar.map -.IP -The file's format looks like this -.IP -.nf -.ta +3i -# Mapping for client foobar: -# remote local -uid 0-99 - # squash these -uid 100-500 1000 # map 100-500 to 1000-1500 -gid 0-49 - # squash these -gid 50-100 700 # map 50-100 to 700-750 -.fi -.TP -.IR map_nis -This option enables NIS-based uid/gid mapping. For instance, when -the server encounters the uid 123 on the server, it will obtain the -login name associated with it, and contact the NFS client's NIS server -to obtain the uid the client associates with the name. -.IP -In order to do this, the NFS server must know the client's NIS domain. -This is specified as an argument to the -.I map_nis -options, e.g. -.IP -.I map_nis=foo.com -.IP -Note that it may not be sufficient to simply specify the NIS domain -here; you may have to take additional actions before -.I nfsd -is actually able to contact the server. If your distribution uses -the NYS library, you can specify one or more NIS servers for the -client's domain in -.IR /etc/yp.conf . -If you are using a different NIS library, you may have to obtain a -special -.IR ypbind (8) -daemon that can be configured via -.IR yp.conf . +'''.TP +'''.IR map_daemon +'''This option turns on dynamic uid/gid mapping. Each uid in an NFS request +'''will be translated to the equivalent server uid, and each uid in an +'''NFS reply will be mapped the other way round. This option requires that +'''.IR rpc.ugidd (8) +'''runs on the client host. The default setting is +'''.IR map_identity , +'''which leaves all uids untouched. The normal squash options apply regardless +'''of whether dynamic mapping is requested or not. +'''.TP +'''.IR map_static +'''This option enables static mapping. It specifies the name of the file +'''that describes the uid/gid mapping, e.g. +'''.IP +'''.IR map_static=/etc/nfs/foobar.map +'''.IP +'''The file's format looks like this +'''.IP +'''.nf +'''.ta +3i +'''# Mapping for client foobar: +'''# remote local +'''uid 0-99 - # squash these +'''uid 100-500 1000 # map 100-500 to 1000-1500 +'''gid 0-49 - # squash these +'''gid 50-100 700 # map 50-100 to 700-750 +'''.fi +'''.TP +'''.IR map_nis +'''This option enables NIS-based uid/gid mapping. For instance, when +'''the server encounters the uid 123 on the server, it will obtain the +'''login name associated with it, and contact the NFS client's NIS server +'''to obtain the uid the client associates with the name. +'''.IP +'''In order to do this, the NFS server must know the client's NIS domain. +'''This is specified as an argument to the +'''.I map_nis +'''options, e.g. +'''.IP +'''.I map_nis=foo.com +'''.IP +'''Note that it may not be sufficient to simply specify the NIS domain +'''here; you may have to take additional actions before +'''.I nfsd +'''is actually able to contact the server. If your distribution uses +'''the NYS library, you can specify one or more NIS servers for the +'''client's domain in +'''.IR /etc/yp.conf . +'''If you are using a different NIS library, you may have to obtain a +'''special +'''.IR ypbind (8) +'''daemon that can be configured via +'''.IR yp.conf . .TP .IR anonuid " and " anongid These options explicitly set the uid and gid of the anonymous account. @@ -269,7 +356,7 @@ is supposedly that of user joe). /usr *.local.domain(ro) @trusted(rw) /home/joe pc001(rw,all_squash,anonuid=150,anongid=100) /pub (ro,insecure,all_squash) -/pub/private (noaccess) +'''/pub/private (noaccess) .fi .PP The first line exports the entire filesystem to machines master and trusty. @@ -281,26 +368,27 @@ public FTP directory to every host in the world, executing all requests under the nobody account. The .I insecure option in this entry also allows clients with NFS implementations that -don't use a reserved port for NFS. The last line denies all NFS clients -access to the private directory. -.SH CAVEATS -Unlike other NFS server implementations, this -.I nfsd -allows you to export both a directory and a subdirectory thereof to -the same host, for instance -.IR /usr " and " /usr/X11R6 . -In this case, the mount options of the most specific entry apply. For -instance, when a user on the client host accesses a file in -.IR /usr/X11R6 , -the mount options given in the -.I /usr/X11R6 -entry apply. This is also true when the latter is a wildcard or netgroup -entry. +don't use a reserved port for NFS. +''' The last line denies all NFS clients +'''access to the private directory. +'''.SH CAVEATS +'''Unlike other NFS server implementations, this +'''.I nfsd +'''allows you to export both a directory and a subdirectory thereof to +'''the same host, for instance +'''.IR /usr " and " /usr/X11R6 . +'''In this case, the mount options of the most specific entry apply. For +'''instance, when a user on the client host accesses a file in +'''.IR /usr/X11R6 , +'''the mount options given in the +'''.I /usr/X11R6 +'''entry apply. This is also true when the latter is a wildcard or netgroup +'''entry. .SH FILES /etc/exports -.SH DIAGNOSTICS -An error parsing the file is reported using syslogd(8) as level NOTICE from -a DAEMON whenever nfsd(8) or mountd(8) is started up. Any unknown -host is reported at that time, but often not all hosts are not yet known -to named(8) at boot time, thus as hosts are found they are reported -with the same syslogd(8) parameters. +'''.SH DIAGNOSTICS +'''An error parsing the file is reported using syslogd(8) as level NOTICE from +'''a DAEMON whenever nfsd(8) or mountd(8) is started up. Any unknown +'''host is reported at that time, but often not all hosts are not yet known +'''to named(8) at boot time, thus as hosts are found they are reported +'''with the same syslogd(8) parameters. -- 2.39.2