mountd warns about fs export

Hi,

I cannot find an answer to my question in any documentation or thread.

I have this warning in my logs:

Code:
May 31 19:15:42 ShareServer1 mountd[7902]: Warning: exporting /shares/test exports entire / file system

Is this a real security issue or just information about using the dataset of / when exporting some directory of it?

Thank you very much for your answers!
 
Hi,

can you post your /etc/exports?


This handbook section doesn't talk about this problem as far as I can read.

Also, if it's a ZFS dataset that you are sharing, see info below.
Code:
Refer to zfs-share(8) for a description of exporting ZFS datasets via NFS using the sharenfs ZFS property instead of the exports(5) file.
 
My /etc/exports file is very simple:
Code:
/shares/test -ro -alldirs

The NFS sharing happens in a jail. The root of the jail is a ZFS dataset. I just want to know if this warning is a serious issue. The share works and I cannot access the upper directories. It confuses me.

Do I have to use zfs-share instead of /etc/exports?
 
I just want to know if this warning is a serious issue.
I am no expert to talk about this, sorry.

The root of the jail is a ZFS dataset.
So are you simply sharing that jail's root directory, or does /shares/test have some data that should be accessible?

Do I have to use zfs-share instead of /etc/exports?
Maybe mountd(8) wouldn't warn you about it if you do. I'd always prefer the ZFS way if the content resides in a ZFS dataset.

Sorry for the late reply, somehow I get notified a bit late.
 
As you can see in my exports file I do not export the root directory of my jail. I export the /shares/test directory of my jail. There is the data.

Yes, probably the best practice is to use ZFS in this case.
Now I read the following: exports() says you should use zfs-share because it automatically restricts the export on the given dataset. It is not guaranteed that a directory can securely be exported within a default export. This is a very strange thing. You must use mount points (in ZFS datasets).

Then I have to use ZFS also in my jail.

Thank you for your help working it out!
 
Now I read the following: exports() says you should use zfs-share because it automatically restricts the export on the given dataset. It is not guaranteed that a directory can securely be exported within a default export. This is a very strange thing. You must use mount points (in ZFS datasets).
I didn't understand that part. I had the chance to use NFS with the ZFS nfsshare property and, IIRC, it was automatically sharing that dataset over the network after boot. I don't remember the details properly, but the handbook guided me from start to finish.

Thank you for your help working it out!
You are welcome, good luck!
 
What do you not understand? Every dataset is mounted on a mountpoint. That is needed for the export because the system cannot restrict to directories. It needs its own "devices" (in the case of ZFS, those are datasets). I had one mistake in my thinking: you do not need the command zfs-share (by the way: legacy). You only need datasets. They can still be exported via /etc/exports. I do not have warnings anymore.

At least this is my understanding. I hope that helps.
 
Is this a real security issue or just a information about using the dataset of / when exporting some directory of it?
The NFS sharing happens in a jail. The root of the jail is a ZFS dataset. I just want to know if this warning is a serious issue. The share works and I cannot access the upper directories. It confuses me.
The warning can be safely ignored. It is a false positive warning.

The warning is triggered by mountd.c because there seems to be no logic implemented to distinguish between real and false entire-file-system shared mount point settings.

If you have made sure the root file system is not exposed, and you want the warning silenced, use mountd_flags="-A ..." in addition to /etc/defaults/rc.conf: mountd_flags.

My /etc/exports file is very simple:
/shares/test -ro -alldirs
The potentially problematic flag in your /etc/exports is "-alldirs".

If "-alldirs" is set on a regular directory on one file system, here /share/test, then the entire "/" root file system is accessible. To prevent this, remove "-alldirs". mountd(8) still complains, but any attempt to mount parent directories (/share, /) should be refused with permission denied.

See exports(5)
Code:
...
     There are three forms of the directory path specification.
     ...
     The second is to specify the pathname of the root of the file system
     followed by the -alldirs flag; this form allows the host(s) to mount at
     any point within the file system, including regular files if the -r
     option is used on mountd(8).
     ...

"-alldirs" in a "sharenfs" set property has no effect on parent datasets (i.e. zroot/share, zroot), since every dataset is a separate file system. In this configuration mountd(8) won't complain about exporting an entire file system.

When using "sharenfs" on datasets, make sure to remove any exported mount entries from /etc/exports.

"sharenfs" set properties have an immediate effect by mountd restarting automatically.

In case you weren't aware, "sharenfs" exports are registered in the /etc/zfs/exports file.
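
The distinction drawn in the answer above can be checked mechanically. The following is an added example, not part of the thread and not mountd's own logic: it reads exports(5)-style lines and a list of mount points and reports, per exported directory, whether it is the root of its own file system or a subdirectory of a larger one, with or without -alldirs. The function names, the mount list and the sample exports lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Mount list and exports lines are constructed samples; on a
# real host the mount points would come from mount(8) or `zfs list`.

# Print the longest mount point (read from stdin) that contains path $1.
containing_fs() {
    path=$1 best=
    while IFS= read -r mp; do
        case "$path/" in
            "${mp%/}/"*) [ "${#mp}" -gt "${#best}" ] && best=$mp ;;
        esac
    done
    printf '%s\n' "$best"
}

# audit_exports EXPORTS MOUNTS: one finding per exported directory.
audit_exports() {
    set -f                                  # no globbing while splitting lines
    while IFS= read -r line; do
        case "$line" in ''|'#'*|V4:*) continue ;; esac
        alldirs=no
        case " $line " in *" -alldirs "*) alldirs=yes ;; esac
        for field in $line; do
            case "$field" in /*) ;; *) continue ;; esac   # directories only
            fs=$(containing_fs "$field" < "$2")
            if [ "$fs" = "$field" ]; then
                echo "OK   $field is the root of its own file system"
            elif [ "$alldirs" = yes ]; then
                echo "RISK $field: -alldirs on a subdirectory of $fs"
            else
                echo "WARN $field is a subdirectory of $fs"
            fi
        done
    done < "$1"
    set +f
}

demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' / /shares/data > "$tmp/mounts"   # constructed mount points
    cat > "$tmp/exports" <<'EOF'
/shares/test -ro -alldirs
/shares/pub -ro
/shares/data -ro -alldirs
EOF
    audit_exports "$tmp/exports" "$tmp/mounts"
    rm -rf "$tmp"
}
demo
```

WARN lines correspond to the case where mountd(8) logs the "exports entire ... file system" warning; RISK lines are the -alldirs case the answer describes as exposing the parent file system.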
 