Solved NFSv4 exports confusion

[bwhaley]

Hi, quick question about the NFSv4 tree root option in /etc/exports. I am playing with NFSv4 and confused about the V4: prefix. I have a simple /etc/exports such as:

/tmp
V4: / -network 172.28.0.0/16

I mount from an NFSv4 client:

mount server:/ /mnt

I thought I should only see /mnt/var, but actually /mnt has rw access to everything in / on the server. root squashing works as expected, and / behaves as a full fledged export.

The docs (man exports) say:

For the third form which specifies the NFSv4 tree root, the directory
path specifies the location within the server's file system tree which is
the root of the NFSv4 tree. There can only be one NFSv4 root directory
per server. As such, all entries of this form must specify the same
directory path. For file systems other than ZFS, this location can be
any directory and does not need to be within an exported file system. If
it is not in an exported file system, a very limited set of operations
are permitted, so that an NFSv4 client can traverse the tree to an
exported file system. Although parts of the NFSv4 tree can be non-
exported, the entire NFSv4 tree must consist of local file systems
capable of being exported via NFS. All ZFS file systems in the subtree
below the NFSv4 tree root must be exported. NFSv4 does not use the mount
protocol and does permit clients to cross server mount point boundaries,
although not all clients are capable of crossing the mount points.

Note "a very limited set of operations are permitted, so that an NFSv4 client can traverse the tree to an exported file system." So why do I have read/write for the full / filesystem on the server?

 

[kpa]

That's because you're setting the root of the NFSv4 tree at the / directory on the V4: line.

 

[bwhaley]

The docs also say:

The third form has the string ``V4:'' followed by a single absolute path name, to specify the NFSv4 tree root. This line does not export any file system, but simply marks where the root of the server's directory tree is for NFSv4 clients. The exported file systems for NFSv4 are specified via the other lines in the exports file in the same way as for NFSv2 and NFSv3.

And it's true that if you have a single line in /etc/exports prefixed with V4: /, it's possible to mount server:/ but if you list it you'll see


ls: reading directory 'freebsd/': Input/output error


But when you add any other export, such as /tmp, then suddenly you can mount anything under /. Shouldn't only other exported filesystems be available?

 

[bwhaley]

For the sake of posterity, I ended up posting this query to the mailing list and had a reply from Rick Macklem, the author of NFS for FreeBSD. See my question and his response here: https://lists.freebsd.org/pipermail/freebsd-net/2016-October/046368.html

In short: the pseudo root filesystem described in the RFC was not implemented.