[Bug 191218] mountd: can't change attributes for XXXXXXX: Invali

Board: FB_bugs, posted 2014/06/21 05:01
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191218

Xin LI <delphij@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |delphij@FreeBSD.org

--- Comment #4 from Xin LI <delphij@FreeBSD.org> ---
(In reply to yaneurabeya from comment #3)
> (In reply to Xin LI from comment #2)
> > Exporting subdirectories of a mountpoint is problematic and this is a well
> > known limitation of the protocol.  I don't consider this as a security issue
> > because the administrator is supposed to know what they are doing.
>
> The security concern was over the fact that mountd is clearly reporting an
> error in the code, but hiding the fact that it's actually an error; unless
> the administrator is looking for errors from mountd, they have absolutely
> _no_ idea that the path is actually exported.

mountd has (correctly) reported that it was unable to change the export
attributes. We could, of course, use a better error message, but if the
administrator chooses to ignore error messages, there is nothing we can do
about it.

Also, exporting subdirectories just plain doesn't work because the NFS client
can still request anything in the mountpoint. A properly implemented client
does not allow it, but an attacker does not have to use a properly implemented
one. This is well known and relying on this security model is just plain wrong.
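
An audit for the situation discussed above, as an added example that is not part of the original message or of FreeBSD's code: it lists exports(5) entries whose directory is a subdirectory of a file system rather than its mount point. The sample exports text and mount list are constructed, and the function names are hypothetical.

```python
import posixpath

def exported_paths(exports_text):
    """Return the directory paths named at the start of each exports(5) entry."""
    paths = []
    # Fold backslash-continued lines into one logical entry first.
    for line in exports_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("V4:"):
            continue  # blank, comment, or NFSv4 root line (not audited here)
        for token in line.split():
            if not token.startswith("/"):
                break  # first option or host ends the directory list
            paths.append(posixpath.normpath(token))
    return paths

def containing_mount(path, mount_points):
    """Return the longest mount point that contains path."""
    best = "/"
    for mp in map(posixpath.normpath, mount_points):
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) > len(best):
            best = mp
    return best

def subdirectory_exports(exports_text, mount_points):
    """Return (exported_path, file_system) pairs where the export is not a mount point."""
    findings = []
    for path in exported_paths(exports_text):
        fs = containing_mount(path, mount_points)
        if fs != path:
            findings.append((path, fs))
    return findings

# Constructed sample input, not taken from the bug report.
SAMPLE_EXPORTS = """\
# constructed sample
/usr/home -maproot=root 192.0.2.10
/data/projects/alpha /data/projects/beta \\
    -network 192.0.2.0 -mask 255.255.255.0
V4: /
"""
SAMPLE_MOUNTS = ["/", "/usr/home", "/data"]  # assumed mount table

if __name__ == "__main__":
    for path, fs in subdirectory_exports(SAMPLE_EXPORTS, SAMPLE_MOUNTS):
        print(f"{path}: subdirectory of {fs}; clients of this export can reach all of {fs}")
```

On a live host the mount list would come from the system's mount table instead of the constructed `SAMPLE_MOUNTS`.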