Newsgroups: comp.protocols.nfs
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!snorkelwacker.mit.edu!ira.uka.de!!krey
From: krey@ira.uka.de (Andreas Krey)
Subject: Re: Why not export /fs /fs/subdir?
Message-ID: <1991Jun26.083340.16200@ira.uka.de>
Sender: krey@i30fs1 (Andreas Krey)
Organization: University of Karlsruhe, FRG
References: <thurlow.677210173@convex.convex.com> <1991Jun18.040038.15141@Think.COM> <DROMS.91Jun25103646@regulus.bucknell.edu>
Date: Wed, 26 Jun 1991 08:33:40 GMT
Lines: 58

In article <DROMS.91Jun25103646@regulus.bucknell.edu>, droms@regulus.bucknell.edu (Ralph E. Droms) writes:
|> In article <10284@star.cs.vu.nl> sater@cs.vu.nl (Hans van Staveren) writes:
|>    >
|>    >Have you tried this anywhere and had it give you access to
|>    >other filesystems?  I'd call systems like that "broken".
|>    >
|>    >Rob T
|> 
|>    We have tried it. I can assure you that at least SunOS 4.1.1 NFS servers
|>    are broken in the sense you call it.
|> 
|> Perhaps Rob T and I are not talking about the same situation.  Suppose
|> I have the following filesystem subtree on an NFS server S (where '*'
|> is some arbitrary path):
|> 
|>                *
|>               / \
|>              /   \
|>             A     B
|> 
|> and the export list on S:
|> 
|> */A	-access=A
|> */B	-access=B
|> 
|> I can handcraft a program that issues NFS requests (through callrpc)
|> from A to do:
|> 
|>      fh = mount("*/A");
|>      fh = lookup(fh, "..");
|>      fh = lookup(fh, "B");
|>      fh = lookup(fh, "bar");
|>      result = read(fh, buf);
|> 
|> buf now contains the contents of "*/B/bar", although A has not mounted
|> and S has explicitly exported "*/B" to be inaccessible to client A.
|> 
|> This experiment was run between a Sun 4/20 client and a Sun 3/160
|> client, both running SunOS 4.1 (*not* 4.1.1).
|> 
|> The exported file system information is managed by the mount daemon
|> and protocol.  How would the NFS server learn of that information?
|> 
|> --
|> - Ralph Droms                 Computer Science Department
|>   droms@bucknell.edu          323 Dana Engineering
|>                               Bucknell University
|>   (717) 524-1145              Lewisburg, PA 17837

Important addition: On the server, A, B, and the directory named '*' must
be on the same disk partition. NFS only does lookups within a single
disk filesystem, so it always exports a full DISK filesystem even if
the mount point is not the root of that filesystem.

-- 
Andy

4/1/91 is gone and 4/1/92 yet to come. Applies to this article.
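
[Added example, not part of the original posts and not Sun's code: a toy model of the behaviour discussed in this thread, showing the export list consulted only at mount time versus a server that also checks every lookup and read against the exported subtree. The path `/star` (standing in for '*'), the file `foo`, the `NfsServer` class and its `check_exports` switch are assumptions, and using the path as the file handle is a simplification.]

```python
"""Toy model (constructed data) of handles valid across one disk filesystem."""

# Constructed tree on ONE server partition; "/star" stands in for '*'.
TREE = {
    "/star": {"A": "/star/A", "B": "/star/B"},
    "/star/A": {"..": "/star", "foo": "/star/A/foo"},
    "/star/B": {"..": "/star", "bar": "/star/B/bar"},
}
FILES = {"/star/A/foo": b"data for A", "/star/B/bar": b"data for B"}
# Export list as in the post: */A -access=A, */B -access=B
EXPORTS = {"/star/A": {"A"}, "/star/B": {"B"}}

class AccessDenied(Exception):
    pass

def mount(client, path):
    """Mount daemon: in the weak model, the only place EXPORTS is consulted."""
    if client not in EXPORTS.get(path, set()):
        raise AccessDenied(path)
    return path  # handle == path here (simplification; real handles are opaque)

def allowed(client, path):
    """True if path lies inside an export that grants access to client."""
    return any(client in hosts and (path == root or path.startswith(root + "/"))
               for root, hosts in EXPORTS.items())

class NfsServer:
    def __init__(self, check_exports):
        self.check_exports = check_exports  # hypothetical switch for comparison

    def lookup(self, client, fh, name):
        target = TREE[fh][name]
        # Hardened model: refuse any handle that leaves the client's exports.
        if self.check_exports and not allowed(client, target):
            raise AccessDenied(target)
        return target

    def read(self, client, fh):
        if self.check_exports and not allowed(client, fh):
            raise AccessDenied(fh)
        return FILES[fh]

def walk(server, client="A"):
    """The request sequence quoted in the post, issued by client A."""
    fh = mount(client, "/star/A")
    for name in ("..", "B", "bar"):
        fh = server.lookup(client, fh, name)
    return server.read(client, fh)
```

With `check_exports=False` the walk returns the contents of `/star/B/bar`; with `check_exports=True` it is refused at the first `..` lookup, while lookups inside `/star/A` still succeed.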
