caxwgk@relay.eu.net (Wolfgang Kuehnel) (06/27/90)
From article <9285@brazos.Rice.edu>, by km@mathcs.emory.edu:
> Does the restriction that you cannot export both a tree and a subtree on
> the same filesystem still apply? If so does this mean that you can't
> export a whole partition to one machine and a restricted piece to another?
> What's the reason for this restriction?

In SunOS 4.1 this restriction still exists. (In my opinion this restriction is not a restriction in everyday use.)

You have to distinguish between exporting a filesystem (making it accessible to the clients) by the host and mounting the filesystem by the client(s). Of course you can export a whole filesystem and mount subtrees of that filesystem on specific clients. (For example, export the /home partition and (auto-)mount the home directories of users on the machine they are actually logged in on.)

For more security, you can export a filesystem read-only by the "ro" option, specifying read/write access for trusted clients by the option "rw=clientname". I think this is almost what you want to do.

Hope that helps and I didn't waste your time.
guy@uunet.uu.net (Guy Harris) (06/28/90)
|Does the restriction that you cannot export both a tree and a subtree on
|the same filesystem still apply?

Yes.

|If so does this mean that you can't export a whole partition to one
|machine and a restricted piece to another?

Yes.

|What's the reason for this restriction?

Because, even if that restriction didn't exist, you *still* couldn't securely export a whole partition to one machine and a restricted piece to another, if your intent was to restrict the access of the "another" to the rest of the tree. The "another" could walk up the directory tree and get out of its restricted piece.... (The code might have to implement something other than standard UNIX semantics for doing ".." up above a mount point, but that's just a Simple Matter of Programming....)
jay@silence.princeton.nj.us (Jay Plett) (06/29/90)
In article <9394@brazos.Rice.edu>, auspex!guy@uunet.uu.net (Guy Harris) writes:
> Because, even if that restriction didn't exist, you *still* couldn't
> securely export a whole partition to one machine and a restricted piece to
> another, if your intent was to restrict the access of the "another" to the
> rest of the tree. The "another" could walk up the directory tree and get
> out of its restricted piece....

You can do that anyway. I tried running Jan-Simon Pendry's amd (an automounter) on DS3100s. It managed to exercise some bug in Ultrix where things like pwd wouldn't work because the kernel didn't recognize the mount-point while walking up through it. If a server (Sun, Convex, whatever) exports a sub-tree of a filesystem, you could have amd mount this subtree on a DS3100, then do "cd /mount/point" followed by "cd .." and walk right up into the server's parent of the exported directory. Cute. Just one of the reasons we found for getting rid of the DS3100s.

Still, if Ultrix can do it, no doubt any other O/S can be coaxed to do it as well, given kernel sources.

	...jay
jms@tardis.tymnet.com (Joe Smith) (07/03/90)
In article <9285@brazos.Rice.edu> km@mathcs.emory.edu writes:
>Does the restriction that you cannot export both a tree and a subtree on
>the same filesystem still apply? If so does this mean that you can't
>export a whole partition to one machine and a restricted piece to another?
>What's the reason for this restriction?

The reasons may have to do with the following:

Q: Given that one directory is to be read/write for a particular client and is to be read-only for everyone else, and given the inode of a particular file, is this file part of the read/write directory or not?

A: Due to the fact that files can have hard links, which allow the same file to be accessed by potentially different names under the same or different directories, the answer can be both "yes" and "no" simultaneously. The only thing that can be determined is whether or not a given file is on the same file system (disk partition, NFS mount) as another.

I'm sure there are other reasons, too.

Joe Smith (408)922-6220       | SMTP: jms@tardis.tymnet.com or jms@gemini.tymnet.com
BT Tymnet Tech Services       | UUCP: ...!{ames,pyramid}!oliveb!tymix!tardis!jms
PO Box 49019, MS-C41          | BIX: smithjoe | 12 PDP-10s still running! "POPJ P,"
San Jose, CA 95161-9019       | humorous disclaimer: "My Amiga speaks for me."
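The two arguments made above, Guy Harris's ".." walk out of an exported subtree and Joe Smith's hard-link ambiguity, as an added Python example that is not code from this thread or from any real NFS implementation. It models a server whose file handles are (fsid, inode) pairs and compares two constructed server-side policies: "fsid_only", which accepts any handle on the exported partition (the one test Joe Smith says is always answerable), and "subtree", which additionally requires that some name of the inode lie under the export point. The directory layout, inode numbers, fsid value and policy names are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Handle = Tuple[int, int]  # (fsid, inode number): all an NFS client holds for a file

@dataclass
class Inode:
    ino: int
    is_dir: bool
    parent: Optional[int] = None                           # '..' target (directories)
    entries: Dict[str, int] = field(default_factory=dict)  # name -> ino (directories)

class Filesystem:
    """One partition: one fsid plus an inode table; hard links give one inode several names."""
    def __init__(self, fsid: int):
        self.fsid, self.inodes, self._next = fsid, {}, 2   # assumption: root is inode 2
        self.root = self.add(None, "", True)
        self.inodes[self.root].parent = self.root          # '..' of the root is itself

    def add(self, parent: Optional[int], name: str, is_dir: bool) -> int:
        ino, self._next = self._next, self._next + 1       # create file/dir `name` under `parent`
        self.inodes[ino] = Inode(ino, is_dir, parent if is_dir else None)
        if parent is not None:
            self.inodes[parent].entries[name] = ino
        return ino

    def link(self, ino: int, parent: int, name: str) -> None:
        self.inodes[parent].entries[name] = ino            # hard link: a second name, same inode

    def resolve(self, path: str) -> int:
        ino = self.root
        for part in filter(None, path.split("/")):
            ino = self.inodes[ino].entries[part]
        return ino

    def paths_of(self, target: int) -> List[str]:
        """Every path under which an inode is reachable from the root."""
        found, stack = [], [(self.root, "")]
        while stack:
            ino, prefix = stack.pop()
            if ino == target:
                found.append(prefix or "/")
            stack += [(c, prefix + "/" + n) for n, c in self.inodes[ino].entries.items()]
        return sorted(found)

class Server:
    """Exports one directory.  'fsid_only' accepts any handle on the exported partition;
    'subtree' also demands that at least one name of the inode lie under the export."""
    def __init__(self, fs: Filesystem, export: str, policy: str):
        self.fs, self.export, self.policy = fs, export.rstrip("/") or "/", policy

    def root_handle(self) -> Handle:
        return (self.fs.fsid, self.fs.resolve(self.export))

    def inside_export(self, path: str) -> bool:
        return self.export == "/" or path == self.export or path.startswith(self.export + "/")

    def _check(self, h: Handle) -> None:
        fsid, ino = h
        if fsid != self.fs.fsid or ino not in self.fs.inodes:
            raise PermissionError("stale file handle")
        if self.policy == "subtree" and not any(map(self.inside_export, self.fs.paths_of(ino))):
            raise PermissionError("inode has no name under the export")

    def lookup(self, h: Handle, name: str) -> Handle:
        """NFS LOOKUP with plain UNIX '..' semantics: '..' of the export point is its real parent."""
        self._check(h)
        node = self.fs.inodes[h[1]]
        if not node.is_dir:
            raise NotADirectoryError(name)
        new = (h[0], node.parent if name == ".." else node.entries[name])
        self._check(new)
        return new

def build_sample_fs() -> Filesystem:
    """Constructed layout: /private/secret.txt, /pub/readme.txt, and a hard
    link /pub/shared.txt to the same inode as /private/secret.txt."""
    fs = Filesystem(fsid=0x1234)
    private, pub = fs.add(fs.root, "private", True), fs.add(fs.root, "pub", True)
    secret = fs.add(private, "secret.txt", False)
    fs.add(pub, "readme.txt", False)
    fs.link(secret, pub, "shared.txt")
    return fs

def reaches_secret(policy: str, *names: str) -> bool:
    """Mount /pub under `policy`, 'cd' through `names`, report whether the client
    ends up holding the handle of /private/secret.txt (False if the server refused)."""
    fs = build_sample_fs()
    srv, h = Server(fs, "/pub", policy), None
    try:
        h = srv.root_handle()
        for n in names:
            h = srv.lookup(h, n)
    except PermissionError:
        return False
    return h[1] == fs.resolve("/private/secret.txt")

def hardlink_verdicts() -> Dict[str, bool]:
    """Joe Smith's question, answered once per name the secret inode carries."""
    srv = Server(build_sample_fs(), "/pub", "subtree")
    return {p: srv.inside_export(p) for p in srv.fs.paths_of(srv.fs.resolve("/private/secret.txt"))}

if __name__ == "__main__":
    print("cd .. escape:", {p: reaches_secret(p, "..", "private", "secret.txt") for p in ("fsid_only", "subtree")})
    print("secret via /pub/shared.txt under subtree check:", reaches_secret("subtree", "shared.txt"))
    print("per-name verdicts for one inode:", hardlink_verdicts())
```

Under the fsid-only policy the client walks ".." above /pub and reads /private/secret.txt, which is Guy Harris's objection; the subtree check refuses the ".." step, but it still hands out the handle of the very same inode through its /pub/shared.txt name, because the server sees (fsid, inode), never the name the client used. That is the "yes and no at the same time" Joe Smith describes, and it is why the check is only as strong as the absence of hard links across the export boundary.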
meth@ztivax.siemens.com (Wilhelm Methfessel) (07/31/90)
In article <9469@brazos.Rice.edu> jay@silence.princeton.nj.us (Jay Plett) writes:
>You can do that anyway. I tried running Jan-Simon Pendry's amd (an
>automounter) on DS3100s. It managed to exercise some bug in Ultrix where
>things like pwd wouldn't work because the kernel didn't recognize the
>mount-point while walking up through it. If a server (Sun, Convex,
>whatever) exports a sub-tree of a filesystem, you could have amd mount
>this subtree on a DS3100, then do "cd /mount/point" followed by "cd .."
>and walk right up into the server's parent of the exported directory.
>Cute. Just one of the reasons we found for getting rid of the DS3100s.
>Still, if Ultrix can do it, no doubt any other O/S can be coaxed to do it
>as well, given kernel sources.

We use a DEC 5810 with ULTRIX 3.1c as server, which exports separate subtrees to several Suns (hardmounted). When I do "cd /mount/point" followed by "cd .." on a Sun I cannot walk up to the server's parent, but to the /root of the Sun! I don't know if this is really done by ULTRIX or by the Suns. But this configuration does exactly what we want it to do.

Wilhelm Methfessel          UUCP:     uunet|mcsun!unido!ztivax!meth
Siemens AG, ZFE IO 2                  meth@ztivax.UUCP
8000 Muenchen 83            Internet: meth@ztivax.siemens.com
Otto Hahn Ring 6            Phone:    +49 89 6363894