Bug 74900
Summary: | Wildcard exports export too much | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Jason Tibbitts <j> |
Component: | nfs-utils | Assignee: | Stephen Tweedie <sct> |
Status: | CLOSED UPSTREAM | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.3 | Keywords: | Security |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2003-03-28 12:52:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jason Tibbitts
2002-10-02 17:52:35 UTC
I suspect that this is a documentation bug rather than an implementation bug --- I think the actual behaviour is intended. I'll check upstream to see whether it's the documentation or the implementation which needs fixing, but I expect that many, many sites rely on the existing behaviour. That would be somewhat disturbing, as it's equally possible that sites think they're getting the documented behavior and are insecure. If not fixed, there would seem to be no way to get something like the documented behavior. Some possibilities: Add an additional wildcard that gives the documented behavior. Supporting a richer pattern matching language (regexp or somesuch). Allow an explicit "not export to subdomains" option somehow. Or just nudge me in the proper direction to fix this locally. I don't like to carry around local patches but in this case I really do have to have this functionality. I pushed this upstream to get people to discuss whether the implementation or the documentation is correct here, but there's been no response so far. I'm going to push the bug to NEEDINFO until I get some idea of which is the right way to go, since there's no way we can depart from upstream behaviour in this case. nfs-utils 1.0.2 effectively resolves this by changing the documentation to match the current behavior. Unfortunately it doesn't document what happens when more than one wildcard matches a host, or how to explicitly not export a host that is otherwise matched. (Orthogonality suggests an empty option list, but this doesn't work.) The best I can come up with is the following, to export to all hosts except those that start with 't': /export *.dhcp.math.uh.edu(ro,all_squash) *.math.uh.edu(rw) but that still gives read access to some files. So I suppose this bug should be closed, as there's no real bug per se once 1.0.2+ get into Red Hat. I'll try to pursue the missing functionality issue directly with the NFS folks. |