# NFSv4 exports client mounting dirs I didn't mean to share



## big_girl (Jun 16, 2016)

Hi,

I'm a little confused about NFSv4 exports (both the server and client are 10.1-REL). I want to export a subset of dirs in the root filesystem of the server, but not all of them. 

This is my /etc/exports file-

```
/etc /usr /bin /sbin /root   -ro   -maproot=nobody:nogroup   -network   -10.0.200.100
V4: /
```

When I do this, perhaps not surprisingly (considering the last line, "V4: /", seems to export the root filesystem), the client can mount directories I didn't intend to export, like /boot. 

When I try something like-

```
V4: /etc   -ro   -maproot=nobody:nogroup   -network   -10.0.200.100
```

...nothing at all gets exported. 

Any help would be really appreciated. 

-bg


----------



## kpa (Jun 16, 2016)

From exports(5):


```
The third form has the string ``V4:'' followed by a
     single absolute path name, to specify the NFSv4 tree root.  This line
     does not export any file system, but simply marks where the root of the
     server's directory tree is for NFSv4 clients.  The exported file systems
     for NFSv4 are specified via the other lines in the exports file in the
     same way as for NFSv2 and NFSv3.
```


----------



## big_girl (Jun 16, 2016)

I see. So, that last line doesn't actually export anything. Very helpful point. I was confused between the docs and various threads I found as to what that last line (V4: /) actually does, so please bear with me..

But the other question remains - why are other dirs, such as /boot, which I didn't intend to export (but obviously I did!) mountable from the client?


----------



## big_girl (Jun 17, 2016)

Update: I noticed today when using a simplified /etc/exports file like this one:


```
/   -ro   -maproot=nobody:nogroup   -network   -10.0.200.100
V4: /
```

...that any client with any IP address is able to mount this share using `mount_nfs -o nfsv4` ...etc.

I expected that only a client with an IP of 10.0.200.100 would be able to mount the share, but no, anyone can mount it. 

So, why have the `-network` parameter in /etc/exports?


----------



## SirDice (Jun 21, 2016)

The first line only applies to NFSv2 and NFSv3. It does not apply to NFSv4.


----------



## big_girl (Jun 21, 2016)

Maybe I should rephrase my question.

I would like to export these directories: 
/etc /usr /bin /sbin /root


I would like to export them over NFSv4, only. 

I would like to export them to one IP, only. That is, 10.0.200.100.

What should my /etc/exports look like?


----------



## big_girl (Jul 27, 2016)

gpatrick said:


> Maybe (or not) this may help:
> https://forums.freebsd.org/threads/23526/



Thanks for that. I've seen that thread and read it many times. I'm beginning to think NFSv4 on FreeBSD doesn't really have any security at all unless paired with Kerberos and ACLs. (If anyone takes issue with that statement, please post your working /etc/exports for me to test).


----------



## Murph (Jul 27, 2016)

big_girl said:


> Thanks for that. I've seen that thread and read it many times. I'm beginning to think NFSv4 on FreeBSD doesn't really have any security at all unless paired with Kerberos and ACLs. (If anyone takes issue with that statement, please post your working /etc/exports for me to test).



NFS historically made essentially only minimal effort towards security (basic IP address host ACL per export, map root to nobody).  It comes from a model where both client and server were trusted (e.g. a large Unix network under common administration, a trusted network, and with most users generally not having any form of root access), and works extremely well in that model.  By not really concerning itself with security, it is fast and lightweight.  "Secure NFS" does exist for those who really need it.

In a controlled environment (e.g. a corporate network, the internal-only nets of an ISP, or a closed SAN), the basic insecure NFS still works very nicely, doing what it has done extremely well for decades.

IPSec can be a useful thing to pair with it if the hosts are trusted, but the network is not trusted.


----------



## coolhandluke (Jul 28, 2016)

In addition to what Murph pointed out, note that even a very basic firewall ruleset running on the server would prevent any unintended clients from being able to access your exported filesystems; cf. "defense in depth".

It's the reason every server I manage has a host-based firewall active, even those on closed networks and/or behind a firewall (and, in some cases, a few firewalls).

There's a reason NFS is sometimes said to be an acronym for "No F**king Security".


----------

