restrict a host's access to a single subdirectory within a filesystem, though other systems can access the entire filesystem - NFS


  1. restrict a host's access to a single subdirectory within a filesystem, though other systems can access the entire filesystem

    Hi,

    I'm using Solaris 8...

    Is there a way to restrict a single host's access to an NFS shared
    filesystem to ONLY a single subdirectory within that filesystem even
    though other hosts have access to the entire filesystem?

    eg.

    Host "hostN" contains and shares via NFS the filesystem.

    /export       NFS shared filesystem (ie. hostN shares it)
                  hosts hostA and hostB have rw access to the
                  filesystem when they mount it.

    /export/temp  a subdirectory within the filesystem.
                  I want hostC to have access to only this
                  subdir. (ro or rw or whatever.)

    Thanks.


  2. Re: restrict a host's access to a single subdirectory within a filesystem, though other systems can access the entire filesystem

    harris wrote:

    > Is there a way to restrict a single host's access to an NFS shared
    > filesystem to ONLY a single subdirectory within that filesystem even
    > though other hosts have access to the entire filesystem?


    Traditionally you were not allowed to export a subdirectory of another
    export point.

    I believe you could export multiple directories from a host file system.

    Given your example, normally you would export /export. Instead you
    could separately export

    /export/temp
    /export/x
    /export/y
    /export/z
    etc.

    That is, all directories in /export.

    NFS has been changing, so this may not be true anymore, and I
    may have remembered it wrong.

    -- glen


  3. Re: restrict a host's access to a single subdirectory within a filesystem, though other systems can access the entire filesystem



    harris wrote:
    > Hi,
    >
    > I'm using Solaris 8...
    >
    > Is there a way to restrict a single host's access to an NFS shared
    > filesystem to ONLY a single subdirectory within that filesystem even
    > though other hosts have access to the entire filesystem?
    >
    > eg.
    >
    > Host "hostN" contains and shares via NFS the filesystem.
    >
    > /export NFS shared filesystem (ie. hostN shares it)
    > hosts hostA and hostB have rw access to the
    > filesystem when they mount it.
    >
    > /export/temp a subdirectory within the filesystem.
    > I want hostC to have access to only this
    > subdir. (ro or rw or whatever.)


    Solaris does not permit the export of an ancestor and descendent
    directory that are in the same file system.

    Note that even if an NFS server allowed that, the semi-skilled attacker
    could produce a file handle that allows hostA in your example to
    access /export/temp. And some NFS servers do allow the export of
    an ancestor and descendent directory, but if the client mounts the
    ancestor, the export permissions of the descendent are ignored.

    >
    > Thanks.
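
Added example (not part of the thread or any poster's own code): the per-subdirectory layout suggested in reply 2, generated as Solaris `share` lines, plus a check for the ancestor/descendant overlap that reply 3 says Solaris does not permit. `ro` for hostC and the function names `gen_shares` and `find_nested` are assumptions; the check compares paths only and does not test whether they sit on the same file system.

```shell
#!/bin/sh
# Added example: host names and the /export layout come from the thread;
# ro for hostC and the function names are assumptions.

# gen_shares PARENT FULL_HOSTS LIMITED_HOST LIMITED_SUBDIR
# Print one share line per immediate subdirectory of PARENT. PARENT itself
# is never shared, so no emitted share is an ancestor of another.
gen_shares() {
    parent=${1%/}; full=$2; limited=$3; limited_dir=$4
    for d in "$parent"/*/; do
        [ -d "$d" ] || continue            # glob matched nothing
        d=${d%/}
        opts="rw=$full"
        # Only the chosen subdirectory names the restricted host.
        [ "$d" = "$parent/$limited_dir" ] && opts="$opts,ro=$limited"
        printf 'share -F nfs -o %s %s\n' "$opts" "$d"
    done
}

# find_nested: read share lines on stdin and print every pair in which one
# shared path is an ancestor of another. Returns 1 if any pair is found.
# Path comparison only: it does not check for a shared file system.
find_nested() {
    paths=$(awk '$1 == "share" { print $NF }')
    rc=0
    for a in $paths; do
        for b in $paths; do
            [ "$a" = "$b" ] && continue
            case $b in
                "${a%/}"/*) echo "nested: $a contains $b"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed demo tree mirroring the thread's layout (temp, x, y).
demo=$(mktemp -d) && mkdir -p "$demo/export/temp" "$demo/export/x" "$demo/export/y"
gen_shares "$demo/export" hostA:hostB hostC temp
rm -rf "$demo"
```

On the server the generated lines would go in `/etc/dfs/dfstab`. Files that sit directly in `/export` are no longer shared with this layout, and hostA and hostB have to mount each subdirectory separately.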


