Bug 210957 - [PATCH] mountd(8): reject /etc/exports lines where the first field(s) end with a /
Summary: [PATCH] mountd(8): reject /etc/exports lines where the first field(s) end wit...
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 10.3-RELEASE
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2016-07-10 09:44 UTC by Derek Schrock
Modified: 2018-08-12 14:39 UTC (History)
0 users

See Also:


Attachments
reject FS fields that end with a / update exports man page (1.07 KB, patch)
2016-07-10 09:44 UTC, Derek Schrock
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Derek Schrock 2016-07-10 09:44:08 UTC
Created attachment 172306 [details]
reject FS fields that end with a / update exports man page

If the last character in the file system fields (the first set of fields) from /etc/exports ends with a / (other than root) then the exported nfs file system can't be mounted on a remote system.

mountd(8) happily accepts lines from /etc/exports if the last character in the file system fields is /.  Other than / itself are there any valid cases where the fs field should/can end with a /?

NFS Server(nfssrv):
# cat /etc/exports 
/mnt/backups/isos -ro -mapall=nobody -network 10.....

NFS Client(nfscli):
$ sudo mount nfssrv:/mnt/backups/isos/  /tmp/
mount_nfs: can't mount /mnt/backups/isos/ from nfssrv onto /private/tmp: Permission denied

NFS Server rejecting a line with a FS ending with a /:
..... mountd[66457]: bad exports list line /mnt/backups/isos/

With patch mountd

NFS Server from /var/log/messages:
........ mountd[17841]: mount request denied from nfscli for /mnt/backups/isos


Removing the / fixes the issue.

See the attached patch to update mountd.c:check_dirpath to reject lines and exports.5 explaining file system fields shouldn't end with / other than root.

I have only tested the patch with 10.3-RELEASE (nfs server) and Mac OS X (client).  It seems this isn't a client issue (same problem with Linux NFS clients) based off other forum posts.

Also, it appears the patch should apply to (10|11)-STABLE and CURRENT.