Message-ID: <fcbf9e82-536b-7144-612a-7fe22e96dc59@in.tum.de>
Date:   Thu, 24 Aug 2017 16:04:01 +1000
From:   Lukas Erlacher <erlacher@...tum.de>
To:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: No option for client bind address in NFS?

Hello,

after reading the NFS(5) manpage and doing some searching through the 
mailing list archive (of course, due to it being ubiquitous in posted 
logs, searching for "addr" and "clientaddr" was a bit hopeless) I have 
come to conclude that NFS does not have an option for explicitly 
specifying an address for the client socket to bind to.

This is problematic for my use case, which is "securing" NFS shares by 
exporting them to specific client hostnames only.

Most of my NFS client machines have multiple IP addresses and since 
configuring IP addresses and routes on Debian-ish systems can be quite 
an art, I don't want to trust the default route going via the correct 
IP so that the NFS server recognizes the host; I also don't want to go 
to the effort of having the shares exported to every possible IP that 
might be configured on the client.

Most utilities (e.g. ping, dig) have an option to specify an explicit 
client socket bind address.

Why doesn't NFS have that? (As I understand it, the clientaddr option 
firstly is only interpreted by NFSv4 and secondly, is not the bind 
address but only used by the server for callbacks)

For reference, my NFS servers are Ubuntu 14.04/16.04 VMs using the 
nfs-kernel-server package, as well as Solaris machines using the 
"sharenfs" option on ZFS pools; my clients are Ubuntu 14.04/16.04 VMs 
using the nfs-common package.

Best,

Lukas Erlacher
RBG Systemgruppe
Rechnerbetriebsgruppe der Fakultäten Informatik und Mathematik
Technische Universität München
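
Added example (not part of the original message): a Python check for the situation described above, reporting which source address the client's kernel would select toward the NFS server and whether the export's client list covers it. The server address, export entries and function names are constructed for illustration, and export entries are assumed to be already-resolved IP addresses or CIDR networks rather than hostnames.

```python
import ipaddress
import socket

NFS_PORT = 2049

def kernel_source_address(server, port=NFS_PORT):
    """Local address the routing table picks for traffic to `server`.

    connect() on a UDP socket sends nothing; it only runs the route lookup
    and source address selection, which is how an unbound socket gets its
    source address.
    """
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.connect((server, port))
        return s.getsockname()[0]

def export_permits(source, export_clients):
    """True if `source` falls inside any IP or CIDR entry of the export."""
    addr = ipaddress.ip_address(source)
    for entry in export_clients:
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False

def unexported_addresses(local_addrs, export_clients):
    """Configured client addresses the server would not recognise."""
    return [a for a in local_addrs if not export_permits(a, export_clients)]

if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    server = "192.0.2.1"
    exports = ["192.0.2.10", "2001:db8:0:1::/64"]
    local = ["192.0.2.10", "198.51.100.7", "2001:db8:0:1::10"]
    print("not covered by export:", unexported_addresses(local, exports))
    try:
        src = kernel_source_address(server)
        print(src, "permitted" if export_permits(src, exports) else "REFUSED")
    except OSError as exc:
        print("no route to", server, "-", exc)
```

Any address listed by unexported_addresses() is one the server would reject if a routing change made it the selected source, which is the exposure a client bind option would remove.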

