Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ames!oliveb!sun!gorodish!guy
From: guy@gorodish.Sun.COM (Guy Harris)
Newsgroups: comp.unix.wizards
Subject: Re: NFS Security:  a summary
Message-ID: <68464@sun.uucp>
Date: 15 Sep 88 05:50:24 GMT
References: <153@leibniz.UUCP> <43200038@uicsrd.csrd.uiuc.edu> <13457@mimsy.UUCP> <7070@bloom-beacon.MIT.EDU>
Sender: news@sun.uucp
Lines: 54

> By the way, last I checked, the side of the NFS protocol which checked
> read-only mounts was the client, not the server.  Don't fool yourself
> into thinking that you can export a partition read-only unless it is
> mounted read-only _on the server_...

I presume you mean "NFS implementation", not "NFS protocol".

The SunOS server code, at least, has checked for read-only mounts since at
least SunOS 3.2.  I don't know at which point these changes made it into the
"portable" NFS source code, or at what point various vendors picked it up.  I
think, however, that this was introduced into SunOS at the same time read-only
exports were introduced, so I would expect any system supporting read-only
exports to do the checks correctly.

Check "nfs_server.c", paying special attention to the "rdonly()" macro defined
at the beginning, which checks whether the file system is exported read-only,
and the procedures that implement operations that modify the file system, which
call "rdonly()" to make sure the file system wasn't exported read-only.

It works; at one point, I mounted a file system read-write which was mounted
read-write on the server but exported read-only.  Attempts to write to it got
EROFS.

> Un-UNIX like behavior: noticeable, but not particularly annoying.  The
> biggest problem is doing an "su" in a remote directory which isn't
> readable by "nobody".  The berkeley C shell exits SILENTLY if getwd()
> fails at startup time (I think the code may actually print an error
> message on stderr, but by that time the file descriptors may already
> have been moved ..)

Yes, this is a misfeature of the C shell.  Bob Gilligan here at Sun put a fix
into the 4.0 version; here is the "diff -c" listing for "sh.dir.c" (I make no
claim that this is correct; the innards of the C shell are one thing of which I
am largely blissfully ignorant):

*** /usr/src/bin/csh/sh.dir.c	Tue Jun 11 18:59:53 1985
--- ./sh.dir.c	Mon Sep 12 11:53:53 1988
***************
*** 37,43 ****
  	else {
  		cp = getwd(path);
  		if (cp == NULL) {
! 			(void) write(2, path, strlen(path));
  			exit(1);
  		}
  	}
--- 37,44 ----
  	else {
  		cp = getwd(path);
  		if (cp == NULL) {
! 			haderr = 1;
! 			printf ("%s\n", path);
  			exit(1);
  		}
  	}