On Thu, Jan 21, 2021 at 02:01:13PM -0600, Patrick Goetz wrote: > I didn't respond to this message immediately, but it's been > bothering me ever since. When I do a bind mount like this in > /etc/fstab: > > /data2/xray /srv/nfs/xray none defaults,bind 0 > > it's my understanding that the kernel keeps track of the resulting > /srv/nfs/xray filesystem in it's vfs somehow. Even when directly on > the server I can't "break out" of /srv/nfs/xray to get to the other > directories in /data. Then how on earth would an NFS client do > this? As I said, NFS allows you to look up objects by filehandle (so, basically by inode number), not just by path. Also, note, mounting something over a directory doesn't hide what's under the mountpoint. And it's unwise to depend on directory permissions alone to hide contents of anything underneath that directory. > I thought the whole point of doing a bind mount like this is to > solve the problem of exporting leaves of a directory hierarchy. In > particular, > > "So in your example, if /data2/xray is on the same filesystem as > /data2, then the server will happily allow operations on > filehandles anywhere in /data2." > > Yes, sure; but I'm not exporting /data2/xray; I'm exporting > /srv/nfs/xray, a bind mount to the preceding. Am I missing > something, or is NFS too insecure to use in any context requiring > differentiated security settings on different folders in the same > directory structure? Definitely do *not* depend on NFS to enforce different export options on different subdirectories of the same filesystem. > It's not practical to making everything you export its own partition; > although I suppose one could do this with ZFS datasets. I'd be happy to hear about any use cases where that's not practical. As Christophe pointed out, xfs/ext4 project ids are another option. --b.