Geoff Nordli
2010-Dec-18 07:09 UTC
[zfs-discuss] a single nfs file system shared out twice with different permissions
I am trying to configure a system where I have two different NFS shares
which point to the same directory. The idea is if you come in via one path,
you will have read-only access and can't delete any files; if you come in
via the 2nd path, then you will have read/write access.

For example, create the read/write nfs share:

zfs create tank/snapshots
zfs set sharenfs=on tank/snapshots

root at grok-zfs1:/# sharemgr show -vp
default nfs=()
zfs
    zfs/tank/snapshots nfs=()
          /tank/snapshots

I have had some luck doing it with Samba.

Any pointers to making it work with NFS?

Thanks,

Geoff
Edward Ned Harvey
2010-Dec-18 14:12 UTC
[zfs-discuss] a single nfs file system shared out twice with different permissions
> From: zfs-discuss-bounces at opensolaris.org [mailto:zfs-discuss-
> bounces at opensolaris.org] On Behalf Of Geoff Nordli
>
> I am trying to configure a system where I have two different NFS shares
> which point to the same directory. The idea is if you come in via one path,
> you will have read-only access and can't delete any files, if you come in
> the 2nd path, then you will have read/write access.

I think you can do this client-side.

mkdir /foo1
mkdir /foo2
mount nfsserver:/exports/bar /foo1
mount -o ro nfsserver:/exports/bar /foo2
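As an added example (not Edward's or the list's code), a small POSIX shell script that performs the two client-side mounts he describes and then verifies from the client's mount table that the read-only path really carries the ro flag; the server name, export path and mount points are assumed.

```shell
#!/bin/sh
# Added example: mount one NFS export twice on a client, once read/write and
# once read-only, then verify the setup from the mount table.
# NFS_EXPORT, RW_DIR and RO_DIR are assumed names, not from the thread.

NFS_EXPORT="${NFS_EXPORT:-nfsserver:/tank/snapshots}"
RW_DIR="${RW_DIR:-/mnt/snapshots-rw}"
RO_DIR="${RO_DIR:-/mnt/snapshots-ro}"

# mount_twice: the two mounts from Edward's reply (needs root and a real server).
mount_twice() {
    mkdir -p "$RW_DIR" "$RO_DIR" || return 1
    mount "$NFS_EXPORT" "$RW_DIR" || return 1
    mount -o ro "$NFS_EXPORT" "$RO_DIR" || return 1
}

# mount_mode MOUNTS MOUNTPOINT: print "ro" or "rw" for MOUNTPOINT, reading the
# mount table text in MOUNTS. Field 4 is the option list both in Linux
# /proc/mounts and in Solaris /etc/mnttab (special mountpoint fstype opts ...).
# Prints nothing and returns 1 if MOUNTPOINT is not in the table.
mount_mode() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            n = split($4, o, ",")
            mode = "rw"
            for (i = 1; i <= n; i++) if (o[i] == "ro") mode = "ro"
            print mode
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }'
}

# check_setup MOUNTS: succeed only if the rw path is rw and the ro path is ro.
check_setup() {
    [ "$(mount_mode "$1" "$RW_DIR")" = "rw" ] &&
    [ "$(mount_mode "$1" "$RO_DIR")" = "ro" ]
}

# Constructed sample mount table so the check can be demonstrated offline.
SAMPLE_MOUNTS="nfsserver:/tank/snapshots /mnt/snapshots-rw nfs4 rw,relatime,vers=4.1,hard,proto=tcp 0 0
nfsserver:/tank/snapshots /mnt/snapshots-ro nfs4 ro,relatime,vers=4.1,hard,proto=tcp 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0"

# On a real client: mount_twice && check_setup "$(cat /proc/mounts)"
```

The read-only mount is a per-path convenience rather than an access control: the same user can still write through the read/write mount point, which is what the use case in this thread relies on.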
Geoff Nordli
2010-Dec-18 19:51 UTC
[zfs-discuss] a single nfs file system shared out twice with different permissions
> -----Original Message-----
> From: Edward Ned Harvey
> [mailto:opensolarisisdeadlongliveopensolaris at nedharvey.com]
> Sent: Saturday, December 18, 2010 6:13 AM
> To: 'Geoff Nordli'; zfs-discuss at opensolaris.org
> Subject: RE: [zfs-discuss] a single nfs file system shared out twice with
> different permissions
>
>> From: zfs-discuss-bounces at opensolaris.org [mailto:zfs-discuss-
>> bounces at opensolaris.org] On Behalf Of Geoff Nordli
>>
>> I am trying to configure a system where I have two different NFS
>> shares which point to the same directory. The idea is if you come in
>> via one path,
>> you will have read-only access and can't delete any files, if you come
>> in the 2nd path, then you will have read/write access.
>
> I think you can do this client-side.
>
> mkdir /foo1
> mkdir /foo2
> mount nfsserver:/exports/bar /foo1
> mount -o ro nfsserver:/exports/bar /foo2

Thanks Edward. The client side solution works great.

Happy holidays!!

Geoff
Richard Elling
2010-Dec-19 19:09 UTC
[zfs-discuss] a single nfs file system shared out twice with different permissions
On Dec 17, 2010, at 11:09 PM, Geoff Nordli wrote:

> I am trying to configure a system where I have two different NFS shares
> which point to the same directory. The idea is if you come in via one path,
> you will have read-only access and can't delete any files, if you come in
> the 2nd path, then you will have read/write access.
>
> For example, create the read/write nfs share:
>
> zfs create tank/snapshots
> zfs set sharenfs=on tank/snapshots

"on" by default sets the NFS share parameters to: "rw"
You can set specific NFS share parameters by using a string that
contains the parameters. For example,

zfs set sharenfs=rw=192.168.12.13,ro=192.168.12.14 my/file/system

sets readonly access for host 192.168.12.14 and read/write access
for 192.168.12.13. For more info see the man page for share_nfs(1m)
 -- richard

> root at grok-zfs1:/# sharemgr show -vp
> default nfs=()
> zfs
>     zfs/tank/snapshots nfs=()
>           /tank/snapshots
>
> I have had some luck doing it with Samba.
>
> Any pointers to making it work with NFS?
>
> Thanks,
>
> Geoff
Darren J Moffat
2010-Dec-20 12:15 UTC
[zfs-discuss] a single nfs file system shared out twice with different permissions
On 18/12/2010 07:09, Geoff Nordli wrote:
> I am trying to configure a system where I have two different NFS shares
> which point to the same directory. The idea is if you come in via one path,
> you will have read-only access and can't delete any files, if you come in
> the 2nd path, then you will have read/write access.

That sounds very similar to what you would do with Trusted Extensions.
The read/write label would be a higher classification than the read-only
one - since you can read down, can't see higher and need to be equal to modify.

For more information on Trusted Extensions start with these resources:

Oracle Solaris 11 Express Trusted Extensions Collection
http://docs.sun.com/app/docs/coll/2580.1?l=en

OpenSolaris Security Community pages on TX:
http://hub.opensolaris.org/bin/view/Community+Group+security/tx

--
Darren J Moffat
Edward Ned Harvey
2010-Dec-20 17:25 UTC
[zfs-discuss] a single nfs file system shared out twice with different permissions
> From: zfs-discuss-bounces at opensolaris.org [mailto:zfs-discuss-
> bounces at opensolaris.org] On Behalf Of Richard Elling
>
>> zfs create tank/snapshots
>> zfs set sharenfs=on tank/snapshots
>
> "on" by default sets the NFS share parameters to: "rw"
> You can set specific NFS share parameters by using a string that
> contains the parameters. For example,
>
> zfs set sharenfs=rw=192.168.12.13,ro=192.168.12.14 my/file/system
>
> sets readonly access for host 192.168.12.14 and read/write access
> for 192.168.12.13.

Yeah, but for some reason, the OP didn't want to make it readonly for
different clients ... He wanted a single client to have it mounted twice
on two different directories, one with readonly, and the other with
read-write.

I guess he has some application he can imprison into a specific read-only
subdirectory, while some other application should be able to read/write or
something like that, using the same username, on the same machine.
Geoff Nordli
2010-Dec-20 19:26 UTC
[zfs-discuss] a single nfs file system shared out twice with different permissions
> From: Edward Ned Harvey
> Sent: Monday, December 20, 2010 9:25 AM
> Subject: RE: [zfs-discuss] a single nfs file system shared out twice with
> different permissions
>
>> From: Richard Elling
>>
>>> zfs create tank/snapshots
>>> zfs set sharenfs=on tank/snapshots
>>
>> "on" by default sets the NFS share parameters to: "rw"
>> You can set specific NFS share parameters by using a string that
>> contains the parameters. For example,
>>
>> zfs set sharenfs=rw=192.168.12.13,ro=192.168.12.14 my/file/system
>>
>> sets readonly access for host 192.168.12.14 and read/write access for
>> 192.168.12.13.
>
> Yeah, but for some reason, the OP didn't want to make it readonly for
> different clients ... He wanted a single client to have it mounted twice
> on two different directories, one with readonly, and the other with
> read-write.
>
> I guess he has some application he can imprison into a specific read-only
> subdirectory, while some other application should be able to read/write or
> something like that, using the same username, on the same machine.

It is the same application, but for some functions it needs to use
read-only access or it will modify the files when I don't want it to.

Have a great day!

Geoff
Richard Elling
2010-Dec-21 04:14 UTC
[zfs-discuss] a single nfs file system shared out twice with different permissions
On Dec 20, 2010, at 11:26 AM, "Geoff Nordli" <geoffn at gnaa.net> wrote:

>> From: Edward Ned Harvey
>> Sent: Monday, December 20, 2010 9:25 AM
>> Subject: RE: [zfs-discuss] a single nfs file system shared out twice with
>> different permissions
>>
>>> From: Richard Elling
>>>
>>>> zfs create tank/snapshots
>>>> zfs set sharenfs=on tank/snapshots
>>>
>>> "on" by default sets the NFS share parameters to: "rw"
>>> You can set specific NFS share parameters by using a string that
>>> contains the parameters. For example,
>>>
>>> zfs set sharenfs=rw=192.168.12.13,ro=192.168.12.14 my/file/system
>>>
>>> sets readonly access for host 192.168.12.14 and read/write access for
>>> 192.168.12.13.
>>
>> Yeah, but for some reason, the OP didn't want to make it readonly for
>> different clients ... He wanted a single client to have it mounted twice
>> on two different directories, one with readonly, and the other with
>> read-write.

Is someone suggesting my solution won't work? Or are they just not up to
the challenge? :-)

>> I guess he has some application he can imprison into a specific read-only
>> subdirectory, while some other application should be able to read/write or
>> something like that, using the same username, on the same machine.
>
> It is the same application, but for some functions it needs to use read-only
> access or it will modify the files when I don't want it to.

Sounds like a simple dtrace script should do the trick, too.
 -- richard
Geoff Nordli
2010-Dec-21 05:27 UTC
[zfs-discuss] a single nfs file system shared out twice with different permissions
> From: Richard Elling
> Sent: Monday, December 20, 2010 8:14 PM
> Subject: Re: [zfs-discuss] a single nfs file system shared out twice with
> different permissions
>
> On Dec 20, 2010, at 11:26 AM, "Geoff Nordli" <geoffn at gnaa.net> wrote:
>
>>> From: Edward Ned Harvey
>>> Sent: Monday, December 20, 2010 9:25 AM
>>> Subject: RE: [zfs-discuss] a single nfs file system shared out twice
>>> with different permissions
>>>
>>>> From: Richard Elling
>>>>
>>>>> zfs create tank/snapshots
>>>>> zfs set sharenfs=on tank/snapshots
>>>>
>>>> "on" by default sets the NFS share parameters to: "rw"
>>>> You can set specific NFS share parameters by using a string that
>>>> contains the parameters. For example,
>>>>
>>>> zfs set sharenfs=rw=192.168.12.13,ro=192.168.12.14 my/file/system
>>>>
>>>> sets readonly access for host 192.168.12.14 and read/write access
>>>> for 192.168.12.13.
>>>
>>> Yeah, but for some reason, the OP didn't want to make it readonly for
>>> different clients ... He wanted a single client to have it mounted twice
>>> on two different directories, one with readonly, and the other with
>>> read-write.
>
> Is someone suggesting my solution won't work? Or are they just not up to
> the challenge? :-)

It won't work :)

The challenge is exporting two shares from the same folder. Linux has a
"bind" command which will make this work, but from what I can see there
isn't an equivalent on OpenSolaris.

This isn't a big deal though; I can make it work using CIFS. It isn't
something that has to be NFS, but I thought I would ask to see if there was
a simple solution I was missing.

>>> I guess he has some application he can imprison into a specific
>>> read-only subdirectory, while some other application should be able
>>> to read/write or something like that, using the same username, on the
>>> same machine.
>>
>> It is the same application, but for some functions it needs to use
>> read-only access or it will modify the files when I don't want it to.
>
> Sounds like a simple dtrace script should do the trick, too.

Unfortunately, there isn't anything I can do about the application, and it
really isn't a big deal. There is a pretty straight forward workaround.

Have a great day!

Geoff
Geoff Nordli
2010-Dec-21 05:29 UTC
[zfs-discuss] a single nfs file system shared out twice with different permissions
> From: Darren J Moffat
> Sent: Monday, December 20, 2010 4:15 AM
> Subject: Re: [zfs-discuss] a single nfs file system shared out twice with
> different permissions
>
> On 18/12/2010 07:09, Geoff Nordli wrote:
>> I am trying to configure a system where I have two different NFS
>> shares which point to the same directory. The idea is if you come in
>> via one path, you will have read-only access and can't delete any
>> files, if you come in the 2nd path, then you will have read/write access.
>
> That sounds very similar to what you would do with Trusted Extensions.
> The read/write label would be a higher classification than the read-only
> one - since you can read down, can't see higher and need to be equal to modify.
>
> For more information on Trusted Extensions start with these resources:
>
> Oracle Solaris 11 Express Trusted Extensions Collection
> http://docs.sun.com/app/docs/coll/2580.1?l=en
>
> OpenSolaris Security Community pages on TX:
> http://hub.opensolaris.org/bin/view/Community+Group+security/tx

Darren, thanks for the suggestion.

I think I am going to go back to using CIFS. It seems to be quite a bit
simpler than what I am looking at with NFS.

Have a great day!

Geoff
Darren J Moffat
2010-Dec-21 10:58 UTC
[zfs-discuss] a single nfs file system shared out twice with different permissions
On 20/12/2010 19:26, Geoff Nordli wrote:
>> I guess he has some application he can imprison into a specific read-only
>> subdirectory, while some other application should be able to read/write or
>> something like that, using the same username, on the same machine.
>
> It is the same application, but for some functions it needs to use read-only
> access or it will modify the files when I don't want it to.

Another alternative is if the application is running on Solaris then you
can run it with the basic file_write privilege removed. This basic
privilege was added for exactly this type of use case.

$ ppriv -e -s EPIL=basic,!file_write myapp

If it is being started by an SMF service you can remove file_write in the
method_credential section - see smf_method(5).

--
Darren J Moffat