hi Chris,

> I have a filesystem which is exported with "root=<host>", where host is
> connected through a separate private network. I assumed that with this,
> even NFS should be safe enough. Unfortunately, if you only specify
> "root=", there appears to be an implied "rw" option.

The implied "rw" option is there because it is the default: if you share via NFS with neither rw nor ro, then rw to all is the default. The "root=" option is orthogonal to this, and controls whether the client root user is mapped on the server to the anon user (normally "nobody"), if root= is not used, or to root, if it is.

I agree there's a possible confusion, that when you share with "root=", then "share" alone will not show you the "rw" that is also in effect, although I don't think the documentation is similarly confused?

> Only by specifying "root=<host>,rw=<host>" does it behave as expected.
> Otherwise, anyone can read and write to the filesystem.

Yes, if you wish to restrict regular (non-root) access, you must use rw/ro, in addition to any use of root= to allow remote root access.

best regards,
calum.
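
An added example, not part of the original message: a small POSIX shell audit that flags share lines where neither rw nor ro is given, including the "root=" only case discussed above. It assumes lines of the form `share -F nfs -o <options> <path>`; the function names, hosts and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classify the access granted by a share option string.
# Rule from the thread: with neither rw nor ro present, rw to all applies,
# whether or not root= is given.
classify_opts() {
    access=no
    root=no
    old_ifs=$IFS
    IFS=,
    for o in $1; do
        case $o in
            rw|ro|rw=*|ro=*) access=yes ;;
            root=*) root=yes ;;
        esac
    done
    IFS=$old_ifs
    if [ "$access" = yes ]; then
        echo explicit
    elif [ "$root" = yes ]; then
        echo implied-rw-all+root
    else
        echo implied-rw-all
    fi
}

# Read share lines on stdin; print "<path> <classification>" per share.
audit_shares() {
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        opts=
        while [ $# -gt 1 ]; do
            if [ "$1" = -o ]; then opts=$2; fi
            shift
        done
        printf '%s %s\n' "$1" "$(classify_opts "$opts")"
    done
}

# Constructed sample input (hypothetical hosts and paths).
sample_shares() {
    cat <<'EOF'
share -F nfs -o root=admin1 /export/data
share -F nfs -o root=admin1,rw=admin1 /export/safe
share -F nfs -o ro /export/docs
share -F nfs /export/pub
EOF
}

sample_shares | audit_shares
```

Shares reported as `implied-rw-all+root` are the ones that need an explicit rw= or ro= list added alongside root=.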