[lug] Sun Client Redhat AS3 NFS Probs

Jeffrey A. St. Pierre Jasp2 at Colorado.EDU
Mon May 17 12:15:12 MDT 2004 

On Mon, 17 May 2004, D. Stimits wrote:

> > 
> > OK, so you are telling me that every exported filesystem requires
> > a quota file?  So I have three choices 1. to turn rquotad off 2.
> > put every single exported filesystem under quota control, or 3.  
> > deal with errors
> > 
> 
> At least for testing. Until you know for sure what is happening, it's 
> one way to figure it out.
> 
> > To me that would seem like a massive oversight in whoever wrote
> > 'quota'.  I mean, what if I only want quotas on my home
> > directories but not my project directories?  Anyway... let's give
> > it a try.  Odds are you guys know more than I do about this
> > stuff.
> > 
> 
> Quota is a facet of security. Denial of service through remote 
> filesystem exploit to fill up the drive with nonsense is one example. 
> The whole point of quota is that you can't find a way around it if it is 
> active. If either you have the feature added in, or if the filesystem 
> type requires the feature, then a logged warning is pretty mild.
> 

Well, it really could be a mess.  I had just one of almost 100
projects moved to the new NFS server, and it was seriously
filling up my logs.  Now, if this really is a security issue, am
I really better off having the quota files setup but no actual
quotas set?  I only want quotas on the home directories (which
haven't been moved yet, but will be) and I want the researchers
(the users) to be able to fill their projects right to capacity
if they so desire.  Quotas as part of protecting filesystem
overflows seems more applicable to /var which generally isn't
exported, so rquotad wouldn't notice it.  Also, I don't know of
anyone who applies quotas to /var... Maybe I'm missing the point,
or not making my own clear.  Here are the pieces of the puzzle as
I see it.

A.  I want rquotad on because /export/home will have quotas on it
that people want to check from client systems.

B.  I am also exporting /export/projXX which I don't want quotas
on them.

C.  I still need setup quota files for the /export/projXX drives
and mount them with quota options turned on, because otherwise
everytime any user on any client runs a 'quota -v' every mounted
directory without quotas will generate errors on the server.

Don't make sense to me, and I'm not convinced quotas are a facet
of security.  I think it is better classified as a facet of
controling the users, which may have security issues.

> > Thanks much to everyone who gave me input on this.  However, I
> > still feel this is a bit of a bug.  If there are no quotas setup
> > for a particular filesystem, doesn't it make more sense for the
> > daemon to just ignore the request for that filesystem, rather
> > than filling the messeges file with ambiguous errors? I mean
> > 'rpc.rquotad: Can't find filesystem mountpoint for directory
> > /export/rd02/diag' seems unrelated to the actual problem.  If
> > it insists on giving an error, don't you think 'No quota files
> > for filesystem /mnt/filesystem' would be a better error
> > message? Do you think I should report this to the developers?
> 
> Error messages being either misleading or lacking detail has been a 
> problem since the beginning of computers. A better error message might 
> be something worth mentioning to the developers. If this were something 
> you'd seen before, you could go right to the fix, so to the developers 
> the message probably isn't misleading until they hear from someone that 
> had the problem while also unfamiliar with the setup.
> 
> D. Stimits, stimits AT comcast DOT net
> _______________________________________________
> 

Ok... That makes sense, I may submit a bug report just to improve
the error messages.  

Thanks again,

-Jeff

More information about the LUG mailing list