Use subtree_check to reduce subtree attacks

... in the NFSv4 pseudo file system export. This can be modified via the `OMV_NFSD_V4_PSEUDO_ROOT_OPTIONS` environment variable.

Signed-off-by: Volker Theile <[email protected]>

deb/openmediavault/debian/changelog

@@ -4,6 +4,9 @@ openmediavault (7.4.6-1) stable; urgency=low
     Congdi 2.5-Inch USB 3.1 Type-C hard drive enclosures.
   * Add UDEV rule to fix the duplicate serial number issue for
     Insignia 2-Bay HDD docking stations.
+  * Use `subtree_check` to reduce subtree attacks in the NFSv4
+    pseudo file system export. This can be modified via the
+    `OMV_NFSD_V4_PSEUDO_ROOT_OPTIONS` environment variable.
 
  -- Volker Theile <[email protected]>   Mon, 19 Aug 2024 19:26:45 +0200
 

deb/openmediavault/debian/openmediavault.postinst

@@ -545,6 +545,9 @@ case "$1" in
 		if dpkg --compare-versions "$2" lt-nl "7.4.5"; then
 			omv_module_set_dirty apticron
 		fi
+		if dpkg --compare-versions "$2" lt-nl "7.4.6"; then
+			omv_module_set_dirty nfs
+		fi
 
 		########################################################################
 		# Trigger the restart of the omv-engined daemon to load and use the

deb/openmediavault/srv/salt/omv/deploy/nfs/files/etc-exports.j2

@@ -1,6 +1,6 @@
 {%- set separator = ' ' %}
 {%- set export_dir = salt['pillar.get']('default:OMV_NFSD_EXPORT_DIR', '/export') -%}
-{%- set pseudo_root_options = salt['pillar.get']('default:OMV_NFSD_V4_PSEUDO_ROOT_OPTIONS', 'ro,fsid=0,root_squash,no_subtree_check') -%}
+{%- set pseudo_root_options = salt['pillar.get']('default:OMV_NFSD_V4_PSEUDO_ROOT_OPTIONS', 'ro,fsid=0,root_squash,subtree_check') -%}
 {%- set pseudo_root_enabled = salt['pillar.get']('default:OMV_NFSD_V4_PSEUDO_ROOT_ENABLED', 'yes') -%}
 {%- set shares_distinct_sfref = salt['omv_conf.get_by_filter'](
   'conf.service.nfs.share',