mountd

J. Bruce Fields bfields at fieldses.org
Wed Jul 12 16:49:12 EDT 2006


On Tue, Jul 11, 2006 at 01:12:10PM -0400, bfields wrote:
> On Tue, Jul 11, 2006 at 10:09:47AM -0700, Jane Chiu wrote:
> >    I think the result of the diff could be due to my sprinkling a bunch of
> > syslog warnings to figure out the source code.
> 
> No, it's not just syslogs--look at the diff--there's a lot of code added
> and deleted that has nothing to do with your work.

(I should point out--the diffs we send around are primarily for
consumption by humans, only secondarily by patch.  So it's worth reading
through the patches you produce to make sure they "say" what you mean
them to.)

By the way, appended are two diffs from Fred implementing a very basic
form of the secinfo parsing.  These are rough drafts but should give you
something to work against.

The first is a patch against the kernel which allows nfs-utils to pass
down the secinfo information.

The second is a patch to nfs-utils which parses sec= lines in
/etc/exports and passes the secinfo information to the kernel.

So the two pieces left to do are

	1. Kernel code to use the secinfo information to authorize rpc
	requests.
	2. Kernel code to generate the secinfo information.  (Usha
	Ketineni has done most of this, it just needs updating to use
	this new information.)
	3. Figure out what more needs to be done to satisfy rfc2623.

I'm working on #1 and #2, so it's #3 we're counting on you for.

So after Fred's patches, a user can replace

	/exports	gss/krb5(rw,...)

by

	/exports	*.example.com(rw,sec=krb5,...)

which allows mountd to authenticate incoming auth_sys and auth_null
requests for krb5-protected exports just like any other requests.  (I
think--does rfc2623 say that mountd allows *all* mount protocol requests
for krb5-exported filesystems, or are some disallowed?)

We also need to identify which NFS operations we (the kernel) will
have to allow in that case even without authentication.

And we need to adjust the list of pseudoflavors returned by the MNT
procedure so it reflects the information given in /etc/exports, so that
security negotiation works for v2/v3.

--b.
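
Added example, not part of the original message and not Fred's patches (which are not reproduced on this page): a C function that turns the sec= option of an /etc/exports entry into the ordered list of pseudoflavor numbers a MNT reply would advertise. The function names, the colon-separated flavor list, and the AUTH_SYS default when no sec= is present are assumptions of this example; the krb5 numbers are the RFC 2623 assignments.

```c
#include <string.h>

/* AUTH_NONE and AUTH_SYS are ONC RPC flavors; the krb5 numbers are the
 * RPCSEC_GSS pseudoflavors assigned in RFC 2623. */
static const struct { const char *name; unsigned int num; } flavors[] = {
    { "none", 0 }, { "sys", 1 },
    { "krb5", 390003 }, { "krb5i", 390004 }, { "krb5p", 390005 },
};

/* Hypothetical helper: map a flavor name of given length to its number. */
static int lookup_flavor(const char *s, size_t len, unsigned int *num)
{
    for (size_t i = 0; i < sizeof(flavors) / sizeof(flavors[0]); i++)
        if (strlen(flavors[i].name) == len && !strncmp(flavors[i].name, s, len)) {
            *num = flavors[i].num;
            return 0;
        }
    return -1;
}

/* Parse one export's option string, e.g. "rw,sec=krb5:krb5i,sync", into
 * pseudoflavor numbers in the order listed. Returns the count, or -1 for an
 * unknown or empty flavor name or more than max entries. With no sec=
 * option the list is just AUTH_SYS (a default assumed by this example). */
int parse_sec_option(const char *opts, unsigned int *out, int max)
{
    int n = 0;
    for (const char *p = opts; *p; ) {
        size_t optlen = strcspn(p, ",");
        if (optlen >= 4 && !strncmp(p, "sec=", 4)) {
            const char *f = p + 3;              /* points at '=' */
            do {
                f++;                            /* skip '=' or ':' */
                size_t flen = strcspn(f, ":,");
                if (flen == 0 || n == max || lookup_flavor(f, flen, &out[n]))
                    return -1;                  /* fail closed, never guess */
                n++;
                f += flen;
            } while (*f == ':');
        }
        p += optlen + (p[optlen] == ',');       /* step past the separator */
    }
    if (n == 0 && max > 0)
        out[n++] = 1;                           /* AUTH_SYS */
    return n;
}
```

Rejecting the whole entry on an unrecognized flavor, rather than skipping it, keeps a typo in /etc/exports from silently widening the set of flavors offered during security negotiation.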
