[PATCH 0/5] Dynamic Pseudo Root
J. Bruce Fields
bfields at fieldses.org
Tue Feb 19 14:58:16 EST 2008
On Tue, Feb 19, 2008 at 02:37:05PM -0500, Trond Myklebust wrote:
>
> On Tue, 2008-02-19 at 14:09 -0500, J. Bruce Fields wrote:
>
> > I lost you with the "per-_user_" thing. Could you give an example?
> >
> > Are you expecting that something like
> >
> > /foo/bar client1(sec=krb5)
> > /foo/bar/baz client1(sec=sys:krb5)
> >
> > would result in client1 being allowed to do a krb5 nfsv4 readdir on
> > /foo/bar and get a directory with just "baz"?
>
> You mean an AUTH_SYS readdir, right?
Whoops, yes.
> Yes, that's the case I'm thinking of.
>
> > I would have expected such a readdir to just get wrongsec.
>
> Why? As far as the auth_sys user is concerned, he is just walking
> through a pseudo-fs in order to access the directory 'baz'. The
> equivalent in NFSv3-speak would be to do
>
> showmount -e server
> mount server:/foo/bar/baz /mnt
>
> which is run-of-the-mill stuff for autofs.
If a parent is exported with access that the child isn't, there's a
tradeoff:
- If you allow just the limited access required to get to the
child, then you lose the ability of the automatic security
negotiation to negotiate access to the parent, since the
client may never get a wrongsec error.
- If you shut off access completely, then you end up permitting
access only to clients that are able to negotiate the access
required to traverse the parent (unless the client talks to
mountd or guesses a filehandle).
Yeah, the first option seems more useful overall.
But have you looked, e.g., at 2.6.3.1. "put Filehandle Operation +
LOOKUP" of draft 19? Here and elsewhere the working group seems to be
assume that security policies always apply directory-wide.
--b.
More information about the NFSv4
mailing list