[PATCH 0/5] Dynamic Pseudo Root

Trond Myklebust trond.myklebust at fys.uio.no
Tue Feb 19 15:07:16 EST 2008 

On Tue, 2008-02-19 at 14:58 -0500, J. Bruce Fields wrote:
> On Tue, Feb 19, 2008 at 02:37:05PM -0500, Trond Myklebust wrote:
> > 
> > On Tue, 2008-02-19 at 14:09 -0500, J. Bruce Fields wrote:
> > 
> > > I lost you with the "per-_user_" thing.  Could you give an example?
> > > 
> > > Are you expecting that something like
> > > 
> > > 	/foo/bar        client1(sec=krb5)
> > > 	/foo/bar/baz    client1(sec=sys:krb5)
> > > 
> > > would result in client1 being allowed to do a krb5 nfsv4 readdir on
> > > /foo/bar and get a directory with just "baz"?
> > 
> > You mean an AUTH_SYS readdir, right?
> 
> Whoops, yes.
> 
> > Yes, that's the case I'm thinking of.
> > 
> > > I would have expected such a readdir to just get wrongsec.
> > 
> > Why? As far as the auth_sys user is concerned, he is just walking
> > through a pseudo-fs in order to access the directory 'baz'. The
> > equivalent in NFSv3-speak would be to do
> > 
> >         showmount -e server
> >         mount server:/foo/bar/baz /mnt
> > 
> > which is run-of-the-mill stuff for autofs.
> 
> If a parent is exported with access that the child isn't, there's a
> tradeoff:
> 
> 	- If you allow just the limited access required to get to the
> 	  child, then you lose the ability of the automatic security
> 	  negotiation to negotiate access to the parent, since the
> 	  client may never get a wrongsec error.
> 
> 	- If you shut off access completely, then you end up permitting
> 	  access only to clients that are able to negotiate the access
> 	  required to traverse the parent (unless the client talks to
> 	  mountd or guesses a filehandle).
> 
> Yeah, the first option seems more useful overall.
> 
> But have you looked, e.g., at 2.6.3.1. "put Filehandle Operation +
> LOOKUP" of draft 19?  Here and elsewhere the working group seems to be
> assume that security policies always apply directory-wide.

One way of reconciling this with the pseudo-fs approach would be to
allow READDIR to succeed for the AUTH_SYS case too, but to return
NFS4ERR_WRONGSEC if the client attempts to retrieve any attributes or
filehandles for those names.

Cheers
  Trond

More information about the NFSv4 mailing list