[PATCH 0/5] Dynamic Pseudo Root

J. Bruce Fields bfields at fieldses.org
Tue Feb 19 15:21:39 EST 2008 

On Tue, Feb 19, 2008 at 03:07:16PM -0500, Trond Myklebust wrote:
> 
> On Tue, 2008-02-19 at 14:58 -0500, J. Bruce Fields wrote:
> > On Tue, Feb 19, 2008 at 02:37:05PM -0500, Trond Myklebust wrote:
> > > 
> > > On Tue, 2008-02-19 at 14:09 -0500, J. Bruce Fields wrote:
> > > 
> > > > I lost you with the "per-_user_" thing.  Could you give an example?
> > > > 
> > > > Are you expecting that something like
> > > > 
> > > > 	/foo/bar        client1(sec=krb5)
> > > > 	/foo/bar/baz    client1(sec=sys:krb5)
> > > > 
> > > > would result in client1 being allowed to do a krb5 nfsv4 readdir on
> > > > /foo/bar and get a directory with just "baz"?
> > > 
> > > You mean an AUTH_SYS readdir, right?
> > 
> > Whoops, yes.
> > 
> > > Yes, that's the case I'm thinking of.
> > > 
> > > > I would have expected such a readdir to just get wrongsec.
> > > 
> > > Why? As far as the auth_sys user is concerned, he is just walking
> > > through a pseudo-fs in order to access the directory 'baz'. The
> > > equivalent in NFSv3-speak would be to do
> > > 
> > >         showmount -e server
> > >         mount server:/foo/bar/baz /mnt
> > > 
> > > which is run-of-the-mill stuff for autofs.
> > 
> > If a parent is exported with access that the child isn't, there's a
> > tradeoff:
> > 
> > 	- If you allow just the limited access required to get to the
> > 	  child, then you lose the ability of the automatic security
> > 	  negotiation to negotiate access to the parent, since the
> > 	  client may never get a wrongsec error.
> > 
> > 	- If you shut off access completely, then you end up permitting
> > 	  access only to clients that are able to negotiate the access
> > 	  required to traverse the parent (unless the client talks to
> > 	  mountd or guesses a filehandle).
> > 
> > Yeah, the first option seems more useful overall.
> > 
> > But have you looked, e.g., at 2.6.3.1. "put Filehandle Operation +
> > LOOKUP" of draft 19?  Here and elsewhere the working group seems to be
> > assume that security policies always apply directory-wide.
> 
> One way of reconciling this with the pseudo-fs approach would be to
> allow READDIR to succeed for the AUTH_SYS case too,

Where by "succeed" you mean return all entries, even those not needed to
access child exports?

> but to return NFS4ERR_WRONGSEC if the client attempts to retrieve any
> attributes or filehandles for those names.

So they could traverse to the child filesystem but still likely get a
wrongsec error fairly quickly if they mount the parent.  OK, maybe.

--b.

More information about the NFSv4 mailing list