[PATCH 0/5] Dynamic Pseudo Root
Frank Filz
ffilzlnx at us.ibm.com
Tue Feb 19 15:55:10 EST 2008
On Tue, 2008-02-19 at 15:07 -0500, Trond Myklebust wrote:
> One way of reconciling this with the pseudo-fs approach would be to
> allow READDIR to succeed for the AUTH_SYS case too, but to return
> NFS4ERR_WRONGSEC if the client attempts to retrieve any attributes or
> filehandles for those names.
One problem with that is should this special case be any different than
another case:
/export *(sec=krb5)
/export/f/foo foo_client(sec=sys:krb5)
Now foo_client has to be able to lookup f in /export to be able to get
to the private export foo. This suggests that it only makes sense for
pseudo root to be exported with at least read access to the most
permissive security flavors used across the system.
Frank
More information about the NFSv4
mailing list