[PATCH 0/5] Dynamic Pseudo Root

Trond Myklebust trond.myklebust at fys.uio.no
Tue Feb 19 15:57:58 EST 2008 

On Tue, 2008-02-19 at 15:21 -0500, J. Bruce Fields wrote:
> On Tue, Feb 19, 2008 at 03:07:16PM -0500, Trond Myklebust wrote:
> > 
> > On Tue, 2008-02-19 at 14:58 -0500, J. Bruce Fields wrote:
> > > On Tue, Feb 19, 2008 at 02:37:05PM -0500, Trond Myklebust wrote:
> > > > 
> > > > On Tue, 2008-02-19 at 14:09 -0500, J. Bruce Fields wrote:
> > > > 
> > > > > I lost you with the "per-_user_" thing.  Could you give an example?
> > > > > 
> > > > > Are you expecting that something like
> > > > > 
> > > > > 	/foo/bar        client1(sec=krb5)
> > > > > 	/foo/bar/baz    client1(sec=sys:krb5)
> > > > > 
> > > > > would result in client1 being allowed to do a krb5 nfsv4 readdir on
> > > > > /foo/bar and get a directory with just "baz"?
> > > > 
> > > > You mean an AUTH_SYS readdir, right?
> > > 
> > > Whoops, yes.
> > > 
> > > > Yes, that's the case I'm thinking of.
> > > > 
> > > > > I would have expected such a readdir to just get wrongsec.
> > > > 
> > > > Why? As far as the auth_sys user is concerned, he is just walking
> > > > through a pseudo-fs in order to access the directory 'baz'. The
> > > > equivalent in NFSv3-speak would be to do
> > > > 
> > > >         showmount -e server
> > > >         mount server:/foo/bar/baz /mnt
> > > > 
> > > > which is run-of-the-mill stuff for autofs.
> > > 
> > > If a parent is exported with access that the child isn't, there's a
> > > tradeoff:
> > > 
> > > 	- If you allow just the limited access required to get to the
> > > 	  child, then you lose the ability of the automatic security
> > > 	  negotiation to negotiate access to the parent, since the
> > > 	  client may never get a wrongsec error.
> > > 
> > > 	- If you shut off access completely, then you end up permitting
> > > 	  access only to clients that are able to negotiate the access
> > > 	  required to traverse the parent (unless the client talks to
> > > 	  mountd or guesses a filehandle).
> > > 
> > > Yeah, the first option seems more useful overall.
> > > 
> > > But have you looked, e.g., at 2.6.3.1. "put Filehandle Operation +
> > > LOOKUP" of draft 19?  Here and elsewhere the working group seems to be
> > > assume that security policies always apply directory-wide.
> > 
> > One way of reconciling this with the pseudo-fs approach would be to
> > allow READDIR to succeed for the AUTH_SYS case too,
> 
> Where by "succeed" you mean return all entries, even those not needed to
> access child exports?

Return all _names_ allowed by the most permissive export option (but
return WRONGSEC if the client attempts to retrieve more than just the
name).

More information about the NFSv4 mailing list