From: Olaf Kirch <okir@suse.de>
To: util-linux@math.uio.no
Cc: nfs@lists.sourceforge.net
Subject: Small patch to nfs.5 manpage
Date: Mon, 22 Mar 2004 16:47:33 +0100
Message-ID: <20040322154733.GF23862@suse.de>
In-Reply-To: <20040322143922.GA2452@posern.org>


Hi Andries,

As the limitation on the number of auxiliary groups obviously
baffles people again and again, I thought it might be useful
to document this limitation in nfs(5).

Please find attached a small patch to nfs.5 that adds a small
section on NFS authentication. It also updates the manpage
slightly: cto and tcp are implemented now, and broken_suid
was missing.

Cheers,
Olaf
-- 
Olaf Kirch     |  Stop wasting entropy - start using predictable
okir@suse.de   |  tempfile names today!
---------------+ 

[-- Attachment #2: nfs-auth-doc.patch --]

--- util-linux-2.12/mount/nfs.5.okir	2004-03-22 16:26:31.000000000 +0100
+++ util-linux-2.12/mount/nfs.5	2004-03-22 16:43:38.000000000 +0100
@@ -213,10 +213,45 @@
 NFS version 3. (On NFS version 2 filesystems this option has no effect.)
 This option also deactivates the GETACL and SETACL remote procedure calls
 which are otherwise used to manipulate ACLs.
+.TP 1.5i
+.I broken_suid
+This option tries to help applications that are a little careless
+in dealing with effective vs real user and group ID. See below in
+section
+.IR "NFS Authentication" .
 .P
 All of the non-value options have corresponding nooption forms.
 For example, nointr means don't allow file operations to be
 interrupted.
+.SS NFS Authentication
+NFS currently supports only the AUTH_SYS RPC authentication flavor,
+which basically transmits the user's user and group ID to the server,
+along with the list of supplementary groups. However, this doesn't
+transport the full set of user credentials to the server, so that some
+operations may fail with a permission error, which would have succeeded
+on a local file system.
+.P
+One limitation of AUTH_SYS authentication is that not the full set of
+user and group ids are transmitted. By default, only the fsuid and fsgid
+and the auxiliary group vector are transmitted. (fsuid and fsgid mostly
+reflect the effective uid and gid, but can differ in special cases,
+see
+.BR setfsuid (2)
+for details).
+.P
+If this behavior causes certain applications to break, it may help to
+enable the
+.B broken_suid
+mount option. This tells the NFS client to retry an operation with
+the real uid and gid if it fails using the fsuid and fsgid.
+.P
+Another common problem occurs when users have a large number of
+auxiliary groups. The AUTH_SYS flavor limits the number of auxiliary
+groups that can be transmitted to 16. Additional groups are simply
+ignored, and may cause operations to fail which would otherwise be
+allowed based on the user's group membership.
+The only fix for this problem is to limit the number of groups the user
+is part of.
 .SH FILES
 .I /etc/fstab
 .SH "SEE ALSO"
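Review bot: The first two paragraphs of the new "NFS Authentication" section say the same thing twice (the first: "this doesn't transport the full set of user credentials to the server"; the second: "not the full set of user and group ids are transmitted"), so consider merging them into one paragraph that introduces AUTH_SYS and then states the fsuid/fsgid/auxiliary-group rule once. Two smaller points in the same hunk: the option is set in italics in the option table (".I broken_suid") but in bold in the section text (".B broken_suid"), so pick one; and the cross-reference ".IR "NFS Authentication" ." names a subsection (".SS") rather than a top-level section, so "see the subsection" or "see below under" would be more accurate than "See below in section".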
@@ -224,11 +259,7 @@
 .SH AUTHOR
 "Rick Sladkey" <jrs@world.std.com>
 .SH BUGS
-The posix, and nocto options are parsed by mount
-but currently are silently ignored.
-.P
-The tcp and namlen options are implemented but are not currently
-supported by the Linux kernel.
+The posix option is parsed by mount but is currently ignored by the kernel.
 .P
 The umount command should notify the server
 when an NFS filesystem is unmounted.
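Review bot: The removed BUGS text covered four options (posix, nocto, tcp, namlen) and the replacement keeps only posix, but the cover letter says only that cto and tcp are implemented now; nothing in the patch says what happened to namlen, so either keep a line stating its status or mention in the commit text that it is now supported. Also, the old wording "silently ignored" was the useful part for a reader debugging a mount line; "currently ignored by the kernel" loses the hint that mount accepts the option without complaint, so consider "is parsed by mount but silently ignored by the kernel".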
