From: "J. Bruce Fields" <bfields@fieldses.org>
To: Trond Myklebust <trond.myklebust@fys.uio.no>
Cc: Per Olofsson <pelle@dsv.su.se>, Paul Jakma <paul@clubi.ie>,
	nfs@lists.sourceforge.net
Subject: Re: NFSv3+Krb5 and mountd
Date: Mon, 30 Aug 2004 14:04:02 -0400	[thread overview]
Message-ID: <20040830180402.GE1555@fieldses.org> (raw)
In-Reply-To: <1093887933.8729.35.camel@lade.trondhjem.org>

On Mon, Aug 30, 2004 at 01:45:33PM -0400, Trond Myklebust wrote:
> On Mon, 30/08/2004 at 13:17, J. Bruce Fields wrote:
> 
> > I believe (can't find the right language now) that RFC2623 says it's OK
> > for the server to allow the client to do MOUNT requests and a few
> > filesystem requests (sufficient for statfs) without rpcsec_gss, even on
> > rpcsec_gss exports.  Our server and mountd currently do *not* do that.
> 
> Right. The RFC says that the NFS server should allow AUTH_SYS
> authenticated NFSPROC3_FSINFO (NFSv3) and NFSPROC_GETATTR+NFSPROC_STATFS
> (NFSv2) calls on the root filehandle (and *only* on the root
> filehandle).

And also, though it seems to be just implicit, it expects you to be able
to do MOUNT.

Since we specify the rpcsec_gss security flavor as the client in
/etc/exports, in the place of the ip address/network/whatever, this
means in practice we'd need to allow MOUNT from any ip address for a
filesystem that's exported to rpcsec_gss.  Which I suppose is OK, though
I don't understand why clients really want to do that.

> mountd should always support AUTH_SYS, so no changes required there
> (apart from the need to add the supported RPCSEC_GSS pseudoflavours to
> the "auth_flavors" list).
> As far as I know, nobody (not even Sun) has set up NLM to work with
> RPCSEC_GSS either.

Well, I suppose unauthenticated locks are a DoS at worst.  But the
lookup of the initial filehandle seems more security-critical to me.

--Bruce Fields
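The point Bruce makes about /etc/exports, as an added example that is not part of the thread: a small audit of an exports file that flags entries whose client column is a GSS pseudoflavour (assuming the nfs-utils convention of `gss/krb5`, `gss/krb5i`, `gss/krb5p` as client names) or `*`, because for those the MOUNT request mountd must still accept with AUTH_SYS is reachable from any source address. The sample exports content is constructed.

```python
"""Audit an /etc/exports file for exports with no source-address limit on MOUNT.
Added example; assumes the nfs-utils 'gss/<flavour>' client-column syntax."""
import re
from typing import Dict, List

# Constructed sample exports file, not taken from any real host.
SAMPLE_EXPORTS = """\
# comment line
/srv/home   gss/krb5(rw,sync)
/srv/pub    192.168.1.0/24(ro)  gss/krb5i(rw)
/srv/data   *(ro)
/srv/backup 10.0.0.5(rw,no_root_squash)
"""

GSS_FLAVOURS = {"gss/krb5", "gss/krb5i", "gss/krb5p"}
# client spec is "<client>" or "<client>(opt,opt,...)"
CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?$")


def parse_exports(text: str) -> Dict[str, List[dict]]:
    """Map each exported path to its list of {client, options} entries."""
    result: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for spec in clients:
            m = CLIENT_RE.match(spec)
            client, opts = m.group(1), m.group(2) or ""
            entries.append({"client": client,
                            "options": opts.split(",") if opts else []})
        result[path] = entries
    return result


def unrestricted_mounts(exports: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Return {path: [client specs]} where the client column restricts nothing
    by address: a GSS pseudoflavour only constrains the NFS calls themselves,
    so the AUTH_SYS MOUNT request is accepted from anywhere; '*' is open outright."""
    findings: Dict[str, List[str]] = {}
    for path, entries in exports.items():
        open_specs = [e["client"] for e in entries
                      if e["client"] in GSS_FLAVOURS or e["client"] == "*"]
        if open_specs:
            findings[path] = open_specs
    return findings


if __name__ == "__main__":
    for path, why in unrestricted_mounts(parse_exports(SAMPLE_EXPORTS)).items():
        print(f"{path}: MOUNT reachable from any address via {', '.join(why)}")
```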


