From: NeilBrown <neilb@suse.de>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: NFS <linux-nfs@vger.kernel.org>
Subject: Re: Inconsistency when mounting a directory that 'world' cannot access.
Date: Wed, 3 Oct 2012 13:46:29 +1000
Message-ID: <20121003134629.72557522@notabene.brown>
In-Reply-To: <20121002143334.GA1435@fieldses.org>
On Tue, 2 Oct 2012 10:33:34 -0400 "J. Bruce Fields" <bfields@fieldses.org> wrote:
> I guess you're right. So it starts to sound more like: "you have a
> confusing setup. Your export configuration says one thing, and your
> filesystem permissions say another. Under NFSv3 the confusion didn't
> matter, but now it does--time to fix it."
>
That's the best I could come to - I'm glad to have it confirmed. Thanks!
It is unfortunate that Linux NFS uses an anon credential to mount when krb5
is in use, and uses 'root' when auth_sys is used (which might be anon if
"root_squash" is active, but might not).
I wonder if it would work to use auth_none for the mount-time lookup, just
for consistency.
Is the following appropriate? Is there somewhere better to put this caveat?
Thanks,
NeilBrown
diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
index bc1de73..91e4b9c 100644
--- a/utils/exportfs/exports.man
+++ b/utils/exportfs/exports.man
@@ -126,6 +126,10 @@ will be enforced only for access using flavors listed in the immediately
preceding sec= option. The only options that are permitted to vary in
this way are ro, rw, no_root_squash, root_squash, and all_squash.
.PP
+When RPCSEC_GSS is used with NFSv4, a client will only be able to mount a
+directory if that directory and all its ancestors give eXecute access
+to "world".
+.PP
.SS General Options
.BR exportfs
understands the following export options:
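Review bot: The condition in the new paragraph ("When RPCSEC_GSS is used with NFSv4") is narrower than what the covering mail describes: the mail says the auth_sys mount-time lookup runs as 'root', which root_squash turns into the anonymous user, so the same ancestor-permission restriction can apply to auth_sys exports with root_squash, not only to RPCSEC_GSS. Consider stating the caveat in terms of the credential used for the mount-time path lookup (anonymous under RPCSEC_GSS, and under auth_sys when root_squash is in effect) so administrators can recognise when it applies, and replacing 'eXecute access to "world"' with the usual 'search (execute) permission for others'. The placement directly under the sec= discussion also reads oddly, since this restriction does not vary per flavor; a paragraph of its own, or a spot next to the mount-related text, would be easier to find.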
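The restriction the man-page paragraph documents can be verified from the shell before a directory is exported. This is an added example, not code from the thread or from nfs-utils; it assumes only POSIX ls and dirname, and the optional second argument (the directory at which the upward walk stops, defaulting to /) is a constructed convenience so the check can be run against a test tree.

```shell
#!/bin/sh
# world_exec_missing DIR [TOP]
# Walk from DIR up to TOP (default /) and print every directory on the
# way that does not grant execute (search) permission to "other".
# Exit status 0 when every directory has o+x, 1 when at least one lacks it.
world_exec_missing() {
    dir=$1
    top=${2:-/}
    rc=0
    p=$dir
    while :; do
        # First 10 characters of `ls -ld`: file type plus three rwx triplets.
        # The 10th character is the "other" execute bit; a trailing '+' or '.'
        # (ACL / security label) is cut off so it cannot confuse the check.
        mode=$(ls -ld "$p" | cut -c1-10)
        case "${mode#?????????}" in
            x|t) ;;                       # o+x present (t = sticky bit with exec)
            *)   printf '%s\n' "$p"; rc=1 ;;
        esac
        [ "$p" = "$top" ] && break        # reached the requested top
        [ "$p" = "/" ] && break           # reached the filesystem root
        p=$(dirname "$p")
    done
    return $rc
}

# Stand-alone use: world_exec_missing /srv/nfs/export [top]
if [ $# -gt 0 ]; then
    world_exec_missing "$@"
fi
```

A non-empty output lists the directories an administrator would have to chmod (or re-export from a different mountpoint) before a krb5 client can mount the path.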