From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: Tom Haynes <tdh@excfb.com>
Cc: Chuck Lever <chuck.lever@oracle.com>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: Security negotiation
Date: Mon, 13 Jul 2009 12:20:07 -0400 [thread overview]
Message-ID: <1247502007.14524.3.camel@heimdal.trondhjem.org> (raw)
In-Reply-To: <4A5B5BCC.5040200@excfb.com>
On Mon, 2009-07-13 at 11:07 -0500, Tom Haynes wrote:
> Trond Myklebust wrote:
> > On Fri, 2009-07-10 at 17:38 -0500, Tom Haynes wrote:
> >
> >> If they have the same access lists, then the server is free to order them...
> >>
> >> share -F nfs -o sec=sys:none:krb5,rw /foo
> >> share -F nfs -o sec=sys,ro,sec=krb5p,rw,root=@192.168.2.0,sec=krb5,rw /bar
> >>
> >> In the first, we don't care how the server presents them. In the second,
> >> the list would be: sys krb5p krb5.
> >>
> >
> > Meaning that the client defaults to read-only access?
> >
> > Trond
> >
>
> In this scenario, yes.
>
> The export states that if you can't be bothered to run kerberos, I can't
> be bothered to let you write
> to my filesystem.
Well, how does the security negotiating NFSv3 client discover that?
I'm assuming that in the case of NFSv4, you would return
NFS4ERR_WRONGSEC if the user attempts to write to the server, but what
do you do in the case of NFSv3? Do you return an rpc level AUTH_TOOWEAK
error instead?
Trond
next prev parent reply other threads:[~2009-07-13 16:20 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-10 18:07 Security negotiation Tom Haynes
[not found] ` <4A578372.1020005-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
2009-07-10 18:57 ` Chuck Lever
2009-07-10 20:11 ` Chuck Lever
2009-07-10 20:55 ` Tom Haynes
[not found] ` <4A57AADE.8080002-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
2009-07-10 21:37 ` Chuck Lever
2009-07-10 22:38 ` Tom Haynes
[not found] ` <4A57C2F3.4070109-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
2009-07-10 22:45 ` Trond Myklebust
[not found] ` <1247265922.8254.30.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-07-13 16:07 ` Tom Haynes
2009-07-13 16:20 ` Trond Myklebust [this message]
[not found] ` <1247502007.14524.3.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-07-13 16:44 ` Tom Haynes
2009-07-13 17:41 ` J. Bruce Fields
2009-07-14 18:24 ` Tom Haynes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1247502007.14524.3.camel@heimdal.trondhjem.org \
--to=trond.myklebust@fys.uio.no \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=tdh@excfb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox