From: "J. Bruce Fields" <bfields@fieldses.org>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: trond.myklebust@fys.uio.no, linux-nfs@vger.kernel.org
Subject: Re: [PATCH] NFS: Change default behavior when "sec=" is not specified by user
Date: Tue, 1 Sep 2009 11:18:31 -0400 [thread overview]
Message-ID: <20090901151830.GC22846@fieldses.org> (raw)
In-Reply-To: <7C5C14D9-F315-4DF8-A2F4-C7F0981AC968@oracle.com>
On Tue, Sep 01, 2009 at 11:10:36AM -0400, Chuck Lever wrote:
> On Sep 1, 2009, at 11:05 AM, J. Bruce Fields wrote:
>> On Tue, Sep 01, 2009 at 10:31:38AM -0400, Chuck Lever wrote:
>>> Currently the kernel's MNT client always uses AUTH_UNIX if no "sec="
>>> mount option was specified. In the interest of conforming more
>>> closely to RFC 2623, teach the MNT client to use the first flavor on
>>> the server's returned authflavor list instead of AUTH_UNIX, if "sec="
>>> was not specified.
>>>
>>> When the user does not specify "sec=" :
>>>
>>> o For NFSv2 and NFSv4: the default is always AUTH_UNIX (unchanged).
>>>
>>> o For NFSv3: if the server does not return an auth flavor list, use
>>> AUTH_UNIX by default; if the server does return a list, use the
>>> first entry on the list by default.
>>
>> Sounds good, but also:
>>
>> 1. Even when sec= is provided, we should probably still check
>> the passed-in security against the server-returned list.
>> (Otherwise AUTH_NULL mounts will almost *always* succeed, even
>> when no subsequent file operation would, thanks to the
>> allow-AUTH_NULL-on-mount behavior recommended by rfc 2523).
>> http://marc.info/?l=linux-nfs&m=125088837303339&w=2
>>
>> 2. In the absence of sec=, we should probably *not* choose
>> AUTH_NULL. (All mountd's before 1.1.3 list AUTH_NULL first on
>> the returned list, so users with older servers may wonder why a
>> client upgrade is making files they create suddenly be owned by
>> nobody.) http://marc.info/?l=linux-nfs&m=125089022306281&w=2
>>
>> 3. As a special exception, we should probably allow an explicit
>> "sec=null" to override #1 above, since ommission of AUTH_NULL
>> from post-1.1.3 mountd returns will make it otherwise impossible
>> to mount with AUTH_NULL.
>> http://marc.info/?l=linux-nfs&m=125113569524411&w=2
>>
>> Oops, my bad: I see now from the code that you did actually do #1, you
>> just didn't mention it above. OK!
>>
>> I don't see #2 or #3, though maybe they're already handled
>> somewhere....
>
> No, not in the kernel's MNT client. #3 seems like a server bug to me,
> though.
Alas, it's apparently a workaround for a client bug: see the url
referenced after #3. (But I don't know what client versions that bug
was in. If someone investigated and found they weren't widely
distributed, I'd take a patch to remove the workaround.)
--b.
next prev parent reply other threads:[~2009-09-01 15:18 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-09-01 14:31 [PATCH] NFS: Change default behavior when "sec=" is not specified by user Chuck Lever
[not found] ` <20090901143012.3978.11441.stgit-RytpoXr2tKZ9HhUboXbp9zCvJB+x5qRC@public.gmane.org>
2009-09-01 15:05 ` J. Bruce Fields
2009-09-01 15:10 ` Chuck Lever
2009-09-01 15:18 ` J. Bruce Fields [this message]
2009-09-01 15:52 ` Chuck Lever
2009-09-01 16:09 ` J. Bruce Fields
2009-09-01 16:29 ` Chuck Lever
2009-09-01 16:38 ` J. Bruce Fields
2009-09-01 18:07 ` Chuck Lever
2009-09-01 18:21 ` J. Bruce Fields
2009-09-01 18:25 ` Trond Myklebust
[not found] ` <1251829540.18608.31.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-09-01 18:28 ` Trond Myklebust
[not found] ` <1251829737.18608.34.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-09-01 18:35 ` Trond Myklebust
2009-09-01 18:58 ` Chuck Lever
2009-09-01 19:31 ` Trond Myklebust
[not found] ` <1251833479.18608.69.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-09-01 19:33 ` Trond Myklebust
2009-09-01 20:10 ` Chuck Lever
2009-09-01 20:15 ` J. Bruce Fields
2009-09-01 20:31 ` Chuck Lever
2009-09-01 21:22 ` Trond Myklebust
[not found] ` <1251840160.8463.20.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-09-02 14:16 ` Chuck Lever
2009-09-01 18:33 ` Peter Staubach
2009-09-01 18:50 ` J. Bruce Fields
2009-09-01 18:52 ` Peter Staubach
2009-09-01 19:16 ` J. Bruce Fields
2009-09-01 19:24 ` Peter Staubach
2009-09-01 20:05 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090901151830.GC22846@fieldses.org \
--to=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox