From: "J. Bruce Fields" <bfields@fieldses.org>
To: NeilBrown <neilb@suse.de>
Cc: NFS <linux-nfs@vger.kernel.org>
Subject: Re: Inconsistency when mounting a directory that 'world' cannot access.
Date: Mon, 1 Oct 2012 11:43:10 -0400 [thread overview]
Message-ID: <20121001154309.GD18400@fieldses.org> (raw)
In-Reply-To: <20120918112329.7d88ed9e@notabene.brown>
On Tue, Sep 18, 2012 at 11:23:29AM +1000, NeilBrown wrote:
>
> Suppose that on an NFS server I have a directory
> /foo/bar/baz
>
> which I export, and that /foo/bar does not have world access. e.g.
> permissions are '750' and everyone who owns files in there is a member of the
> group which owns /foo/bar.
>
> Then with NFSv3 I can
> mount server:/foo/bar/baz /somewhere
> because the lookup of /foo/bar/baz happens as root on the server in mountd.
>
> With NFSv4 using 'sec=sys' I can only do this if I export with
> "no_root_squash", as the lookup happens on the client as root, and if root
> were squashed, it wouldn't have access beyond /foo/bar.
>
> But if I use NFSv4 using 'sec=krb5', the lookup happens on the client using a
> machine credential which gets mapped to 'nobody/nogroup' (or whatever anonuid
> and anongid are set to for the export). So I cannot perform the mount at all.
>
> This is - at best - inconsistent and can cause confusion (hey - I was
> confused for a while there).
>
> Should something be done? Can anything be done?
I think nfsd_lookup_dentry() would need a special exception for the
NFSEXP_V4ROOT case.
Looks like the directory permission check is actually done in
lookup_one_len(), so we'd need to either call something else or
temporarily swap credentials?
--b.
>
> I lean towards thinking that the most restrictive behaviour is most correct
> (though I have a customer who feels that it is too restrictive).
>
> Should the NFSv4 client always use an anon credential when performing the
> 'mount'? Is that even possible for auth_sys?
> Should rpc.mountd use set_fsuid before doing the path lookup to ensure that
> everyone has access to the exported directory?
>
> Or is there some way 'mount' lookups for krb5 could be treated as being
> performed by root?
>
> Any ideas?
next prev parent reply other threads:[~2012-10-01 15:43 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-18 1:23 Inconsistency when mounting a directory that 'world' cannot access NeilBrown
2012-10-01 15:43 ` J. Bruce Fields [this message]
2012-10-02 2:38 ` NeilBrown
2012-10-02 14:33 ` J. Bruce Fields
2012-10-03 3:46 ` NeilBrown
2012-10-03 15:13 ` J. Bruce Fields
2012-10-03 15:48 ` Myklebust, Trond
2012-10-03 16:27 ` J. Bruce Fields
2012-10-03 22:46 ` NeilBrown
2012-10-04 16:07 ` J. Bruce Fields
2012-10-08 6:03 ` NeilBrown
2012-10-08 11:42 ` Steve Dickson
2012-10-08 12:20 ` J. Bruce Fields
2012-10-09 0:30 ` NeilBrown
2012-10-08 12:19 ` J. Bruce Fields
2012-10-08 13:54 ` Malahal Naineni
2012-10-08 14:18 ` J. Bruce Fields
2012-10-08 15:26 ` Malahal Naineni
2012-10-09 0:33 ` NeilBrown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121001154309.GD18400@fieldses.org \
--to=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).