[PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports

[PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports

[Pali Rohár]

Linux NFS3 kernel client currently has broken support for NFS3
AUTH_NULL-only exports and also broken mount option -o sec=none
(which explicitly specifies that mount should use AUTH_NULL).

For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such
export with AUTH_UNIX authentication which results in unusable mount
point (any operation on it fails with error because server rejects
AUTH_UNIX authentication).

Half of the problem is with MNTv3 servers, as some of them (e.g. Linux
one) never announce AUTH_NULL authentication for any export. Linux MNTv3
server does not announce it even when the export has the only AUTH_NULL
auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX
is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server
for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use
AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX.

Main problem on the client side is that mount option -o sec=none for
NFS3 client is not processed and Linux NFS kernel client always skips
AUTH_NULL (even when server announce it, and also even when user
specifies -o sec=none on mount command line).

This patch series address these issues in NFS3 client code.

Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL,
by trying AUTH_NULL authentication as an absolutely last chance when
everything else fails. And honors user choice of AUTH_NULL if user
explicitly specified -o sec=none as mount option.

AUTH_NULL authentication is useful for read-only exports, including
public exports. As authentication for these types of exports do not have
to be required.

Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined
AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux
MNTv3 userspace server. And also tested with exports from modified MNTv3
server to properly return AUTH_NULL support in response list.

Patch series is based on the latest upstream tag v6.11-rc7.

Pali Rohár (5):
  nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3
    server
  nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures
  nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given
  nfs: Fix -o sec=none output in /proc/mounts
  nfs: Remove duplicate debug message 'using auth flavor'

 fs/nfs/client.c | 14 ++++++++++-
 fs/nfs/super.c  | 64 +++++++++++++++++++++++++++++++++++++++----------
 2 files changed, 65 insertions(+), 13 deletions(-)

-- 
2.20.1

[PATCH 1/5] nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3 server

[Pali Rohár]

Linux MNTv3 server does not announce AUTH_NULL in auth_info response.
This is a MNTv3 server bug and prevents kernel to mount exports with
AUTH_NULL flavor. So as a workaround when user explicitly specifies
only AUTH_NULL flavor via mount option -o sec=none then allow to
continue mounting export via AUTH_NULL.

This change fixes mounting of NFS3 AUTH_NULL exports from Linux NFS3
servers.

Signed-off-by: Pali Rohár <pali@kernel.org>
Cc: stable@vger.kernel.org
---
 fs/nfs/super.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 97b386032b71..3fef2afd94bd 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -819,6 +819,20 @@ static int nfs_verify_authflavors(struct nfs_fs_context *ctx,
 		goto out;
 	}
 
+	/*
+	 * Linux MNTv3 server does not announce AUTH_NULL in auth_info response.
+	 * This is a MNTv3 server bug and prevents kernel to mount exports with
+	 * AUTH_NULL flavor. So as a workaround when user explicitly specifies
+	 * only AUTH_NULL flavor via mount option -o sec=none then allow to
+	 * continue mounting export via AUTH_NULL.
+	 */
+	if (ctx->auth_info.flavor_len == 1 && ctx->auth_info.flavors[0] == RPC_AUTH_NULL) {
+		dfprintk(MOUNT,
+			 "NFS: requested auth flavor \"none\" is not announced by server, continuing anyway\n");
+		flavor = RPC_AUTH_NULL;
+		goto out;
+	}
+
 	dfprintk(MOUNT,
 		 "NFS: specified auth flavors not supported by server\n");
 	return -EACCES;
-- 
2.20.1

[PATCH 2/5] nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures

[Pali Rohár]

Linux NFS3 server returns NFS3ERR_ACCESS for PATHCONF procedure if
client-selected auth flavor is not enabled for export which is being
mounted. Ignoring this error results in choosing wrong auth flavor during
mount and so making the mount point inaccessible. It is because Linux NFS3
server allows to call other procedures used during mount time (FSINFO and
GETATTR) also with auth flavor which is explicitly disabled on particular
export.

This is particularly problem with mounting AUTH_NULL-only exports from
Linux NFS3 server as kernel client first try to use AUTH_UNIX auth flavor,
even when AUTH_UNIX is not announced by the MNTv3 server.

Do not propagate this failure for other auth methods, like GSS, as Linux
NFS3 server expects that accessing root export GSS dir may be done also by
other auth methods.

Signed-off-by: Pali Rohár <pali@kernel.org>
Cc: stable@vger.kernel.org
---
 fs/nfs/client.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 8286edd6062d..5171ae112355 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -864,7 +864,19 @@ static int nfs_probe_fsinfo(struct nfs_server *server, struct nfs_fh *mntfh, str
 		pathinfo.fattr = fattr;
 		nfs_fattr_init(fattr);
 
-		if (clp->rpc_ops->pathconf(server, mntfh, &pathinfo) >= 0)
+		error = clp->rpc_ops->pathconf(server, mntfh, &pathinfo);
+		/*
+		 * Linux NFS3 server for PATHCONF procedure returns back error
+		 * NFS3ERR_ACCESS when selected auth flavor is not enabled for
+		 * export. For auth flavors without authentication (none and
+		 * sys) propagate error back to nfs_probe_server() caller and
+		 * allow to choose different auth flavor.
+		 */
+		if (error == -EACCES && (
+		     server->client->cl_auth->au_flavor == RPC_AUTH_UNIX ||
+		     server->client->cl_auth->au_flavor == RPC_AUTH_NULL))
+			return error;
+		else if (error >= 0)
 			server->namelen = pathinfo.max_namelen;
 	}
 
-- 
2.20.1

[PATCH 3/5] nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given

[Pali Rohár]

As an absolutely last chance, after all previous failed attempts, try to
use also AUTH_NULL when mounting NFS3 export. Try AUTH_NULL also when MNTv3
server does not announce it because of Linux MNTv3 server rpc.mountd bug
which does not announce AUTH_NULL even when this is the only allowed method
on the server.

Currently AUTH_NULL is always skipped in nfs_try_mount_request() function
even when MNTv3 server announces it and so it is not possible to mount NFS3
export with AUTH_UNIX disallowed on server.

nfs_try_mount_request() function currently tries AUTH_UNIX method even when
server does not announces it. But it does not try to use AUTH_NULL when
server announces AUTH_NULL.

With this patch, AUTH_UNIX behavior as described above is not changed and
after the AUTH_UNIX attempt is added AUTH_NULL attempt as the absolutely
last chance.

With this patch it is possible to mount NFS3 exports with AUTH_NULL method
if all other methods are rejected by server. AUTH_NULL method is useful for
public read-only data exports which do not require any user authentication.

This change fixes mounting of NFS3 AUTH_NULL-only exports without need to
specify any special mount options, like -o sec.

Signed-off-by: Pali Rohár <pali@kernel.org>
Cc: stable@vger.kernel.org
---
 fs/nfs/super.c | 46 +++++++++++++++++++++++++++++++++++++---------
 1 file changed, 37 insertions(+), 9 deletions(-)

diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 3fef2afd94bd..4cb319be55ca 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -911,6 +911,7 @@ static struct nfs_server *nfs_try_mount_request(struct fs_context *fc)
 	struct nfs_fs_context *ctx = nfs_fc2context(fc);
 	int status;
 	unsigned int i;
+	int first_err = 0;
 	bool tried_auth_unix = false;
 	bool auth_null_in_list = false;
 	struct nfs_server *server = ERR_PTR(-EACCES);
@@ -947,7 +948,8 @@ static struct nfs_server *nfs_try_mount_request(struct fs_context *fc)
 	/*
 	 * No sec= option was provided. RFC 2623, section 2.7 suggests we
 	 * SHOULD prefer the flavor listed first. However, some servers list
-	 * AUTH_NULL first. Avoid ever choosing AUTH_NULL.
+	 * AUTH_NULL first. So skip AUTH_NULL here and try it as an absolutely
+	 * last chance at the end of this function.
 	 */
 	for (i = 0; i < authlist_len; ++i) {
 		rpc_authflavor_t flavor;
@@ -971,20 +973,46 @@ static struct nfs_server *nfs_try_mount_request(struct fs_context *fc)
 		server = ctx->nfs_mod->rpc_ops->create_server(fc);
 		if (!IS_ERR(server))
 			return server;
+		if (!first_err)
+			first_err = PTR_ERR(server);
 	}
 
 	/*
-	 * Nothing we tried so far worked. At this point, give up if we've
-	 * already tried AUTH_UNIX or if the server's list doesn't contain
-	 * AUTH_NULL
+	 * If AUTH_UNIX was not available in the server's list and AUTH_NULL was
+	 * then for compatibility with old NFS3 servers try also AUTH_UNIX.
 	 */
-	if (tried_auth_unix || !auth_null_in_list)
+	if (!tried_auth_unix && auth_null_in_list) {
+		dfprintk(MOUNT,
+			 "NFS: attempting to use auth flavor %u%s\n",
+			 RPC_AUTH_UNIX,
+			 ", even it was not announced by server");
+		ctx->selected_flavor = RPC_AUTH_UNIX;
+		server = ctx->nfs_mod->rpc_ops->create_server(fc);
+		if (!IS_ERR(server))
+			return server;
+		tried_auth_unix = true;
+	}
+
+	/*
+	 * Linux MNTv3 server rpc.mountd since nfs-utils version 1.1.3, commit
+	 * https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=3c1bb23c0379
+	 * does not include AUTH_NULL into server's list export response even
+	 * when AUTH_NULL is supported and enabled for that export on Linux
+	 * NFS3 server. AUTH_NULL was skipped when processing server's list,
+	 * so always try AUTH_NULL as an absolutely last chance and also when
+	 * it was not available in the server's list.
+	 */
+	dfprintk(MOUNT,
+		 "NFS: attempting to use auth flavor %u%s\n",
+		 RPC_AUTH_NULL,
+		 auth_null_in_list ? "" : ", even it was not announced by server");
+	ctx->selected_flavor = RPC_AUTH_NULL;
+	server = ctx->nfs_mod->rpc_ops->create_server(fc);
+	if (!IS_ERR(server))
 		return server;
 
-	/* Last chance! Try AUTH_UNIX */
-	dfprintk(MOUNT, "NFS: attempting to use auth flavor %u\n", RPC_AUTH_UNIX);
-	ctx->selected_flavor = RPC_AUTH_UNIX;
-	return ctx->nfs_mod->rpc_ops->create_server(fc);
+	/* Prefer error code from the first attempt of server's list. */
+	return first_err ? ERR_PTR(first_err) : server;
 }
 
 int nfs_try_get_tree(struct fs_context *fc)
-- 
2.20.1

[PATCH 4/5] nfs: Fix -o sec=none output in /proc/mounts

[Pali Rohár]

Linux nfs userspace tools supports AUTH_NULL flavor under name 'none'.
This name is used in /etc/exports file and also in '-o sec' mount option.

So for compatibility show AUTH_NULL flavor in /proc/mounts output as 'none'
instead of 'null'.

Signed-off-by: Pali Rohár <pali@kernel.org>
Cc: stable@vger.kernel.org
---
 fs/nfs/super.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 4cb319be55ca..86d98d15ee22 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -321,7 +321,7 @@ static const char *nfs_pseudoflavour_to_name(rpc_authflavor_t flavour)
 		const char *str;
 	} sec_flavours[NFS_AUTH_INFO_MAX_FLAVORS] = {
 		/* update NFS_AUTH_INFO_MAX_FLAVORS when this list changes! */
-		{ RPC_AUTH_NULL, "null" },
+		{ RPC_AUTH_NULL, "none" },
 		{ RPC_AUTH_UNIX, "sys" },
 		{ RPC_AUTH_GSS_KRB5, "krb5" },
 		{ RPC_AUTH_GSS_KRB5I, "krb5i" },
-- 
2.20.1

[PATCH 5/5] nfs: Remove duplicate debug message 'using auth flavor'

[Pali Rohár]

Function nfs_verify_authflavors() prints debug message 'using auth flavor'
on success. So not print same debug message after nfs_verify_authflavors()
call again.

Signed-off-by: Pali Rohár <pali@kernel.org>
---
 fs/nfs/super.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 86d98d15ee22..be487118cedc 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -938,8 +938,6 @@ static struct nfs_server *nfs_try_mount_request(struct fs_context *fc)
 	 */
 	if (ctx->auth_info.flavor_len > 0) {
 		status = nfs_verify_authflavors(ctx, authlist, authlist_len);
-		dfprintk(MOUNT, "NFS: using auth flavor %u\n",
-			 ctx->selected_flavor);
 		if (status)
 			return ERR_PTR(status);
 		return ctx->nfs_mod->rpc_ops->create_server(fc);
-- 
2.20.1

Re: [PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports

[Anna Schumaker]

Hi Pali,

On 9/12/24 9:02 AM, Pali Rohár wrote:
> Linux NFS3 kernel client currently has broken support for NFS3
> AUTH_NULL-only exports and also broken mount option -o sec=none
> (which explicitly specifies that mount should use AUTH_NULL).
> 
> For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such
> export with AUTH_UNIX authentication which results in unusable mount
> point (any operation on it fails with error because server rejects
> AUTH_UNIX authentication).
> 
> Half of the problem is with MNTv3 servers, as some of them (e.g. Linux
> one) never announce AUTH_NULL authentication for any export. Linux MNTv3
> server does not announce it even when the export has the only AUTH_NULL
> auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX
> is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server
> for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use
> AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX.
> 
> Main problem on the client side is that mount option -o sec=none for
> NFS3 client is not processed and Linux NFS kernel client always skips
> AUTH_NULL (even when server announce it, and also even when user
> specifies -o sec=none on mount command line).
> 
> This patch series address these issues in NFS3 client code.
> 
> Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL,
> by trying AUTH_NULL authentication as an absolutely last chance when
> everything else fails. And honors user choice of AUTH_NULL if user
> explicitly specified -o sec=none as mount option.

Why fix this on the client instead of fixing the server to announce AUTH_NULL
if this is what the user has configured?

Anna

> 
> AUTH_NULL authentication is useful for read-only exports, including
> public exports. As authentication for these types of exports do not have
> to be required.
> 
> Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined
> AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux
> MNTv3 userspace server. And also tested with exports from modified MNTv3
> server to properly return AUTH_NULL support in response list.
> 
> Patch series is based on the latest upstream tag v6.11-rc7.
> 
> Pali Rohár (5):
>   nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3
>     server
>   nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures
>   nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given
>   nfs: Fix -o sec=none output in /proc/mounts
>   nfs: Remove duplicate debug message 'using auth flavor'
> 
>  fs/nfs/client.c | 14 ++++++++++-
>  fs/nfs/super.c  | 64 +++++++++++++++++++++++++++++++++++++++----------
>  2 files changed, 65 insertions(+), 13 deletions(-)
> 

Re: [PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports

[Pali Rohár]

On Thursday 12 September 2024 17:06:07 Anna Schumaker wrote:
> Hi Pali,
> 
> On 9/12/24 9:02 AM, Pali Rohár wrote:
> > Linux NFS3 kernel client currently has broken support for NFS3
> > AUTH_NULL-only exports and also broken mount option -o sec=none
> > (which explicitly specifies that mount should use AUTH_NULL).
> > 
> > For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such
> > export with AUTH_UNIX authentication which results in unusable mount
> > point (any operation on it fails with error because server rejects
> > AUTH_UNIX authentication).
> > 
> > Half of the problem is with MNTv3 servers, as some of them (e.g. Linux
> > one) never announce AUTH_NULL authentication for any export. Linux MNTv3
> > server does not announce it even when the export has the only AUTH_NULL
> > auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX
> > is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server
> > for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use
> > AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX.
> > 
> > Main problem on the client side is that mount option -o sec=none for
> > NFS3 client is not processed and Linux NFS kernel client always skips
> > AUTH_NULL (even when server announce it, and also even when user
> > specifies -o sec=none on mount command line).
> > 
> > This patch series address these issues in NFS3 client code.
> > 
> > Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL,
> > by trying AUTH_NULL authentication as an absolutely last chance when
> > everything else fails. And honors user choice of AUTH_NULL if user
> > explicitly specified -o sec=none as mount option.
> 
> Why fix this on the client instead of fixing the server to announce AUTH_NULL
> if this is what the user has configured?

This can be a next step. Without this client workaround it is not
possible to connect with Linux client to existing/running servers.

> Anna
> 
> > 
> > AUTH_NULL authentication is useful for read-only exports, including
> > public exports. As authentication for these types of exports do not have
> > to be required.
> > 
> > Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined
> > AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux
> > MNTv3 userspace server. And also tested with exports from modified MNTv3
> > server to properly return AUTH_NULL support in response list.
> > 
> > Patch series is based on the latest upstream tag v6.11-rc7.
> > 
> > Pali Rohár (5):
> >   nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3
> >     server
> >   nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures
> >   nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given
> >   nfs: Fix -o sec=none output in /proc/mounts
> >   nfs: Remove duplicate debug message 'using auth flavor'
> > 
> >  fs/nfs/client.c | 14 ++++++++++-
> >  fs/nfs/super.c  | 64 +++++++++++++++++++++++++++++++++++++++----------
> >  2 files changed, 65 insertions(+), 13 deletions(-)
> > 

Re: [PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports

[Pali Rohár]

On Thursday 12 September 2024 15:02:15 Pali Rohár wrote:
> Linux NFS3 kernel client currently has broken support for NFS3
> AUTH_NULL-only exports and also broken mount option -o sec=none
> (which explicitly specifies that mount should use AUTH_NULL).
> 
> For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such
> export with AUTH_UNIX authentication which results in unusable mount
> point (any operation on it fails with error because server rejects
> AUTH_UNIX authentication).
> 
> Half of the problem is with MNTv3 servers, as some of them (e.g. Linux
> one) never announce AUTH_NULL authentication for any export. Linux MNTv3
> server does not announce it even when the export has the only AUTH_NULL
> auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX
> is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server
> for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use
> AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX.
> 
> Main problem on the client side is that mount option -o sec=none for
> NFS3 client is not processed and Linux NFS kernel client always skips
> AUTH_NULL (even when server announce it, and also even when user
> specifies -o sec=none on mount command line).
> 
> This patch series address these issues in NFS3 client code.
> 
> Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL,
> by trying AUTH_NULL authentication as an absolutely last chance when
> everything else fails. And honors user choice of AUTH_NULL if user
> explicitly specified -o sec=none as mount option.
> 
> AUTH_NULL authentication is useful for read-only exports, including
> public exports. As authentication for these types of exports do not have
> to be required.
> 
> Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined
> AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux
> MNTv3 userspace server. And also tested with exports from modified MNTv3
> server to properly return AUTH_NULL support in response list.
> 
> Patch series is based on the latest upstream tag v6.11-rc7.
> 
> Pali Rohár (5):
>   nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3
>     server
>   nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures
>   nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given
>   nfs: Fix -o sec=none output in /proc/mounts
>   nfs: Remove duplicate debug message 'using auth flavor'
> 
>  fs/nfs/client.c | 14 ++++++++++-
>  fs/nfs/super.c  | 64 +++++++++++++++++++++++++++++++++++++++----------
>  2 files changed, 65 insertions(+), 13 deletions(-)
> 
> -- 
> 2.20.1
> 

Hello, month ago I have sent these fixes for NFS3 client AUTH_NULL
support. Are there any issues with them?

Re: [PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports

[Pali Rohár]

On Saturday 05 October 2024 17:15:02 Pali Rohár wrote:
> On Thursday 12 September 2024 15:02:15 Pali Rohár wrote:
> > Linux NFS3 kernel client currently has broken support for NFS3
> > AUTH_NULL-only exports and also broken mount option -o sec=none
> > (which explicitly specifies that mount should use AUTH_NULL).
> > 
> > For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such
> > export with AUTH_UNIX authentication which results in unusable mount
> > point (any operation on it fails with error because server rejects
> > AUTH_UNIX authentication).
> > 
> > Half of the problem is with MNTv3 servers, as some of them (e.g. Linux
> > one) never announce AUTH_NULL authentication for any export. Linux MNTv3
> > server does not announce it even when the export has the only AUTH_NULL
> > auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX
> > is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server
> > for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use
> > AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX.
> > 
> > Main problem on the client side is that mount option -o sec=none for
> > NFS3 client is not processed and Linux NFS kernel client always skips
> > AUTH_NULL (even when server announce it, and also even when user
> > specifies -o sec=none on mount command line).
> > 
> > This patch series address these issues in NFS3 client code.
> > 
> > Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL,
> > by trying AUTH_NULL authentication as an absolutely last chance when
> > everything else fails. And honors user choice of AUTH_NULL if user
> > explicitly specified -o sec=none as mount option.
> > 
> > AUTH_NULL authentication is useful for read-only exports, including
> > public exports. As authentication for these types of exports do not have
> > to be required.
> > 
> > Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined
> > AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux
> > MNTv3 userspace server. And also tested with exports from modified MNTv3
> > server to properly return AUTH_NULL support in response list.
> > 
> > Patch series is based on the latest upstream tag v6.11-rc7.
> > 
> > Pali Rohár (5):
> >   nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3
> >     server
> >   nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures
> >   nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given
> >   nfs: Fix -o sec=none output in /proc/mounts
> >   nfs: Remove duplicate debug message 'using auth flavor'
> > 
> >  fs/nfs/client.c | 14 ++++++++++-
> >  fs/nfs/super.c  | 64 +++++++++++++++++++++++++++++++++++++++----------
> >  2 files changed, 65 insertions(+), 13 deletions(-)
> > 
> > -- 
> > 2.20.1
> > 
> 
> Hello, month ago I have sent these fixes for NFS3 client AUTH_NULL
> support. Are there any issues with them?

Hello, as there are not any objections, could you prepare these fixes for -next tree?

Re: [PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports

[Pali Rohár]

PING? If there is no objection, could you include series into -next?

On Thursday 12 September 2024 15:02:15 Pali Rohár wrote:
> Linux NFS3 kernel client currently has broken support for NFS3
> AUTH_NULL-only exports and also broken mount option -o sec=none
> (which explicitly specifies that mount should use AUTH_NULL).
> 
> For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such
> export with AUTH_UNIX authentication which results in unusable mount
> point (any operation on it fails with error because server rejects
> AUTH_UNIX authentication).
> 
> Half of the problem is with MNTv3 servers, as some of them (e.g. Linux
> one) never announce AUTH_NULL authentication for any export. Linux MNTv3
> server does not announce it even when the export has the only AUTH_NULL
> auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX
> is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server
> for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use
> AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX.
> 
> Main problem on the client side is that mount option -o sec=none for
> NFS3 client is not processed and Linux NFS kernel client always skips
> AUTH_NULL (even when server announce it, and also even when user
> specifies -o sec=none on mount command line).
> 
> This patch series address these issues in NFS3 client code.
> 
> Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL,
> by trying AUTH_NULL authentication as an absolutely last chance when
> everything else fails. And honors user choice of AUTH_NULL if user
> explicitly specified -o sec=none as mount option.
> 
> AUTH_NULL authentication is useful for read-only exports, including
> public exports. As authentication for these types of exports do not have
> to be required.
> 
> Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined
> AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux
> MNTv3 userspace server. And also tested with exports from modified MNTv3
> server to properly return AUTH_NULL support in response list.
> 
> Patch series is based on the latest upstream tag v6.11-rc7.
> 
> Pali Rohár (5):
>   nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3
>     server
>   nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures
>   nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given
>   nfs: Fix -o sec=none output in /proc/mounts
>   nfs: Remove duplicate debug message 'using auth flavor'
> 
>  fs/nfs/client.c | 14 ++++++++++-
>  fs/nfs/super.c  | 64 +++++++++++++++++++++++++++++++++++++++----------
>  2 files changed, 65 insertions(+), 13 deletions(-)
> 
> -- 
> 2.20.1
> 

Re: [PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports

[Pali Rohár]

PING?

On Sunday 22 December 2024 17:40:18 Pali Rohár wrote:
> PING? If there is no objection, could you include series into -next?
> 
> On Thursday 12 September 2024 15:02:15 Pali Rohár wrote:
> > Linux NFS3 kernel client currently has broken support for NFS3
> > AUTH_NULL-only exports and also broken mount option -o sec=none
> > (which explicitly specifies that mount should use AUTH_NULL).
> > 
> > For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such
> > export with AUTH_UNIX authentication which results in unusable mount
> > point (any operation on it fails with error because server rejects
> > AUTH_UNIX authentication).
> > 
> > Half of the problem is with MNTv3 servers, as some of them (e.g. Linux
> > one) never announce AUTH_NULL authentication for any export. Linux MNTv3
> > server does not announce it even when the export has the only AUTH_NULL
> > auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX
> > is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server
> > for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use
> > AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX.
> > 
> > Main problem on the client side is that mount option -o sec=none for
> > NFS3 client is not processed and Linux NFS kernel client always skips
> > AUTH_NULL (even when server announce it, and also even when user
> > specifies -o sec=none on mount command line).
> > 
> > This patch series address these issues in NFS3 client code.
> > 
> > Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL,
> > by trying AUTH_NULL authentication as an absolutely last chance when
> > everything else fails. And honors user choice of AUTH_NULL if user
> > explicitly specified -o sec=none as mount option.
> > 
> > AUTH_NULL authentication is useful for read-only exports, including
> > public exports. As authentication for these types of exports do not have
> > to be required.
> > 
> > Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined
> > AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux
> > MNTv3 userspace server. And also tested with exports from modified MNTv3
> > server to properly return AUTH_NULL support in response list.
> > 
> > Patch series is based on the latest upstream tag v6.11-rc7.
> > 
> > Pali Rohár (5):
> >   nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3
> >     server
> >   nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures
> >   nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given
> >   nfs: Fix -o sec=none output in /proc/mounts
> >   nfs: Remove duplicate debug message 'using auth flavor'
> > 
> >  fs/nfs/client.c | 14 ++++++++++-
> >  fs/nfs/super.c  | 64 +++++++++++++++++++++++++++++++++++++++----------
> >  2 files changed, 65 insertions(+), 13 deletions(-)
> > 
> > -- 
> > 2.20.1
> > 

Re: [PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports

[Pali Rohár]

PING?

On Friday 18 April 2025 20:03:13 Pali Rohár wrote:
> PING?
> 
> On Sunday 22 December 2024 17:40:18 Pali Rohár wrote:
> > PING? If there is no objection, could you include series into -next?
> > 
> > On Thursday 12 September 2024 15:02:15 Pali Rohár wrote:
> > > Linux NFS3 kernel client currently has broken support for NFS3
> > > AUTH_NULL-only exports and also broken mount option -o sec=none
> > > (which explicitly specifies that mount should use AUTH_NULL).
> > > 
> > > For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such
> > > export with AUTH_UNIX authentication which results in unusable mount
> > > point (any operation on it fails with error because server rejects
> > > AUTH_UNIX authentication).
> > > 
> > > Half of the problem is with MNTv3 servers, as some of them (e.g. Linux
> > > one) never announce AUTH_NULL authentication for any export. Linux MNTv3
> > > server does not announce it even when the export has the only AUTH_NULL
> > > auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX
> > > is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server
> > > for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use
> > > AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX.
> > > 
> > > Main problem on the client side is that mount option -o sec=none for
> > > NFS3 client is not processed and Linux NFS kernel client always skips
> > > AUTH_NULL (even when server announce it, and also even when user
> > > specifies -o sec=none on mount command line).
> > > 
> > > This patch series address these issues in NFS3 client code.
> > > 
> > > Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL,
> > > by trying AUTH_NULL authentication as an absolutely last chance when
> > > everything else fails. And honors user choice of AUTH_NULL if user
> > > explicitly specified -o sec=none as mount option.
> > > 
> > > AUTH_NULL authentication is useful for read-only exports, including
> > > public exports. As authentication for these types of exports do not have
> > > to be required.
> > > 
> > > Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined
> > > AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux
> > > MNTv3 userspace server. And also tested with exports from modified MNTv3
> > > server to properly return AUTH_NULL support in response list.
> > > 
> > > Patch series is based on the latest upstream tag v6.11-rc7.
> > > 
> > > Pali Rohár (5):
> > >   nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3
> > >     server
> > >   nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures
> > >   nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given
> > >   nfs: Fix -o sec=none output in /proc/mounts
> > >   nfs: Remove duplicate debug message 'using auth flavor'
> > > 
> > >  fs/nfs/client.c | 14 ++++++++++-
> > >  fs/nfs/super.c  | 64 +++++++++++++++++++++++++++++++++++++++----------
> > >  2 files changed, 65 insertions(+), 13 deletions(-)
> > > 
> > > -- 
> > > 2.20.1
> > > 

Re: [PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports

[Pali Rohár]

PING?

On Sunday 04 May 2025 10:48:40 Pali Rohár wrote:
> PING?
> 
> On Friday 18 April 2025 20:03:13 Pali Rohár wrote:
> > PING?
> > 
> > On Sunday 22 December 2024 17:40:18 Pali Rohár wrote:
> > > PING? If there is no objection, could you include series into -next?
> > > 
> > > On Thursday 12 September 2024 15:02:15 Pali Rohár wrote:
> > > > Linux NFS3 kernel client currently has broken support for NFS3
> > > > AUTH_NULL-only exports and also broken mount option -o sec=none
> > > > (which explicitly specifies that mount should use AUTH_NULL).
> > > > 
> > > > For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such
> > > > export with AUTH_UNIX authentication which results in unusable mount
> > > > point (any operation on it fails with error because server rejects
> > > > AUTH_UNIX authentication).
> > > > 
> > > > Half of the problem is with MNTv3 servers, as some of them (e.g. Linux
> > > > one) never announce AUTH_NULL authentication for any export. Linux MNTv3
> > > > server does not announce it even when the export has the only AUTH_NULL
> > > > auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX
> > > > is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server
> > > > for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use
> > > > AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX.
> > > > 
> > > > Main problem on the client side is that mount option -o sec=none for
> > > > NFS3 client is not processed and Linux NFS kernel client always skips
> > > > AUTH_NULL (even when server announce it, and also even when user
> > > > specifies -o sec=none on mount command line).
> > > > 
> > > > This patch series address these issues in NFS3 client code.
> > > > 
> > > > Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL,
> > > > by trying AUTH_NULL authentication as an absolutely last chance when
> > > > everything else fails. And honors user choice of AUTH_NULL if user
> > > > explicitly specified -o sec=none as mount option.
> > > > 
> > > > AUTH_NULL authentication is useful for read-only exports, including
> > > > public exports. As authentication for these types of exports do not have
> > > > to be required.
> > > > 
> > > > Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined
> > > > AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux
> > > > MNTv3 userspace server. And also tested with exports from modified MNTv3
> > > > server to properly return AUTH_NULL support in response list.
> > > > 
> > > > Patch series is based on the latest upstream tag v6.11-rc7.
> > > > 
> > > > Pali Rohár (5):
> > > >   nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3
> > > >     server
> > > >   nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures
> > > >   nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given
> > > >   nfs: Fix -o sec=none output in /proc/mounts
> > > >   nfs: Remove duplicate debug message 'using auth flavor'
> > > > 
> > > >  fs/nfs/client.c | 14 ++++++++++-
> > > >  fs/nfs/super.c  | 64 +++++++++++++++++++++++++++++++++++++++----------
> > > >  2 files changed, 65 insertions(+), 13 deletions(-)
> > > > 
> > > > -- 
> > > > 2.20.1
> > > > 

Re: [PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports

[Pali Rohár]

Hello, I would like to remind this patch series from the previous year. Any comments?

On Thursday 12 September 2024 15:02:15 Pali Rohár wrote:
> Linux NFS3 kernel client currently has broken support for NFS3
> AUTH_NULL-only exports and also broken mount option -o sec=none
> (which explicitly specifies that mount should use AUTH_NULL).
> 
> For AUTH_NULL-only server exports, Linux NFS3 kernel client mounts such
> export with AUTH_UNIX authentication which results in unusable mount
> point (any operation on it fails with error because server rejects
> AUTH_UNIX authentication).
> 
> Half of the problem is with MNTv3 servers, as some of them (e.g. Linux
> one) never announce AUTH_NULL authentication for any export. Linux MNTv3
> server does not announce it even when the export has the only AUTH_NULL
> auth method allowed, instead it announce AUTH_UNIX (even when AUTH_UNIX
> is disabled for that export in Linux NFS3 knfsd server). So MNTv3 server
> for AUTH_NONE-only exports instruct Linux NFS3 kernel client to use
> AUTH_UNIX and then NFS3 server refuse access to files with AUTH_UNIX.
> 
> Main problem on the client side is that mount option -o sec=none for
> NFS3 client is not processed and Linux NFS kernel client always skips
> AUTH_NULL (even when server announce it, and also even when user
> specifies -o sec=none on mount command line).
> 
> This patch series address these issues in NFS3 client code.
> 
> Add a workaround for buggy MNTv3 servers which do not announce AUTH_NULL,
> by trying AUTH_NULL authentication as an absolutely last chance when
> everything else fails. And honors user choice of AUTH_NULL if user
> explicitly specified -o sec=none as mount option.
> 
> AUTH_NULL authentication is useful for read-only exports, including
> public exports. As authentication for these types of exports do not have
> to be required.
> 
> Patch series was tested with AUTH_NULL-only, AUTH_UNIX-only and combined
> AUTH_NULL+AUTH_UNIX exports from Linux knfsd NFS3 server + default Linux
> MNTv3 userspace server. And also tested with exports from modified MNTv3
> server to properly return AUTH_NULL support in response list.
> 
> Patch series is based on the latest upstream tag v6.11-rc7.
> 
> Pali Rohár (5):
>   nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3
>     server
>   nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures
>   nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given
>   nfs: Fix -o sec=none output in /proc/mounts
>   nfs: Remove duplicate debug message 'using auth flavor'
> 
>  fs/nfs/client.c | 14 ++++++++++-
>  fs/nfs/super.c  | 64 +++++++++++++++++++++++++++++++++++++++----------
>  2 files changed, 65 insertions(+), 13 deletions(-)
> 
> -- 
> 2.20.1
>