From: Chuck Lever <chuck.lever@oracle.com>
To: linux-nfs@vger.kernel.org
Subject: [PATCH 2/2] NFS: Allow sec=none mounts in certain cases
Date: Tue, 28 Jun 2011 14:25:41 -0400 [thread overview]
Message-ID: <20110628182540.2866.42553.stgit@seurat.1015granger.net> (raw)
In-Reply-To: <20110628181324.2866.98154.stgit@seurat.1015granger.net>
There is an undocumented convention (verified by reviewing network
traces from a NetApp filer and a Solaris NFS server) where a server
that returns a mount authflavor list containing an AUTH_NULL entry
is actually indicating it will accept any security flavor for the
export being mounted.
This might be used when the server maps all security flavors into the
same security mode. For example, the server treats all accessors as,
say, UID 17.
Essentially, AUTH_NULL is treated as a wildcard that matches the
flavor the mounter requested.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
fs/nfs/super.c | 15 +++++++++++----
1 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 4625a4c..543cf9f 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1570,13 +1570,20 @@ static int nfs_walk_authlist(struct nfs_parsed_mount_data *args,
* the first flavor in the list that it supports, on the
* assumption that the best access is provided by the first
* flavor."
+ *
+ * By convention we treat AUTH_NULL in the returned list as
+ * a wild card. The server will map our requested flavor to
+ * something else.
*/
- for (i = 0; i < args->auth_flavor_len; i++)
- for (j = 0; j < server_authlist_len; j++)
- if (args->auth_flavors[i] == server->auth_flavs[j]) {
- args->auth_flavors[0] = server->auth_flavs[j];
+ for (i = 0; i < server_authlist_len; i++) {
+ if (server->auth_flavs[i] == RPC_AUTH_NULL)
+ goto out;
+ for (j = 0; j < args->auth_flavor_len; j++)
+ if (server->auth_flavs[i] == args->auth_flavors[j]) {
+ args->auth_flavors[0] = server->auth_flavs[i];
goto out;
}
+ }
dfprintk(MOUNT, "NFS: server does not support requested auth flavor\n");
nfs_umount(server);
next prev parent reply other threads:[~2011-06-28 18:25 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-28 18:25 [PATCH 0/2] Allow mounting exports that advertise NULL security Chuck Lever
2011-06-28 18:25 ` [PATCH 1/2] NFS: Clean up nfs_walk_authlist() Chuck Lever
2011-06-28 18:25 ` Chuck Lever [this message]
2011-06-28 18:41 ` [PATCH 2/2] NFS: Allow sec=none mounts in certain cases Chuck Lever
2011-06-28 19:06 ` J. Bruce Fields
2011-06-28 19:10 ` J. Bruce Fields
2011-06-28 19:34 ` Chuck Lever
2011-06-28 20:08 ` Bryan Schumaker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110628182540.2866.42553.stgit@seurat.1015granger.net \
--to=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.