On Thu, Aug 29, 2024 at 07:05:45AM +1000, NeilBrown wrote:
> On Wed, 28 Aug 2024, Mike Snitzer wrote:
> >
> > So I honestly feel like Chuck's latest revision is perfectly fine.
> > I disagree that "The behavior for LOCALIO is therefore the same as
> > the AUTH_UNIX check below." is inaccurate. The precondition from the
> > client (used to establish localio and cause rqstp to be NULL in
> > check_nfsd_access) is effectively comparable, no?
> >
>
> I don't think the correctness of the code is at all related to
> AUTH_UNIX.
> Suppose we did add support for krb5 somehow - would we really need a
> different test? I think not.
>
> I think that the reason the code is correct and safe is that we trust
> the client. We *know* the client will only present a filehandle which
> it has received over the wire and which it verified - with the
> accompanying credential - it was allowed to access.
>
> Maybe that is what you meant by "The precondition from the client". I
> agree that does give us sufficient safety. I don't think AUTH_UNIX is
> relevant.
>
> /*
>  * If rqstp is NULL, this is a LOCALIO request which will only ever use
>  * filehandle/credential pair for which access has been affirmed (by
>  * ACCESS or OPEN NFS requests) over the wire. So there is no need for
>  * further checks here.
>  */

Makes sense, and thanks!

> (It wasn't quite this clear to me when I wrote previously - but I always
> seem to think more clearly in the mornings!)

I haven't been sleeping enough.. tonight, tonight I will!!! ;)

Mike