Re: [PATCH] Honor the no_root_squash flag on pseudo roots.

On Tue, 2012-05-29 at 11:55 -0400, Steve Dickson wrote:
> 
> On 05/29/2012 11:00 AM, Trond Myklebust wrote:
> > On Tue, 2012-05-29 at 09:07 -0400, Steve Dickson wrote:
> >> If root squashing is turned off on an export that
> >> has multiple directories, the parent directories
> >> of the pseudo exports that are built also need to
> >> have root squashing turned off.
> >>
> >> Signed-off-by: Steve Dickson <steved@xxxxxxxxxx>
> >> ---
> >>  utils/mountd/v4root.c |    9 ++++++++-
> >>  1 files changed, 8 insertions(+), 1 deletions(-)
> >>
> >> diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
> >> index 708eb61..ad8a3e7 100644
> >> --- a/utils/mountd/v4root.c
> >> +++ b/utils/mountd/v4root.c
> >> @@ -92,7 +92,14 @@ v4root_create(char *path, nfs_export *export)
> >>  	exp = export_create(&eep, 0);
> >>  	if (exp == NULL)
> >>  		return NULL;
> >> -	xlog(D_CALL, "v4root_create: path '%s'", exp->m_export.e_path);
> >> +	/*
> >> +	 * Honor the no_root_squash flag 
> >> +	 */
> >> +	if ((curexp->e_flags & NFSEXP_ROOTSQUASH) == 0)
> >> +		exp->m_export.e_flags &= ~NFSEXP_ROOTSQUASH;
> >> +	xlog(D_CALL, "v4root_create: path '%s' flags 0x%x", 
> >> +		exp->m_export.e_path, exp->m_export.e_flags);
> >> +
> >>  	return &exp->m_export;
> >>  }
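Review bot: at `if ((curexp->e_flags & NFSEXP_ROOTSQUASH) == 0)`, `curexp` is neither a parameter in the `v4root_create(char *path, nfs_export *export)` signature shown in the hunk header nor declared in the visible lines, so please confirm it refers to the export that triggered creation of this pseudo root. The new comment only restates the subject line; it should say why the ancestor needs the flag cleared and what is expected when another export under the same parent keeps root squashing, since clearing `NFSEXP_ROOTSQUASH` here relaxes squashing on parent directories that were not themselves exported with that option. The added comment line and the `xlog(` line also end in trailing whitespace.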
> > 
> > 
> > As long as the user is authenticated, why do we care whether or not they
> > are squashed to user 'nobody' for authorisation purposes? There
> > shouldn't be any permission checks enforced on the pseudo-root, should
> > there?
> >
> The access checks come during the lookup of the pseudo-root. 
> 
> For example
>      /home/steved/work *(rw,no_root_squash)
> 
> This is the export which causes mountd to build the pseudo-roots of
>      '/', '/home', and '/home/steved'
> 
> Now if the no_root_squash is not set on those pseudo-roots the
> access bits returned by server will cause the lookup of
> /home/steved/work to fail. 

If '/', '/home' and '/home/steved' aren't exported directories, then how
can they have properties such as acls? I thought the whole point of the
pseudo-filesystem was to just provide a namespace that bridges between
actual exported filesystems.
As long as I'm authenticated (i.e. my RPC credential matches the 'sec='
line in /etc/exports), then why shouldn't I be able to 'cd'
into /home/steved and run an 'ls'?

Cheers
  Trond
-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@xxxxxxxxxx
www.netapp.com