On Tue, 2012-05-29 at 11:55 -0400, Steve Dickson wrote:
>
> On 05/29/2012 11:00 AM, Trond Myklebust wrote:
> > On Tue, 2012-05-29 at 09:07 -0400, Steve Dickson wrote:
> >> If root squashing is turned off on an export that
> >> has multiple directories, the parent directories
> >> of the pseudo exports that are built also need to
> >> have root squashing turned off.
> >>
> >> Signed-off-by: Steve Dickson <steved@xxxxxxxxxx>
> >> --- > >> utils/mountd/v4root.c | 9 ++++++++- > >> 1 files changed, 8 insertions(+), 1 deletions(-) > >> > >> diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c > >> index 708eb61..ad8a3e7 100644 > >> --- a/utils/mountd/v4root.c > >> +++ b/utils/mountd/v4root.c
> >> @@ -92,7 +92,14 @@ v4root_create(char *path, nfs_export *export) > >> exp = export_create(&eep, 0); > >> if (exp == NULL) > >> return NULL; > >> - xlog(D_CALL, "v4root_create: path '%s'", exp->m_export.e_path); > >> + /* > >> + * Honor the no_root_squash flag > >> + */ > >> + if ((curexp->e_flags & NFSEXP_ROOTSQUASH) == 0) > >> + exp->m_export.e_flags &= ~NFSEXP_ROOTSQUASH; > >> + xlog(D_CALL, "v4root_create: path '%s' flags 0x%x", > >> + exp->m_export.e_path, exp->m_export.e_flags); > >> + > >> return &exp->m_export; > >> }
> >
> >
> > As long as the user is authenticated, why do we care whether or not they
> > are squashed to user 'nobody' for authorisation purposes? There
> > shouldn't be any permission checks enforced on the pseudo-root, should
> > there?
> >
> The access checks come during the lookup of the pseudo-root.
>
> For example
> /home/steved/work *(rw,no_root_squash)
>
> This is the export which causes mountd to build the pseudo-roots of
> '/', '/home', and '/home/steved'
>
> Now if the no_root_squash is not set on those pseudo-roots the
> access bits returned by server will cause the lookup of
> /home/steved/work to fail.

If '/', '/home' and '/home/steved' aren't exported directories, then how can they have properties such as acls? I thought the whole point of the pseudo-filesystem was to just provide a namespace that bridges between actual exported filesystems.

As long as I'm authenticated (i.e. my RPC credential matches the 'sec=' line in /etc/exports), then why shouldn't I be able to 'cd' into /home/steved and run an 'ls'?

Cheers
Trond

--
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@xxxxxxxxxx
www.netapp.com
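
Review bot: in the added test `if ((curexp->e_flags & NFSEXP_ROOTSQUASH) == 0)`, `curexp` is neither one of the parameters shown in the hunk header (`path`, `export`) nor declared anywhere in the visible lines, so the patch does not show which export's flags are being read. If it is meant to be the export passed in as `export`, say so in the hunk or read the flags through that parameter. The comment `Honor the no_root_squash flag` should also state what the clear on `exp->m_export.e_flags` applies to: the pseudo-root entry created for a parent path that the administrator did not list in the exports file. Since that relaxes root squashing on directories outside the configured export, the comment should record why it is needed (the lookup of the real export through its parents) so the scope of the relaxation can be reviewed.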