On Fri, Jan 22, 2016 at 11:09:15AM -0500, Andrew W Elble wrote: > > > By the way, is the only problem is that the client is trying to do > > krb5i/krb5p on an export exported only with sec=sys or sec=krb5? > > Barring anything else I missed, yes. > > > So for example we could allow krb5i/krb5p on any compound containing an > > so_must_allow op? > > This was roughly my reasoning/question... Right, so I guess I've convinced myself to stop worrying as much about whether your nfsd4_spo_must_allow allows too much. In fact I wonder if it'd be simpler just to skip the OP_IS_PUTFH_LIKE checks and just set spo_must_allowed on any compound with any must_allow op in it. At worst we've allowed use of krb5p/krb5i for a few ops on filesystems that don't allow those, but who cares. It doesn't bypass filesystem permission checks on operations that do permission checks, and you still might consider removing that fh_verify from DELEGRETURN in a separate patch. And the client may still have some trouble with filesystems that do permission checks on GETATTR. --b. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
