Re: Varying ro/rw based on security flavor doesn't work


 



On 01/09/2018 02:23 PM, J. Bruce Fields wrote:
> On Tue, Jan 09, 2018 at 10:11:05AM -0500, Tamas Vincze wrote:
>> The exports man page says that one can vary ro/rw based on security
>> flavor by including multiple sec= options in /etc/exports, but it
>> seems to be broken in nfs-utils-1.3.0-0.48.el7_4.
>>
>> For example this /etc/exports:
>>
>> /export/pub 10.13.0.0/16(sec=sys,ro,sec=krb5i:krb5p,rw)
>>
>> results in this /var/lib/nfs/etab:
>>
>> /export/pub 10.13.0.0/16(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,secure,root_squash,no_all_squash,sec=krb5i:krb5p,secure,root_squash,no_all_squash)
>>
>> Only the rw option is present in etab, that applies to both sec=sys
>> and sec=krb5i:krb5p.
>>
>> Is this bug specific to redhat or also present upstream?
>
> I don't know off the top of my head....  Is there a redhat bug filed?

I filed one today: https://bugzilla.redhat.com/show_bug.cgi?id=1532688
It has no duplicates so far...

> And is there some previous version that you know worked?

I don't know, I haven't used this feature before.

> Agreed that it looks like a bug.
>
> --b.

And it can have some security implications if people have been relying on it and it quietly broke (sec=sys is basically no security these days). I see this feature has been around for more than a decade so there's a good chance that it's in use.

-Tamas
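
Added example, not part of the original thread and not nfs-utils code: a check that compares the per-flavor ro/rw intent of an /etc/exports line with what the matching /var/lib/nfs/etab line grants, and reports flavors that were meant to be read-only but ended up writable. The function names are hypothetical, and the parsing models the rule described in exports(5) (ro/rw after a sec= option applies only to that sec= list, ro is the default, sys is the default flavor), not the actual exportfs parser.

```python
import re

# Both lines are copied from the thread above (the etab line wrapped for width).
EXPORTS_LINE = "/export/pub 10.13.0.0/16(sec=sys,ro,sec=krb5i:krb5p,rw)"
ETAB_LINE = (
    "/export/pub 10.13.0.0/16(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,"
    "no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,"
    "anongid=65534,sec=sys,secure,root_squash,no_all_squash,"
    "sec=krb5i:krb5p,secure,root_squash,no_all_squash)"
)

def access_by_flavor(line):
    """Map client -> {flavor: 'ro' | 'rw'} for one exports or etab line.

    Models the rule in exports(5): ro/rw placed after a sec= option applies
    only to the flavors of that sec= list; ro/rw before any sec= applies to
    every flavor. This is not the nfs-utils parser itself.
    """
    result = {}
    for client, opts in re.findall(r"([^\s(]+)\(([^)]*)\)", line):
        default, current, modes = "ro", None, {}   # exports(5) default is ro
        for opt in filter(None, opts.split(",")):
            if opt.startswith("sec="):
                current = opt[4:].split(":")
                for flavor in current:
                    modes.setdefault(flavor, None)
            elif opt in ("ro", "rw"):
                if current is None:
                    default = opt
                else:
                    modes.update({flavor: opt for flavor in current})
        if not modes:
            modes = {"sys": None}                  # no sec= means sec=sys
        result[client] = {f: m or default for f, m in modes.items()}
    return result

def widened_access(exports_line, etab_line):
    """Return (client, flavor) pairs that are ro in exports but rw in etab."""
    wanted = access_by_flavor(exports_line)
    actual = access_by_flavor(etab_line)
    return sorted(
        (client, flavor)
        for client, flavors in wanted.items()
        for flavor, mode in flavors.items()
        if mode == "ro" and actual.get(client, {}).get(flavor) == "rw"
    )

if __name__ == "__main__":
    for client, flavor in widened_access(EXPORTS_LINE, ETAB_LINE):
        print(f"{client}: sec={flavor} is ro in exports but rw in etab")
```

Run against the two lines from this report, it flags sec=sys for 10.13.0.0/16, which is the silent widening described above.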