• J. Bruce Fields's avatar
    nfsd: permit unauthenticated stat of export root · 04716e66
    J. Bruce Fields authored
    RFC 2623 section 2.3.2 permits the server to bypass gss authentication
    checks for certain operations that a client may perform when mounting.
    In the case of a client that doesn't have some form of credentials
    available to it on boot, this allows it to perform the mount unattended.
    (Presumably real file access won't be needed until a user with
    credentials logs in.)
    
    Being slightly more lenient allows lots of old clients to access
    krb5-only exports, with the only loss being a small amount of
    information leaked about the root directory of the export.
    
    This affects only v2 and v3; v4 still requires authentication for all
    access.
    
    Thanks to Peter Staubach testing against a Solaris client, which
    suggesting addition of v3 getattr, to the list, and to Trond for noting
    that doing so exposes no additional information.
    Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
    Cc: Peter Staubach <staubach@redhat.com>
    Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
    04716e66
nfsd.h 13.9 KB