From: Mike Eisler (mike@eisler.com)
Date: 12/20/04-03:51:11 PM Z
Message-ID: <41C7494F.8060509@eisler.com>
Date: Mon, 20 Dec 2004 13:51:11 -0800
Subject: RE: [nfsv4] Why can't SECINFO return NFS4ERR_WRONGSEC?

> -----Original Message-----
> From: Haynes, Tom
> Sent: Thursday, December 16, 2004 2:24 PM
> To: nfsv4@ietf.org
> Subject: [nfsv4] Why can't SECINFO return NFS4ERR_WRONGSEC?

Because it got _WRONGSEC there's no way, short of trial and error, to find the right security.

> DESCRIPTION
>
> The SECINFO operation is used by the client to obtain a list of valid
> RPC authentication flavors for a specific directory filehandle, file
> name pair. SECINFO should apply the same access methodology used for
> LOOKUP when evaluating the name. Therefore, if the requester does
> not have the appropriate access to LOOKUP the name then SECINFO must
> behave the same way and return NFS4ERR_ACCESS.
>
> If a client sends a SECINFO request for a file handle and the
> underlying security flavor for the request does not meet the exported
> flavors, then the only option is to return NFS4ERR_ACCESS instead of
> NFS4ERR_WRONGSEC.

"access" here applies primarily to whether the permission bits/ACL checks pass.

> But, this is incomplete information. The issue wasn't that the client
> could not get access, just that we could not determine it with the
> current flavor. Or do client implementations, when they get
> NFS4ERR_ACCESS on SECINFO, then start trying other underlying
> security flavors?
>
> A forgiving server could say, ahh, what the hey, here is the SECINFO.
> But, I take *must* as saying the server can not be forgiving.

The client has a directory file handle and obtained that file handle using some flavor I'll call X. Thus security flavor X should be sufficient to perform a SECINFO using that file handle.

In other words, while the security flavor required to do a LOOKUP is not the same as the security flavor required to do a SECINFO, the access rights, as described by the ACL required for LOOKUP and SECINFO, are the same. If the directory search right is denied, then so is SECINFO.

> --
> Tom Haynes, ex-cfb
> thomas@netapp.com
>
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www1.ietf.org/mailman/listinfo/nfsv4
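The behaviour described in the reply above, as an added example that is not part of the original message or of any NFS implementation: a toy server model in which LOOKUP checks both the directory search right and the child's flavor policy, while SECINFO checks only the search right, so a client that hits NFS4ERR_WRONGSEC can recover using the flavor it already holds. The `Entry` class, function names, the flavor strings and the sample export are constructed, and the model assumes the same principal name under every flavor.

```python
# Toy model (constructed, not real server code) of LOOKUP vs. SECINFO checks.
from dataclasses import dataclass, field

OK, ACCESS, WRONGSEC, NOENT = ("NFS4_OK", "NFS4ERR_ACCESS",
                               "NFS4ERR_WRONGSEC", "NFS4ERR_NOENT")

@dataclass
class Entry:
    flavors: list                                  # flavors the policy accepts for this object
    searchers: set = field(default_factory=set)    # principals with directory search right
    children: dict = field(default_factory=dict)

def lookup(d, name, principal, flavor):
    if principal not in d.searchers:               # permission bits / ACL check
        return ACCESS, None
    child = d.children.get(name)
    if child is None:
        return NOENT, None
    if flavor not in child.flavors:                # security policy check on the child
        return WRONGSEC, None
    return OK, child

def secinfo(d, name, principal, flavor):
    # Same access check as LOOKUP; the request's flavor is not tested against
    # the child's policy, so WRONGSEC is never returned here.
    if principal not in d.searchers:
        return ACCESS, None
    child = d.children.get(name)
    return (NOENT, None) if child is None else (OK, list(child.flavors))

def negotiate(d, name, principal, flavor, client_flavors):
    """Client side: LOOKUP, and on WRONGSEC ask SECINFO with the same flavor."""
    status, _ = lookup(d, name, principal, flavor)
    trace = [("LOOKUP", flavor, status)]
    if status == WRONGSEC:
        status, offered = secinfo(d, name, principal, flavor)
        trace.append(("SECINFO", flavor, status))
        new = next((f for f in offered or [] if f in client_flavors), None)
        if new is not None:
            status, _ = lookup(d, name, principal, new)
            trace.append(("LOOKUP", new, status))
    return status, trace

# Constructed sample export: directory reached with "sys", child requires Kerberos.
ROOT = Entry(flavors=["sys"], searchers={"alice"},
             children={"secure": Entry(flavors=["krb5i", "krb5"])})

if __name__ == "__main__":
    print(negotiate(ROOT, "secure", "alice", "sys", ["sys", "krb5"]))
    print(secinfo(ROOT, "secure", "mallory", "sys"))
```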
This archive was generated by hypermail 2.1.2 : 03/04/05-02:13:49 AM Z CST