Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9091224f3cff4721f295df29e8a99705a63bc4c7
Commit:     9091224f3cff4721f295df29e8a99705a63bc4c7
Parent:     4796f45740bc6f2e3e6cc14e7ed481b38bd0bd39
Author:     J. Bruce Fields <[EMAIL PROTECTED]>
AuthorDate: Tue Jul 17 04:04:52 2007 -0700
Committer:  Linus Torvalds <[EMAIL PROTECTED]>
CommitDate: Tue Jul 17 10:23:08 2007 -0700

    knfsd: nfsd: allow auth_sys nlm on rpcsec_gss exports
    
    Our clients (like other clients, as far as I know) use only auth_sys for
    nlm, even when using rpcsec_gss for the main nfs operations.
    
    Administrators that want to deny non-kerberos-authenticated locking requests
    will need to turn off NFS protocol versions less than 4....
    
    Signed-off-by: "J. Bruce Fields" <[EMAIL PROTECTED]>
    Signed-off-by: Neil Brown <[EMAIL PROTECTED]>
    Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
---
 fs/nfsd/nfsfh.c |   14 ++++++++++----
 1 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index 8d2b499..0eb464a 100644
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -249,10 +249,16 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int 
type, int access)
        if (error)
                goto out;
 
-       /* Check security flavor */
-       error = check_nfsd_access(exp, rqstp);
-       if (error)
-               goto out;
+       if (!(access & MAY_LOCK)) {
+               /*
+                * pseudoflavor restrictions are not enforced on NLM,
+                * which clients virtually always use auth_sys for,
+                * even while using RPCSEC_GSS for NFS.
+                */
+               error = check_nfsd_access(exp, rqstp);
+               if (error)
+                       goto out;
+       }
 
        /* Finally, check access permissions. */
        error = nfsd_permission(rqstp, exp, dentry, access);
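
Review bot: The bypass at `if (!(access & MAY_LOCK))` is keyed on the access mask, not on the request actually arriving over NLM, so any fh_verify() caller that sets MAY_LOCK skips check_nfsd_access() and reaches nfsd_permission() without the export's flavor restriction being applied. It is worth confirming that only the lockd path passes MAY_LOCK, and saying so in the comment, or narrowing the condition to the NLM case. The comment should also carry the operational consequence from the commit message: on an rpcsec_gss export, lock requests are accepted with auth_sys, and the only way to refuse them is to disable NFS versions below 4. Without that note, an administrator reading the export options has no indication that locking is exempt.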