From: "Myles Uyema" Subject: Re: 'noacl' NFS parameter seems ineffective (Fedora Core 7) Date: Thu, 5 Jul 2007 14:39:34 -0700 Message-ID: References: <468D6064.3080307@redhat.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0445328718==" Cc: nfs@lists.sourceforge.net To: "Peter Staubach" Return-path: Received: from sc8-sf-mx2-b.sourceforge.net ([10.3.1.92] helo=mail.sourceforge.net) by sc8-sf-list2-new.sourceforge.net with esmtp (Exim 4.43) id 1I6Z31-0002HV-7k for nfs@lists.sourceforge.net; Thu, 05 Jul 2007 14:39:35 -0700 Received: from ug-out-1314.google.com ([66.249.92.168]) by mail.sourceforge.net with esmtp (Exim 4.44) id 1I6Z32-0003l4-Ko for nfs@lists.sourceforge.net; Thu, 05 Jul 2007 14:39:38 -0700 Received: by ug-out-1314.google.com with SMTP id m2so602883uge for ; Thu, 05 Jul 2007 14:39:35 -0700 (PDT) In-Reply-To: <468D6064.3080307@redhat.com> List-Id: "Discussion of NFS under Linux development, interoperability, and testing." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: nfs-bounces@lists.sourceforge.net Errors-To: nfs-bounces@lists.sourceforge.net --===============0445328718== Content-Type: multipart/alternative; boundary="----=_Part_137195_3740438.1183671574802" ------=_Part_137195_3740438.1183671574802 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Thanks for the clarification. I don't suppose there's an option to do what I've described? Rather - assume that there is no acl, no uid mapping/translation on the server side? On 7/5/07, Peter Staubach wrote: > > Myles Uyema wrote: > > If I understand the explanation of the 'noacl' parameter, it should > > prevent ACCESS calls right? I'm not seeing this occurring on Fedora > > Core 7 (2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 14:56:37 EDT 2007 x86_64 > > x86_64 x86_64 GNU/Linux) > > > > I mounted using tcp,noacl,rsize=32768,wsize=32768. The NFS server is > > a NetApp filer running 7.2.1.1 , and is a unix-only > > filesystem. > > > > Then I ran a script to 'dd' 286 files on the NFS mountpoint. The > > script ran as UID 48. > > 340 reads > > 286 getattr > > 286 access > > > > The nfsstat showed my client still performing ACCESS calls. I'd like > > to believe that the GETATTR has already verified the permission bits, > > and thus an ACCESS shouldn't be necessary. > > Actually, all that the "noacl" mount option means is to not attempt > to get or set or ACLs on the server. It does not affect the security > checking that the client does to verify access. > > The permission bits are not enough to determine access permissions. > Root mapping on the server is an easy example of this. Therefore, > the client always goes over the wire to query the server for the > permissions that it will allow. > > Thanx... > > ps > ------=_Part_137195_3740438.1183671574802 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline Thanks for the clarification.  I don't suppose there's an option to do what I've described?  Rather - assume that there is no acl, no uid mapping/translation on the server side?

On 7/5/07, Peter Staubach <staubach@redhat.com> wrote:
Myles Uyema wrote:
> If I understand the explanation of the 'noacl' parameter, it should
> prevent ACCESS calls right?  I'm not seeing this occurring on Fedora
> Core 7 (2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 14:56:37 EDT 2007 x86_64
> x86_64 x86_64 GNU/Linux)
>
> I mounted using tcp,noacl,rsize=32768,wsize=32768.  The NFS server is
> a NetApp filer running 7.2.1.1 <http://7.2.1.1 >, and is a unix-only
> filesystem.
>
> Then I ran a script to 'dd' 286 files on the NFS mountpoint.  The
> script ran as UID 48.
> 340 reads
> 286 getattr
> 286 access
>
> The nfsstat showed my client still performing ACCESS calls.  I'd like
> to believe that the GETATTR has already verified the permission bits,
> and thus an ACCESS shouldn't be necessary.

Actually, all that the "noacl" mount option means is to not attempt
to get or set or ACLs on the server.  It does not affect the security
checking that the client does to verify access.

The permission bits are not enough to determine access permissions.
Root mapping on the server is an easy example of this.  Therefore,
the client always goes over the wire to query the server for the
permissions that it will allow.

    Thanx...

       ps

------=_Part_137195_3740438.1183671574802-- --===============0445328718== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ --===============0445328718== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ NFS maillist - NFS@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nfs --===============0445328718==--