From: Andrey Simonenko
To: freebsd-fs@freebsd.org
Date: Thu, 24 May 2012 14:47:02 +0300
Subject: NLM uses AUTH_SYS ignoring sec option in mount_nfs
Message-ID: <20120524114702.GA38087@pm513-1.comsys.ntu-kpi.kiev.ua>

Hello,

It looks like NLM always uses AUTH_SYS even if a client specified another security flavor in mount_nfs's "sec" option.

Also, NLM on the server does not verify that the NLM client's security flavor is allowed by the NFS exported file system; the security flavors array from VFS_CHECKEXP() is ignored in nlm/nlm_prot_impl.c:nlm_get_vfs_state().

I see this behaviour of NLM on 10-CURRENT; I added log messages to the kernel to see the security flavors used by NFSv3 and NLM requests. Both the NFS client and server are on the same system, and the NFSv3 mounts are from unprivileged users.

According to [1], NLMv4 allows the use of different security flavors.

Can somebody comment on this behaviour of NLM?

[1] http://pubs.opengroup.org/onlinepubs/9629799/chap14.htm
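
The two checks this message reports as missing, written as an added user-space C example (not FreeBSD kernel code and not part of the original post): the lock client derives its flavor from the mount's "sec" value instead of a fixed AUTH_SYS, and the server accepts a lock request only if its flavor appears in the export's flavor list. All `ex_*` names are hypothetical, the export list is constructed, and the flavor numbers are the standard ones from RFC 5531 and RFC 2623.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RPC flavor numbers: AUTH_SYS (RFC 5531), Kerberos pseudoflavors (RFC 2623). */
enum { EX_AUTH_SYS = 1, EX_KRB5 = 390003, EX_KRB5I = 390004, EX_KRB5P = 390005 };

/* Map a mount_nfs "sec" option value to a flavor number; -1 if unknown. */
int ex_sec_to_flavor(const char *sec)
{
    static const struct { const char *name; int flavor; } map[] = {
        { "sys", EX_AUTH_SYS }, { "krb5", EX_KRB5 },
        { "krb5i", EX_KRB5I }, { "krb5p", EX_KRB5P },
    };
    if (sec == NULL)
        return -1;
    for (size_t i = 0; i < sizeof(map) / sizeof(map[0]); i++)
        if (strcmp(sec, map[i].name) == 0)
            return map[i].flavor;
    return -1;
}

/* Client side (hypothetical): lock requests follow the mount's flavor;
 * AUTH_SYS is used only when no "sec" option was given. */
int ex_nlm_client_flavor(const char *mount_sec)
{
    return mount_sec == NULL ? EX_AUTH_SYS : ex_sec_to_flavor(mount_sec);
}

/* Server side (hypothetical): the array models the export's allowed
 * flavors. Assumption: it already holds the default flavor when the
 * export names none, so an empty list fails closed. */
int ex_flavor_allowed(int req_flavor, const int *secflavors, int numsecflavors)
{
    if (secflavors == NULL || numsecflavors <= 0)
        return 0;
    for (int i = 0; i < numsecflavors; i++)
        if (secflavors[i] == req_flavor)
            return 1;
    return 0;
}

int main(void)
{
    const int exported[] = { EX_KRB5I, EX_KRB5P }; /* constructed export list */
    int nlm = ex_nlm_client_flavor("krb5i");
    printf("NLM with mount flavor %d allowed: %d\n", nlm, ex_flavor_allowed(nlm, exported, 2));
    printf("NLM with AUTH_SYS allowed: %d\n", ex_flavor_allowed(EX_AUTH_SYS, exported, 2));
    return 0;
}
```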