Re: regarding support of NFS versions

[Reinoud Zandijk <reinoud%NetBSD.org@localhost>]

On Fri, Apr 24, 2026 at 10:41:21PM +0200, Edgar Fuß wrote:
> > The major reason I can think of offhand is that that's the easiest way 
> > to get permissions checking properly enforced.
> [...]
> > userland server running as root could probably do the job.
> What I was thinking of was running a per-login worker process under the 
> credentials of the logged in user. That way, the kernel itself would enforce 
> the permissions (as it would for any other userland process) so I get no more 
> security holes than those I already might have.

That sounds like a good idea; it also means that being able to serve any
server side FS without specialist hooks for each of them since all access to
them is done in userland thus also allowing cross server side mount points.

On the client side, authorisation can be done in the mount_nfs(8) and its
cookie/secret passed to the kernel; no idea on what encryption can/ought then
be in the kernel and no idea how this ought to work for NFS as root though!
Maybe Kerberos encryption/decription kernel modules can be made that
load/unload automatically?

With regards,
Reinoud