From: NeilBrown <neilb@suse.de>
To: Andrew Morton <akpm@osdl.org>
Cc: nfs@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH 006 of 14] knfsd: nfsd: call nfsd_setuser() on fh_compose(), fix nfsd4 permissions problem
Date: Tue, 27 Jun 2006 17:20:07 +1000 [thread overview]
Message-ID: <1060627072007.26660@suse.de> (raw)
In-Reply-To: 20060627171533.26405.patches@notabene
From: J. Bruce Fields <bfields@citi.umich.edu>
In the typical v2/v3 case the only new filehandles used as arguments to
operations are filehandles taken directly off the wire, which don't get
dentries until fh_verify() is called.
But in v4 the filehandles that are arguments to operations were often
created by previous operations (putrootfh, lookup, etc.) using
fh_compose, which sets the dentry in the filehandle without calling
nfsd_setuser().
This also means that, for example, if filesystem B is mounted on filesystem
A, and filesystem A is exported without root-squashing, then a client can
bypass the rootsquashing on B using a compound that starts at a filehandle
in A, crosses into B using lookups, and then does stuff in B.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
### Diffstat output
./fs/nfsd/nfsfh.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff .prev/fs/nfsd/nfsfh.c ./fs/nfsd/nfsfh.c
--- .prev/fs/nfsd/nfsfh.c 2006-06-27 12:16:27.000000000 +1000
+++ ./fs/nfsd/nfsfh.c 2006-06-27 14:41:52.000000000 +1000
@@ -187,13 +187,6 @@ fh_verify(struct svc_rqst *rqstp, struct
goto out;
}
- /* Set user creds for this exportpoint */
- error = nfsd_setuser(rqstp, exp);
- if (error) {
- error = nfserrno(error);
- goto out;
- }
-
/*
* Look up the dentry using the NFS file handle.
*/
@@ -251,6 +244,14 @@ fh_verify(struct svc_rqst *rqstp, struct
}
cache_get(&exp->h);
+ /* Set user creds for this exportpoint; necessary even in the "just
+ * checking" case because this may be a filehandle that was created by
+ * fh_compose, and that is about to be used in another nfsv4 compound
+ * operation */
+ error = nfserrno(nfsd_setuser(rqstp, exp));
+ if (error)
+ goto out;
+
error = nfsd_mode_check(rqstp, dentry->d_inode->i_mode, type);
if (error)
goto out;
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
NFS maillist - NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
WARNING: multiple messages have this Message-ID (diff)
From: NeilBrown <neilb@suse.de>
To: Andrew Morton <akpm@osdl.org>
Cc: nfs@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH 006 of 14] knfsd: nfsd: call nfsd_setuser() on fh_compose(), fix nfsd4 permissions problem
Date: Tue, 27 Jun 2006 17:20:07 +1000 [thread overview]
Message-ID: <1060627072007.26660@suse.de> (raw)
In-Reply-To: 20060627171533.26405.patches@notabene
From: J. Bruce Fields <bfields@citi.umich.edu>
In the typical v2/v3 case the only new filehandles used as arguments to
operations are filehandles taken directly off the wire, which don't get
dentries until fh_verify() is called.
But in v4 the filehandles that are arguments to operations were often
created by previous operations (putrootfh, lookup, etc.) using
fh_compose, which sets the dentry in the filehandle without calling
nfsd_setuser().
This also means that, for example, if filesystem B is mounted on filesystem
A, and filesystem A is exported without root-squashing, then a client can
bypass the rootsquashing on B using a compound that starts at a filehandle
in A, crosses into B using lookups, and then does stuff in B.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
### Diffstat output
./fs/nfsd/nfsfh.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff .prev/fs/nfsd/nfsfh.c ./fs/nfsd/nfsfh.c
--- .prev/fs/nfsd/nfsfh.c 2006-06-27 12:16:27.000000000 +1000
+++ ./fs/nfsd/nfsfh.c 2006-06-27 14:41:52.000000000 +1000
@@ -187,13 +187,6 @@ fh_verify(struct svc_rqst *rqstp, struct
goto out;
}
- /* Set user creds for this exportpoint */
- error = nfsd_setuser(rqstp, exp);
- if (error) {
- error = nfserrno(error);
- goto out;
- }
-
/*
* Look up the dentry using the NFS file handle.
*/
@@ -251,6 +244,14 @@ fh_verify(struct svc_rqst *rqstp, struct
}
cache_get(&exp->h);
+ /* Set user creds for this exportpoint; necessary even in the "just
+ * checking" case because this may be a filehandle that was created by
+ * fh_compose, and that is about to be used in another nfsv4 compound
+ * operation */
+ error = nfserrno(nfsd_setuser(rqstp, exp));
+ if (error)
+ goto out;
+
error = nfsd_mode_check(rqstp, dentry->d_inode->i_mode, type);
if (error)
goto out;
next prev parent reply other threads:[~2006-06-27 7:20 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-06-27 7:19 [PATCH 000 of 14] knfsd: Introduction NeilBrown
2006-06-27 7:19 ` NeilBrown
2006-06-27 7:19 ` [PATCH 001 of 14] knfsd: Improve the test for cross-device-rename in nfsd NeilBrown
2006-06-27 7:19 ` NeilBrown
2006-06-27 7:19 ` [PATCH 002 of 14] knfsd: Fixing missing 'expkey' support for fsid type 3 NeilBrown
2006-06-27 7:19 ` NeilBrown
2006-06-27 7:19 ` [PATCH 003 of 14] knfsd: Remove noise about filehandle being uptodate NeilBrown
2006-06-27 7:19 ` NeilBrown
2006-06-27 7:19 ` [PATCH 004 of 14] knfsd: Ignore ref_fh when crossing a mountpoint NeilBrown
2006-06-27 7:19 ` NeilBrown
2006-06-27 7:20 ` [PATCH 005 of 14] knfsd: nfsd4: fix open_confirm locking NeilBrown
2006-06-27 7:20 ` NeilBrown
2006-06-27 7:20 ` NeilBrown [this message]
2006-06-27 7:20 ` [PATCH 006 of 14] knfsd: nfsd: call nfsd_setuser() on fh_compose(), fix nfsd4 permissions problem NeilBrown
2006-06-27 7:20 ` [PATCH 007 of 14] knfsd: nfsd4: remove superfluous grace period checks NeilBrown
2006-06-27 7:20 ` NeilBrown
2006-06-27 7:20 ` [PATCH 008 of 14] knfsd: nfsd: fix misplaced fh_unlock() in nfsd_link() NeilBrown
2006-06-27 7:20 ` NeilBrown
2006-06-27 7:20 ` [PATCH 009 of 14] knfsd: svcrpc: gss: simplify rsc_parse() NeilBrown
2006-06-27 7:20 ` NeilBrown
2006-06-27 7:20 ` [PATCH 010 of 14] knfsd: nfsd4: fix some open argument tests NeilBrown
2006-06-27 7:20 ` NeilBrown
2006-06-27 7:20 ` [PATCH 011 of 14] knfsd: nfsd4: fix open flag passing NeilBrown
2006-06-27 7:20 ` NeilBrown
2006-06-27 7:20 ` [PATCH 012 of 14] knfsd: svcrpc: Simplify nfsd rpcsec_gss integrity code NeilBrown
2006-06-27 7:20 ` NeilBrown
2006-06-27 7:20 ` [PATCH 013 of 14] knfsd: nfsd: mark rqstp to prevent use of sendfile in privacy case NeilBrown
2006-06-27 7:20 ` NeilBrown
2006-06-27 7:20 ` [PATCH 014 of 14] knfsd: svcrpc: gss: server-side implementation of rpcsec_gss privacy NeilBrown
2006-06-27 7:20 ` NeilBrown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1060627072007.26660@suse.de \
--to=neilb@suse.de \
--cc=akpm@osdl.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nfs@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.