From: "J. Bruce Fields" <bfields@fieldses.org>
To: linux-nfs@vger.kernel.org
Subject: [PATCH] nfsd: allow secinfo to bypass gss checks
Date: Thu, 30 Jun 2011 14:47:04 -0400 [thread overview]
Message-ID: <20110630184704.GD18713@fieldses.org> (raw)
Also planning to queue this up for 3.1.... Objections?
commit ea53eb9a87848610f1a2465881d8ef6ab6c62c59
Author: J. Bruce Fields <bfields@redhat.com>
Date: Wed Jun 29 18:33:11 2011 -0400
nfsd: allow secinfo to bypass gss checks
PUTFH+SECINFO should succeed and return a security list even when using
an authentication flavor not permitted on the given filehandle.
There's the risk of a small information leak here: as part of the
SECINFO, we have to do a lookup. If that lookup fails, we return the
error from that lookup instead of a secinfo list. That allows an
unprivileged user to answer the question "does a file named $x exist in
directory $d" by guessing a filehandle for $d and then sending a secinfo
request for $x and seeing whether or not they get NFS4ERR_NOENT.
To avoid that, we return secinfo for the parent in the NOENT case.
Reported-by: Olga Kornievskaia <aglo@citi.umich.edu>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 96b6929..4f9c90b 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -762,19 +762,34 @@ nfsd4_secinfo(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
__be32 err;
fh_init(&resfh, NFS4_FHSIZE);
- err = fh_verify(rqstp, &cstate->current_fh, S_IFDIR, NFSD_MAY_EXEC);
+ err = fh_verify(rqstp, &cstate->current_fh, S_IFDIR,
+ NFSD_MAY_EXEC|NFSD_MAY_BYPASS_GSS);
if (err)
return err;
+ /*
+ * XXX: arguably we should do this with elevated privileges, to
+ * ensure consistent results regardless of the cred used by the
+ * client:
+ */
err = nfsd_lookup_dentry(rqstp, &cstate->current_fh,
secinfo->si_name, secinfo->si_namelen,
&exp, &dentry);
if (err)
return err;
if (dentry->d_inode == NULL) {
+ /*
+ * An nfserr_noent return would tell the rpc caller
+ * (who may be unprivileged) that a file by that name
+ * does not exist in this directory. That may be
+ * information we don't want to give out. So return
+ * secinfo list for the parent in that case instead of
+ * failing here.
+ */
exp_put(exp);
- err = nfserr_noent;
- } else
- secinfo->si_exp = exp;
+ exp = cstate->current_fh.fh_export;
+ exp_get(exp);
+ }
+ secinfo->si_exp = exp;
dput(dentry);
if (cstate->minorversion)
/* See rfc 5661 section 2.6.3.1.1.8 */
reply other threads:[~2011-06-30 18:47 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110630184704.GD18713@fieldses.org \
--to=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.