[PATCH] nfsd: allow secinfo to bypass gss checks

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] nfsd: allow secinfo to bypass gss checks
@ 2011-06-30 18:47 J. Bruce Fields
  0 siblings, 0 replies; only message in thread
From: J. Bruce Fields @ 2011-06-30 18:47 UTC (permalink / raw)
  To: linux-nfs

Also planning to queue this up for 3.1....  Objections?

commit ea53eb9a87848610f1a2465881d8ef6ab6c62c59
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Wed Jun 29 18:33:11 2011 -0400

    nfsd: allow secinfo to bypass gss checks
    
    PUTFH+SECINFO should succeed and return a security list even when using
    an authentication flavor not permitted on the given filehandle.
    
    There's the risk of a small information leak here: as part of the
    SECINFO, we have to do a lookup.  If that lookup fails, we return the
    error from that lookup instead of a secinfo list.  That allows an
    unprivileged user to answer the question "does a file named $x exist in
    directory $d" by guessing a filehandle for $d and then sending a secinfo
    request for $x and seeing whether or not they get NFS4ERR_NOENT.
    
    To avoid that, we return secinfo for the parent in the NOENT case.
    
    Reported-by: Olga Kornievskaia <aglo@citi.umich.edu>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 96b6929..4f9c90b 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -762,19 +762,34 @@ nfsd4_secinfo(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 	__be32 err;
 
 	fh_init(&resfh, NFS4_FHSIZE);
-	err = fh_verify(rqstp, &cstate->current_fh, S_IFDIR, NFSD_MAY_EXEC);
+	err = fh_verify(rqstp, &cstate->current_fh, S_IFDIR,
+					NFSD_MAY_EXEC|NFSD_MAY_BYPASS_GSS);
 	if (err)
 		return err;
+	/*
+	 * XXX: arguably we should do this with elevated privileges, to
+	 * ensure consistent results regardless of the cred used by the
+	 * client:
+	 */
 	err = nfsd_lookup_dentry(rqstp, &cstate->current_fh,
 				    secinfo->si_name, secinfo->si_namelen,
 				    &exp, &dentry);
 	if (err)
 		return err;
 	if (dentry->d_inode == NULL) {
+		/*
+		 * An nfserr_noent return would tell the rpc caller
+		 * (who may be unprivileged) that a file by that name
+		 * does not exist in this directory.  That may be
+		 * information we don't want to give out.  So return
+		 * secinfo list for the parent in that case instead of
+		 * failing here.
+		 */
 		exp_put(exp);
-		err = nfserr_noent;
-	} else
-		secinfo->si_exp = exp;
+		exp = cstate->current_fh.fh_export;
+		exp_get(exp);
+	}
+	secinfo->si_exp = exp;
 	dput(dentry);
 	if (cstate->minorversion)
 		/* See rfc 5661 section 2.6.3.1.1.8 */

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2011-06-30 18:47 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-06-30 18:47 [PATCH] nfsd: allow secinfo to bypass gss checks J. Bruce Fields

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.