From: Peter Staubach <staubach@redhat.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH] nfsd: permit unauthenticated stat of export root
Date: Thu, 07 Aug 2008 14:23:40 -0400 [thread overview]
Message-ID: <489B3DAC.5060004@redhat.com> (raw)
In-Reply-To: <20080807181148.GK18904@fieldses.org>
J. Bruce Fields wrote:
> From: J. Bruce Fields <bfields@citi.umich.edu>
>
> RFC 2623 section 2.3.2 permits the server to bypass gss authentication
> checks for certain operations that a client may perform when mounting.
> In the case of a client that doesn't have some form of credentials
> available to it on boot, this allows it to perform the mount unattended.
> (Presumably real file access won't be needed until a user with
> credentials logs in.)
>
> Being slightly more lenient allows lots of old clients to access
> krb5-only exports, with the only loss being a small amount of
> information leaked about the root directory of the export.
>
> This affects on v2 and v3; v4 still requires authentication for all
> access.
>
> Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
> ---
> fs/nfsd/nfs3proc.c | 5 +++--
> fs/nfsd/nfsfh.c | 30 ++++++++++++++++++++----------
> fs/nfsd/nfsproc.c | 6 ++++--
> fs/nfsd/vfs.c | 4 ++--
> include/linux/nfsd/nfsd.h | 3 ++-
> 5 files changed, 31 insertions(+), 17 deletions(-)
>
> I intend to submit this for 2.6.28
>
> diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c
> index 4d617ea..1419142 100644
> --- a/fs/nfsd/nfs3proc.c
> +++ b/fs/nfsd/nfs3proc.c
> @@ -530,7 +530,7 @@ nfsd3_proc_fsstat(struct svc_rqst * rqstp, struct nfsd_fhandle *argp,
> dprintk("nfsd: FSSTAT(3) %s\n",
> SVCFH_fmt(&argp->fh));
>
> - nfserr = nfsd_statfs(rqstp, &argp->fh, &resp->stats);
> + nfserr = nfsd_statfs(rqstp, &argp->fh, &resp->stats, 0);
> fh_put(&argp->fh);
> RETURN_STATUS(nfserr);
> }
> @@ -558,7 +558,8 @@ nfsd3_proc_fsinfo(struct svc_rqst * rqstp, struct nfsd_fhandle *argp,
> resp->f_maxfilesize = ~(u32) 0;
> resp->f_properties = NFS3_FSF_DEFAULT;
>
> - nfserr = fh_verify(rqstp, &argp->fh, 0, NFSD_MAY_NOP);
> + nfserr = fh_verify(rqstp, &argp->fh, 0,
> + NFSD_MAY_NOP | NFSD_MAY_BYPASS_GSS_ON_ROOT);
>
> /* Check special features of the file system. May request
> * different read/write sizes for file systems known to have
>
I would think that you might want to have nfsd3_proc_getattr()
in this list too. Some clients may need to generate a GETATTR
if they need the attributes for the root node.
ps
> diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
> index f45451e..7c6847e 100644
> --- a/fs/nfsd/nfsfh.c
> +++ b/fs/nfsd/nfsfh.c
> @@ -302,17 +302,27 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access)
> if (error)
> goto out;
>
> - if (!(access & NFSD_MAY_LOCK)) {
> - /*
> - * pseudoflavor restrictions are not enforced on NLM,
> - * which clients virtually always use auth_sys for,
> - * even while using RPCSEC_GSS for NFS.
> - */
> - error = check_nfsd_access(exp, rqstp);
> - if (error)
> - goto out;
> - }
> + /*
> + * pseudoflavor restrictions are not enforced on NLM,
> + * which clients virtually always use auth_sys for,
> + * even while using RPCSEC_GSS for NFS.
> + */
> + if (access & NFSD_MAY_LOCK)
> + goto skip_pseudoflavor_check;
> + /*
> + * Clients may expect to be able to use auth_sys during mount,
> + * even if they use gss for everything else; see section 2.3.2
> + * of rfc 2623.
> + */
> + if (access & NFSD_MAY_BYPASS_GSS_ON_ROOT
> + && exp->ex_path.dentry == dentry)
> + goto skip_pseudoflavor_check;
> +
> + error = check_nfsd_access(exp, rqstp);
> + if (error)
> + goto out;
>
> +skip_pseudoflavor_check:
> /* Finally, check access permissions. */
> error = nfsd_permission(rqstp, exp, dentry, access);
>
> diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c
> index 0766f95..5cffeca 100644
> --- a/fs/nfsd/nfsproc.c
> +++ b/fs/nfsd/nfsproc.c
> @@ -65,7 +65,8 @@ nfsd_proc_getattr(struct svc_rqst *rqstp, struct nfsd_fhandle *argp,
> dprintk("nfsd: GETATTR %s\n", SVCFH_fmt(&argp->fh));
>
> fh_copy(&resp->fh, &argp->fh);
> - nfserr = fh_verify(rqstp, &resp->fh, 0, NFSD_MAY_NOP);
> + nfserr = fh_verify(rqstp, &resp->fh, 0,
> + NFSD_MAY_NOP | NFSD_MAY_BYPASS_GSS_ON_ROOT);
> return nfsd_return_attrs(nfserr, resp);
> }
>
> @@ -521,7 +522,8 @@ nfsd_proc_statfs(struct svc_rqst * rqstp, struct nfsd_fhandle *argp,
>
> dprintk("nfsd: STATFS %s\n", SVCFH_fmt(&argp->fh));
>
> - nfserr = nfsd_statfs(rqstp, &argp->fh, &resp->stats);
> + nfserr = nfsd_statfs(rqstp, &argp->fh, &resp->stats,
> + NFSD_MAY_BYPASS_GSS_ON_ROOT);
> fh_put(&argp->fh);
> return nfserr;
> }
> diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
> index 0f4481e..f51bdf6 100644
> --- a/fs/nfsd/vfs.c
> +++ b/fs/nfsd/vfs.c
> @@ -1872,9 +1872,9 @@ out:
> * N.B. After this call fhp needs an fh_put
> */
> __be32
> -nfsd_statfs(struct svc_rqst *rqstp, struct svc_fh *fhp, struct kstatfs *stat)
> +nfsd_statfs(struct svc_rqst *rqstp, struct svc_fh *fhp, struct kstatfs *stat, int access)
> {
> - __be32 err = fh_verify(rqstp, fhp, 0, NFSD_MAY_NOP);
> + __be32 err = fh_verify(rqstp, fhp, 0, NFSD_MAY_NOP | access);
> if (!err && vfs_statfs(fhp->fh_dentry,stat))
> err = nfserr_io;
> return err;
> diff --git a/include/linux/nfsd/nfsd.h b/include/linux/nfsd/nfsd.h
> index a2861d9..47bea82 100644
> --- a/include/linux/nfsd/nfsd.h
> +++ b/include/linux/nfsd/nfsd.h
> @@ -39,6 +39,7 @@
> #define NFSD_MAY_LOCK 32
> #define NFSD_MAY_OWNER_OVERRIDE 64
> #define NFSD_MAY_LOCAL_ACCESS 128 /* IRIX doing local access check on device special file*/
> +#define NFSD_MAY_BYPASS_GSS_ON_ROOT 256
>
> #define NFSD_MAY_CREATE (NFSD_MAY_EXEC|NFSD_MAY_WRITE)
> #define NFSD_MAY_REMOVE (NFSD_MAY_EXEC|NFSD_MAY_WRITE|NFSD_MAY_TRUNC)
> @@ -126,7 +127,7 @@ int nfsd_truncate(struct svc_rqst *, struct svc_fh *,
> __be32 nfsd_readdir(struct svc_rqst *, struct svc_fh *,
> loff_t *, struct readdir_cd *, filldir_t);
> __be32 nfsd_statfs(struct svc_rqst *, struct svc_fh *,
> - struct kstatfs *);
> + struct kstatfs *, int access);
>
> int nfsd_notify_change(struct inode *, struct iattr *);
> __be32 nfsd_permission(struct svc_rqst *, struct svc_export *,
>
next prev parent reply other threads:[~2008-08-07 18:23 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-07 18:11 [PATCH] nfsd: permit unauthenticated stat of export root J. Bruce Fields
2008-08-07 18:23 ` Peter Staubach [this message]
2008-08-07 19:16 ` J. Bruce Fields
2008-08-07 19:39 ` Peter Staubach
2008-08-07 20:41 ` J. Bruce Fields
2008-08-08 20:21 ` J. Bruce Fields
2008-08-08 20:32 ` Peter Staubach
2008-08-08 20:39 ` J. Bruce Fields
2008-08-11 20:51 ` Peter Staubach
2008-08-11 21:26 ` J. Bruce Fields
2008-08-11 21:29 ` Peter Staubach
2008-08-11 22:11 ` J. Bruce Fields
2008-08-11 21:27 ` Peter Staubach
2008-08-11 21:38 ` Trond Myklebust
2008-08-12 15:43 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=489B3DAC.5060004@redhat.com \
--to=staubach@redhat.com \
--cc=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.