* [PATCH 1/2] mountd: allow high ports on all pseudofs exports @ 2020-12-02 22:56 J. Bruce Fields 2020-12-02 22:56 ` [PATCH 2/2] mountd: always root squash on the pseudofs J. Bruce Fields 2020-12-02 23:03 ` [PATCH 1/2] mountd: allow high ports on all pseudofs exports J. Bruce Fields 0 siblings, 2 replies; 8+ messages in thread From: J. Bruce Fields @ 2020-12-02 22:56 UTC (permalink / raw) To: Steve Dickson; +Cc: linux-nfs, J. Bruce Fields From: "J. Bruce Fields" <bfields@redhat.com> We originally tried to grant permissions on the v4 pseudoroot filesystem that were the absolute minimum required for a client to reach a given export. This turns out to be complicated, and we've never gotten it quite right. Also, the tradition from the MNT protocol was to allow anyone to browse the list of exports. So, do as we already did with security flavors and just allow clients from high ports to access the whole pseudofilesystem. Signed-off-by: J. Bruce Fields <bfields@redhat.com> --- utils/mountd/v4root.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c index a9ea167a07e0..2ac4e87898c0 100644 --- a/utils/mountd/v4root.c +++ b/utils/mountd/v4root.c @@ -36,7 +36,7 @@ static nfs_export pseudo_root = { .e_path = "/", .e_flags = NFSEXP_READONLY | NFSEXP_ROOTSQUASH | NFSEXP_NOSUBTREECHECK | NFSEXP_FSID - | NFSEXP_V4ROOT, + | NFSEXP_V4ROOT | NFSEXP_INSECURE_PORT, .e_anonuid = 65534, .e_anongid = 65534, .e_squids = NULL, @@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo, int flags) struct flav_info *flav; int i; - if (flags & NFSEXP_INSECURE_PORT) - pseudo->e_flags |= NFSEXP_INSECURE_PORT; if ((flags & NFSEXP_ROOTSQUASH) == 0) pseudo->e_flags &= ~NFSEXP_ROOTSQUASH; for (flav = flav_map; flav < flav_map + flav_map_size; flav++) { @@ -70,8 +68,7 @@ set_pseudofs_security(struct exportent *pseudo, int flags) i = secinfo_addflavor(flav, pseudo); new = &pseudo->e_secinfo[i]; - if (flags & NFSEXP_INSECURE_PORT) - new->flags |= NFSEXP_INSECURE_PORT; + new->flags |= NFSEXP_INSECURE_PORT; } } -- 2.28.0 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/2] mountd: always root squash on the pseudofs 2020-12-02 22:56 [PATCH 1/2] mountd: allow high ports on all pseudofs exports J. Bruce Fields @ 2020-12-02 22:56 ` J. Bruce Fields 2020-12-03 0:54 ` Trond Myklebust 2020-12-02 23:03 ` [PATCH 1/2] mountd: allow high ports on all pseudofs exports J. Bruce Fields 1 sibling, 1 reply; 8+ messages in thread From: J. Bruce Fields @ 2020-12-02 22:56 UTC (permalink / raw) To: Steve Dickson; +Cc: linux-nfs, J. Bruce Fields From: "J. Bruce Fields" <bfields@redhat.com> As with security flavors and "secure" ports, we tried to code this so that pseudofs directories would inherit root squashing from their children, but it doesn't really work as coded and I'm not sure it's useful. Just root squash always. If it turns out somebody's exporting directories that are only readable by root, I guess we can try to do something else here, but frankly that sounds like a pretty weird configuration. Signed-off-by: J. Bruce Fields <bfields@redhat.com> --- utils/mountd/v4root.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c index 2ac4e87898c0..36543401f296 100644 --- a/utils/mountd/v4root.c +++ b/utils/mountd/v4root.c @@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo, int flags) struct flav_info *flav; int i; - if ((flags & NFSEXP_ROOTSQUASH) == 0) - pseudo->e_flags &= ~NFSEXP_ROOTSQUASH; for (flav = flav_map; flav < flav_map + flav_map_size; flav++) { struct sec_entry *new; -- 2.28.0 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] mountd: always root squash on the pseudofs 2020-12-02 22:56 ` [PATCH 2/2] mountd: always root squash on the pseudofs J. Bruce Fields @ 2020-12-03 0:54 ` Trond Myklebust 2020-12-03 1:05 ` J. Bruce Fields 0 siblings, 1 reply; 8+ messages in thread From: Trond Myklebust @ 2020-12-03 0:54 UTC (permalink / raw) To: bfields@fieldses.org, steved@redhat.com Cc: linux-nfs@vger.kernel.org, bfields@redhat.com On Wed, 2020-12-02 at 17:56 -0500, J. Bruce Fields wrote: > From: "J. Bruce Fields" <bfields@redhat.com> > > As with security flavors and "secure" ports, we tried to code this so > that pseudofs directories would inherit root squashing from their > children, but it doesn't really work as coded and I'm not sure it's > useful. > > Just root squash always. If it turns out somebody's exporting > directories that are only readable by root, I guess we can try to do > something else here, but frankly that sounds like a pretty weird > configuration. > > Signed-off-by: J. Bruce Fields <bfields@redhat.com> > --- > utils/mountd/v4root.c | 2 -- > 1 file changed, 2 deletions(-) > > diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c > index 2ac4e87898c0..36543401f296 100644 > --- a/utils/mountd/v4root.c > +++ b/utils/mountd/v4root.c > @@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo, int > flags) > struct flav_info *flav; > int i; > > - if ((flags & NFSEXP_ROOTSQUASH) == 0) > - pseudo->e_flags &= ~NFSEXP_ROOTSQUASH; > for (flav = flav_map; flav < flav_map + flav_map_size; > flav++) { > struct sec_entry *new; > Hmm... What is the harm in allowing root to be unsquashed here? Isn't this really all about respecting lookup permissions, or could a user actually modify something in the pseudofs? If the latter, then that sounds like a bug (the pseudofs should always be read-only). The consequence of not being able to look up a directory in the pseudofs is that the NFSv4 client will be completely unable to mount that subtree, so squashing root could make a major difference. -- Trond Myklebust Linux NFS client maintainer, Hammerspace trond.myklebust@hammerspace.com ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] mountd: always root squash on the pseudofs 2020-12-03 0:54 ` Trond Myklebust @ 2020-12-03 1:05 ` J. Bruce Fields 2020-12-03 1:14 ` [PATCH 1/2] mountd: allow high ports on all pseudofs exports bfields 0 siblings, 1 reply; 8+ messages in thread From: J. Bruce Fields @ 2020-12-03 1:05 UTC (permalink / raw) To: Trond Myklebust Cc: bfields@fieldses.org, steved@redhat.com, linux-nfs@vger.kernel.org On Thu, Dec 03, 2020 at 12:54:53AM +0000, Trond Myklebust wrote: > On Wed, 2020-12-02 at 17:56 -0500, J. Bruce Fields wrote: > > From: "J. Bruce Fields" <bfields@redhat.com> > > > > As with security flavors and "secure" ports, we tried to code this so > > that pseudofs directories would inherit root squashing from their > > children, but it doesn't really work as coded and I'm not sure it's > > useful. > > > > Just root squash always. If it turns out somebody's exporting > > directories that are only readable by root, I guess we can try to do > > something else here, but frankly that sounds like a pretty weird > > configuration. > > > > Signed-off-by: J. Bruce Fields <bfields@redhat.com> > > --- > > utils/mountd/v4root.c | 2 -- > > 1 file changed, 2 deletions(-) > > > > diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c > > index 2ac4e87898c0..36543401f296 100644 > > --- a/utils/mountd/v4root.c > > +++ b/utils/mountd/v4root.c > > @@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo, int > > flags) > > struct flav_info *flav; > > int i; > > > > - if ((flags & NFSEXP_ROOTSQUASH) == 0) > > - pseudo->e_flags &= ~NFSEXP_ROOTSQUASH; > > for (flav = flav_map; flav < flav_map + flav_map_size; > > flav++) { > > struct sec_entry *new; > > > > Hmm... What is the harm in allowing root to be unsquashed here? Isn't > this really all about respecting lookup permissions, or could a user > actually modify something in the pseudofs? If the latter, then that > sounds like a bug (the pseudofs should always be read-only). Yeah, it should only be read-only. > The consequence of not being able to look up a directory in the > pseudofs is that the NFSv4 client will be completely unable to mount > that subtree, so squashing root could make a major difference. Fair enough, I'll resend. --b. ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 1/2] mountd: allow high ports on all pseudofs exports 2020-12-03 1:05 ` J. Bruce Fields @ 2020-12-03 1:14 ` bfields 2020-12-03 1:14 ` [PATCH 2/2] mountd: never root squash on the pseudofs bfields 0 siblings, 1 reply; 8+ messages in thread From: bfields @ 2020-12-03 1:14 UTC (permalink / raw) To: Steve Dickson; +Cc: linux-nfs, Trond Myklebust, J. Bruce Fields From: "J. Bruce Fields" <bfields@redhat.com> We originally tried to grant permissions on the v4 pseudoroot filesystem that were the absolute minimum required for a client to reach a given export. This turns out to be complicated, and we've never gotten it quite right. Also, the tradition from the MNT protocol was to allow anyone to browse the list of exports. So, do as we already did with security flavors and just allow clients from high ports to access the whole pseudofilesystem. Signed-off-by: J. Bruce Fields <bfields@redhat.com> --- utils/mountd/v4root.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c index a9ea167a07e0..39dd87a94e59 100644 --- a/utils/mountd/v4root.c +++ b/utils/mountd/v4root.c @@ -36,7 +36,7 @@ static nfs_export pseudo_root = { .e_path = "/", .e_flags = NFSEXP_READONLY | NFSEXP_ROOTSQUASH | NFSEXP_NOSUBTREECHECK | NFSEXP_FSID - | NFSEXP_V4ROOT, + | NFSEXP_V4ROOT | NFSEXP_INSECURE_PORT, .e_anonuid = 65534, .e_anongid = 65534, .e_squids = NULL, @@ -55,13 +55,11 @@ static nfs_export pseudo_root = { }; static void -set_pseudofs_security(struct exportent *pseudo, int flags) +set_pseudofs_security(struct exportent *pseudo) { struct flav_info *flav; int i; - if (flags & NFSEXP_INSECURE_PORT) - pseudo->e_flags |= NFSEXP_INSECURE_PORT; if ((flags & NFSEXP_ROOTSQUASH) == 0) pseudo->e_flags &= ~NFSEXP_ROOTSQUASH; for (flav = flav_map; flav < flav_map + flav_map_size; flav++) { @@ -70,8 +68,7 @@ set_pseudofs_security(struct exportent *pseudo, int flags) i = secinfo_addflavor(flav, pseudo); new = &pseudo->e_secinfo[i]; - if (flags & NFSEXP_INSECURE_PORT) - new->flags |= NFSEXP_INSECURE_PORT; + new->flags |= NFSEXP_INSECURE_PORT; } } @@ -90,7 +87,7 @@ v4root_create(char *path, nfs_export *export) strncpy(eep.e_path, path, sizeof(eep.e_path)-1); if (strcmp(path, "/") != 0) eep.e_flags &= ~NFSEXP_FSID; - set_pseudofs_security(&eep, curexp->e_flags); + set_pseudofs_security(&eep); exp = export_create(&eep, 0); if (exp == NULL) return NULL; @@ -138,7 +135,7 @@ pseudofs_update(char *hostname, char *path, nfs_export *source) return 0; } /* Update an existing V4ROOT export: */ - set_pseudofs_security(&exp->m_export, source->m_export.e_flags); + set_pseudofs_security(&exp->m_export); return 0; } -- 2.28.0 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/2] mountd: never root squash on the pseudofs 2020-12-03 1:14 ` [PATCH 1/2] mountd: allow high ports on all pseudofs exports bfields @ 2020-12-03 1:14 ` bfields 2020-12-26 19:32 ` Steve Dickson 0 siblings, 1 reply; 8+ messages in thread From: bfields @ 2020-12-03 1:14 UTC (permalink / raw) To: Steve Dickson; +Cc: linux-nfs, Trond Myklebust, J. Bruce Fields From: "J. Bruce Fields" <bfields@redhat.com> As with security flavors and "secure" ports, we tried to code this so that pseudofs directories would inherit root squashing from their children, but it doesn't really work as coded and I'm not sure it's useful. Let's just not root squash. The risk is pretty low since the pseudofs is readonly, and we'd rather not risk failing a mount unnecessarily. Signed-off-by: J. Bruce Fields <bfields@redhat.com> --- utils/mountd/v4root.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c index 39dd87a94e59..c42ba72380ea 100644 --- a/utils/mountd/v4root.c +++ b/utils/mountd/v4root.c @@ -34,7 +34,7 @@ static nfs_export pseudo_root = { .m_export = { .e_hostname = "*", .e_path = "/", - .e_flags = NFSEXP_READONLY | NFSEXP_ROOTSQUASH + .e_flags = NFSEXP_READONLY | NFSEXP_NOSUBTREECHECK | NFSEXP_FSID | NFSEXP_V4ROOT | NFSEXP_INSECURE_PORT, .e_anonuid = 65534, @@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo) struct flav_info *flav; int i; - if ((flags & NFSEXP_ROOTSQUASH) == 0) - pseudo->e_flags &= ~NFSEXP_ROOTSQUASH; for (flav = flav_map; flav < flav_map + flav_map_size; flav++) { struct sec_entry *new; -- 2.28.0 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] mountd: never root squash on the pseudofs 2020-12-03 1:14 ` [PATCH 2/2] mountd: never root squash on the pseudofs bfields @ 2020-12-26 19:32 ` Steve Dickson 0 siblings, 0 replies; 8+ messages in thread From: Steve Dickson @ 2020-12-26 19:32 UTC (permalink / raw) To: bfields; +Cc: linux-nfs, Trond Myklebust, J. Bruce Fields On 12/2/20 8:14 PM, bfields@fieldses.org wrote: > From: "J. Bruce Fields" <bfields@redhat.com> > > As with security flavors and "secure" ports, we tried to code this so > that pseudofs directories would inherit root squashing from their > children, but it doesn't really work as coded and I'm not sure it's > useful. > > Let's just not root squash. The risk is pretty low since the pseudofs > is readonly, and we'd rather not risk failing a mount unnecessarily. > > Signed-off-by: J. Bruce Fields <bfields@redhat.com> My apologies for taking so long to get to this... I lost it in the weeds ;-) Both patches Committed! steved. > --- > utils/mountd/v4root.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c > index 39dd87a94e59..c42ba72380ea 100644 > --- a/utils/mountd/v4root.c > +++ b/utils/mountd/v4root.c > @@ -34,7 +34,7 @@ static nfs_export pseudo_root = { > .m_export = { > .e_hostname = "*", > .e_path = "/", > - .e_flags = NFSEXP_READONLY | NFSEXP_ROOTSQUASH > + .e_flags = NFSEXP_READONLY > | NFSEXP_NOSUBTREECHECK | NFSEXP_FSID > | NFSEXP_V4ROOT | NFSEXP_INSECURE_PORT, > .e_anonuid = 65534, > @@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo) > struct flav_info *flav; > int i; > > - if ((flags & NFSEXP_ROOTSQUASH) == 0) > - pseudo->e_flags &= ~NFSEXP_ROOTSQUASH; > for (flav = flav_map; flav < flav_map + flav_map_size; flav++) { > struct sec_entry *new; > > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] mountd: allow high ports on all pseudofs exports 2020-12-02 22:56 [PATCH 1/2] mountd: allow high ports on all pseudofs exports J. Bruce Fields 2020-12-02 22:56 ` [PATCH 2/2] mountd: always root squash on the pseudofs J. Bruce Fields @ 2020-12-02 23:03 ` J. Bruce Fields 1 sibling, 0 replies; 8+ messages in thread From: J. Bruce Fields @ 2020-12-02 23:03 UTC (permalink / raw) To: Steve Dickson; +Cc: linux-nfs, J. Bruce Fields On Wed, Dec 02, 2020 at 05:56:43PM -0500, J. Bruce Fields wrote: > From: "J. Bruce Fields" <bfields@redhat.com> > > We originally tried to grant permissions on the v4 pseudoroot filesystem > that were the absolute minimum required for a client to reach a given > export. This turns out to be complicated, and we've never gotten it > quite right. Also, the tradition from the MNT protocol was to allow > anyone to browse the list of exports. > > So, do as we already did with security flavors and just allow clients > from high ports to access the whole pseudofilesystem. Oh, except then we may as well also remove this "flags" parameter. --b. diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c index 36543401f296..f6eb126660f3 100644 --- a/utils/mountd/v4root.c +++ b/utils/mountd/v4root.c @@ -55,7 +55,7 @@ static nfs_export pseudo_root = { }; static void -set_pseudofs_security(struct exportent *pseudo, int flags) +set_pseudofs_security(struct exportent *pseudo) { struct flav_info *flav; int i; @@ -85,7 +85,7 @@ v4root_create(char *path, nfs_export *export) strncpy(eep.e_path, path, sizeof(eep.e_path)-1); if (strcmp(path, "/") != 0) eep.e_flags &= ~NFSEXP_FSID; - set_pseudofs_security(&eep, curexp->e_flags); + set_pseudofs_security(&eep); exp = export_create(&eep, 0); if (exp == NULL) return NULL; @@ -133,7 +133,7 @@ pseudofs_update(char *hostname, char *path, nfs_export *source) return 0; } /* Update an existing V4ROOT export: */ - set_pseudofs_security(&exp->m_export, source->m_export.e_flags); + set_pseudofs_security(&exp->m_export); return 0; } ^ permalink raw reply related [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-12-26 19:33 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-12-02 22:56 [PATCH 1/2] mountd: allow high ports on all pseudofs exports J. Bruce Fields 2020-12-02 22:56 ` [PATCH 2/2] mountd: always root squash on the pseudofs J. Bruce Fields 2020-12-03 0:54 ` Trond Myklebust 2020-12-03 1:05 ` J. Bruce Fields 2020-12-03 1:14 ` [PATCH 1/2] mountd: allow high ports on all pseudofs exports bfields 2020-12-03 1:14 ` [PATCH 2/2] mountd: never root squash on the pseudofs bfields 2020-12-26 19:32 ` Steve Dickson 2020-12-02 23:03 ` [PATCH 1/2] mountd: allow high ports on all pseudofs exports J. Bruce Fields
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).