From: Frank Sorenson <sorenson@redhat.com>
To: linux-nfs@vger.kernel.org
Subject: mountd does not check for membership of IP addresses in netgroups if the IP is resolvable
Date: Thu, 22 Oct 2015 16:58:24 -0400 (EDT)
Message-ID: <1686719493.36610358.1445547504794.JavaMail.zimbra@redhat.com>
In-Reply-To: <1652759591.36606461.1445546958744.JavaMail.zimbra@redhat.com>

If a netgroup entry specifies an IP address, and that IP address
can be resolved to a name, the current match code in mountd only
tests whether the canonical name and any aliases are in the
netgroup, and does not test whether the IP address is in the netgroup.
(IP addresses which do not resolve to a name are already checked
for membership in the netgroup.)

The following demonstrates this issue:

/etc/netgroup:
test_netgroup (127.0.0.1,-,-)

/etc/exports:
/data @test_netgroup(rw,sync)

# mkdir /data
# mkdir -p /mnt/test
# exportfs -a
# mount localhost:/data /mnt/test

Assuming that there is a localhost entry in /etc/hosts, this will fail:

mount.nfs: access denied by server while mounting localhost:/data

The patch below adds the code to test for the IP addresses in
the netgroup, and the mount now succeeds.

Author: Frank Sorenson <sorenson@redhat.com>
Date:   Thu Oct 22 15:38:17 2015 -0500

    mountd: fix netgroup lookup for resolvable IP addresses

    If a netgroup entry specifies an IP address, and that
    IP address can be resolved to a name, mountd will
    currently only test whether the canonical name and
    any aliases are in the netgroup, and does not test
    whether the IP address is in the netgroup (IP
    addresses which do not resolve to a name are
    already checked against the netgroup).

    This patch adds the check to see whether the IP
    addresses are in the netgroup.

    Signed-off-by: Frank Sorenson <sorenson@redhat.com>

diff --git a/support/export/client.c b/support/export/client.c
index 95156f0..f6c58f2 100644
--- a/support/export/client.c
+++ b/support/export/client.c
@@ -686,6 +686,21 @@ check_netgroup(const nfs_client *clp, const struct addrinfo *ai)
}
}
+ /* check whether the IP itself is in the netgroup */
+ for (tmp = ai ; tmp != NULL ; tmp = tmp->ai_next) {
+ free(hname);
+ hname = calloc(INET6_ADDRSTRLEN, 1);
+
+ if (inet_ntop(tmp->ai_family, &(((struct sockaddr_in *)tmp->ai_addr)->sin_addr), hname, INET6_ADDRSTRLEN) != hname) {
+ xlog(D_GENERAL, " %s: unable to inet_ntop addrinfo %p: %m", __func__, tmp, errno);
+ goto out;
+ }
+ if (innetgr(netgroup, hname, NULL, NULL)) {
+ match = 1;
+ goto out;
+ }
+ }
+
/* Okay, strip off the domain (if we have one) */
dot = strchr(hname, '.');
if (dot == NULL)
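
Review bot: the new loop reuses `hname` for the printable addresses, so when no address matches, the code immediately after the loop (`/* Okay, strip off the domain (if we have one) */` and `dot = strchr(hname, '.')`) now operates on the last IP string instead of the resolved host name it was written for; for the 127.0.0.1 case in the cover letter that strips "127.0.0.1" down to "127", and the existing short-name check is lost. Keep the addresses in a separate buffer (for example `char addr[INET6_ADDRSTRLEN];` on the stack, which also removes the per-iteration `free(hname); hname = calloc(INET6_ADDRSTRLEN, 1);`) so `hname` still holds the resolved name when the loop falls through. Second, the `inet_ntop()` call casts every `ai_addr` to `struct sockaddr_in *` and passes `sin_addr` regardless of `tmp->ai_family`; for an AF_INET6 entry that points at the wrong offset within `struct sockaddr_in6`, so the loop should branch on the family and use `((struct sockaddr_in6 *)tmp->ai_addr)->sin6_addr` for IPv6. Minor: `%m` consumes no argument, so the trailing `errno` passed to `xlog()` is unused, and `goto out` on a failed conversion abandons the remaining addresses and the fallback below where `continue` would do.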
Thread overview:
[not found] <1652759591.36606461.1445546958744.JavaMail.zimbra@redhat.com>
2015-10-22 20:58 ` Frank Sorenson [this message]
2015-11-04 21:50 ` mountd does not check for membership of IP addresses in netgroups if the IP is resolvable Steve Dickson