Re: [PATCH] nfsd: permit unauthenticated stat of export root

["J. Bruce Fields" <bfields@fieldses.org>]

On Thu, Aug 07, 2008 at 03:39:45PM -0400, Peter Staubach wrote:
> J. Bruce Fields wrote:
>> On Thu, Aug 07, 2008 at 02:23:40PM -0400, Peter Staubach wrote:
>>   
>>> J. Bruce Fields wrote:
>>>     
>>>> From: J. Bruce Fields <bfields@citi.umich.edu>
>>>>
>>>> RFC 2623 section 2.3.2 permits the server to bypass gss authentication
>>>> checks for certain operations that a client may perform when mounting.
>>>> In the case of a client that doesn't have some form of credentials
>>>> available to it on boot, this allows it to perform the mount unattended.
>>>> (Presumably real file access won't be needed until a user with
>>>> credentials logs in.)
>>>>
>>>> Being slightly more lenient allows lots of old clients to access
>>>> krb5-only exports, with the only loss being a small amount of
>>>> information leaked about the root directory of the export.
>>>>
>>>> This affects on v2 and v3; v4 still requires authentication for all
>>>> access.
>>>>
>>>> Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
>>>> ---
>>>>  fs/nfsd/nfs3proc.c        |    5 +++--
>>>>  fs/nfsd/nfsfh.c           |   30 ++++++++++++++++++++----------
>>>>  fs/nfsd/nfsproc.c         |    6 ++++--
>>>>  fs/nfsd/vfs.c             |    4 ++--
>>>>  include/linux/nfsd/nfsd.h |    3 ++-
>>>>  5 files changed, 31 insertions(+), 17 deletions(-)
>>>>
>>>> I intend to submit this for 2.6.28
>>>>
>>>> diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c
>>>> index 4d617ea..1419142 100644
>>>> --- a/fs/nfsd/nfs3proc.c
>>>> +++ b/fs/nfsd/nfs3proc.c
>>>> @@ -530,7 +530,7 @@ nfsd3_proc_fsstat(struct svc_rqst * rqstp, struct nfsd_fhandle    *argp,
>>>>  	dprintk("nfsd: FSSTAT(3)   %s\n",
>>>>  				SVCFH_fmt(&argp->fh));
>>>>  -	nfserr = nfsd_statfs(rqstp, &argp->fh, &resp->stats);
>>>> +	nfserr = nfsd_statfs(rqstp, &argp->fh, &resp->stats, 0);
>>>>  	fh_put(&argp->fh);
>>>>  	RETURN_STATUS(nfserr);
>>>>  }
>>>> @@ -558,7 +558,8 @@ nfsd3_proc_fsinfo(struct svc_rqst * rqstp, struct nfsd_fhandle    *argp,
>>>>  	resp->f_maxfilesize = ~(u32) 0;
>>>>  	resp->f_properties = NFS3_FSF_DEFAULT;
>>>>  -	nfserr = fh_verify(rqstp, &argp->fh, 0, NFSD_MAY_NOP);
>>>> +	nfserr = fh_verify(rqstp, &argp->fh, 0,
>>>> +			NFSD_MAY_NOP | NFSD_MAY_BYPASS_GSS_ON_ROOT);
>>>>   	/* Check special features of the file system. May request
>>>>  	 * different read/write sizes for file systems known to have
>>>>         
>>> I would think that you might want to have nfsd3_proc_getattr()
>>> in this list too.  Some clients may need to generate a GETATTR
>>> if they need the attributes for the root node.
>>>     
>>
>> Do you know of any? rfc 2623 makes it sound like those clients are out
>> of luck.  And testing confirms that this patch is sufficient for the
>> linux client, at least.
>
> I believe that the Solaris client may.  I think that it may
> use the attributes returned from the FSINFO call, if there
> are any, to prevent the additional GETATTR, but this should
> be tested.  It might also be interesting to test out a
> readonly failover mount on the Solaris client to see what
> behavior that that exhibits.

OK, could be.  Volunteers to test that welcomed--for now I think I'll
stick to the list in the RFC.

--b.