From: "J. Bruce Fields" <bfields@fieldses.org>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH 06/10] lockd: Add helper to sanity check incoming NOTIFY requests
Date: Wed, 1 Oct 2008 14:05:32 -0400 [thread overview]
Message-ID: <20081001180532.GE6001@fieldses.org> (raw)
In-Reply-To: <3DC9A32F-878A-4BA5-A1E5-7EDE6D1083EF@oracle.com>
On Wed, Oct 01, 2008 at 12:01:30PM -0400, Chuck Lever wrote:
> On Sep 26, 2008, at Sep 26, 2008, 6:43 PM, J. Bruce Fields wrote:
>> On Wed, Sep 17, 2008 at 11:17:57AM -0500, Chuck Lever wrote:
>>> The NLM performs a silly test to see that incoming NOTIFY requests
>>> are
>>> relatively secure. Make sure the test works for both AF_INET and
>>> AF_INET6
>>> addresses.
>>
>> Makes sense. (Why's the test silly? If it prevents local users from
>> telling lockd to drop a client's locks, that seems good.)
>
> I was referring to the port range part of the test. Anyone who wants
> real security will not rely on the port value, but will use SSL or
> third-party authentication like Kerberos.
Over the loopback interface?
This is a local call--if the kernel needs kerberos to decide whether a
local process is privileged, something's wrong.
--b.
>
>>
>>
>> --b.
>>
>>>
>>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
>>> ---
>>>
>>> fs/lockd/svc4proc.c | 6 ++----
>>> fs/lockd/svcproc.c | 6 ++----
>>> include/linux/lockd/lockd.h | 41 +++++++++++++++++++++++++++++++++
>>> ++++++++
>>> 3 files changed, 45 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/fs/lockd/svc4proc.c b/fs/lockd/svc4proc.c
>>> index 9e1c751..6a5ef9f 100644
>>> --- a/fs/lockd/svc4proc.c
>>> +++ b/fs/lockd/svc4proc.c
>>> @@ -432,11 +432,9 @@ nlm4svc_proc_sm_notify(struct svc_rqst *rqstp,
>>> struct nlm_reboot *argp,
>>> {
>>> struct sockaddr_in saddr;
>>>
>>> - memcpy(&saddr, svc_addr_in(rqstp), sizeof(saddr));
>>> -
>>> dprintk("lockd: SM_NOTIFY called\n");
>>> - if (saddr.sin_addr.s_addr != htonl(INADDR_LOOPBACK)
>>> - || ntohs(saddr.sin_port) >= 1024) {
>>> +
>>> + if (!nlm_privileged_requester(rqstp)) {
>>> char buf[RPC_MAX_ADDRBUFLEN];
>>> printk(KERN_WARNING "lockd: rejected NSM callback from %s\n",
>>> svc_print_addr(rqstp, buf, sizeof(buf)));
>>> diff --git a/fs/lockd/svcproc.c b/fs/lockd/svcproc.c
>>> index fcb7998..62fcfdb 100644
>>> --- a/fs/lockd/svcproc.c
>>> +++ b/fs/lockd/svcproc.c
>>> @@ -464,11 +464,9 @@ nlmsvc_proc_sm_notify(struct svc_rqst *rqstp,
>>> struct nlm_reboot *argp,
>>> {
>>> struct sockaddr_in saddr;
>>>
>>> - memcpy(&saddr, svc_addr_in(rqstp), sizeof(saddr));
>>> -
>>> dprintk("lockd: SM_NOTIFY called\n");
>>> - if (saddr.sin_addr.s_addr != htonl(INADDR_LOOPBACK)
>>> - || ntohs(saddr.sin_port) >= 1024) {
>>> +
>>> + if (!nlm_privileged_requester(rqstp)) {
>>> char buf[RPC_MAX_ADDRBUFLEN];
>>> printk(KERN_WARNING "lockd: rejected NSM callback from %s\n",
>>> svc_print_addr(rqstp, buf, sizeof(buf)));
>>> diff --git a/include/linux/lockd/lockd.h b/include/linux/lockd/
>>> lockd.h
>>> index 075095f..409eab4 100644
>>> --- a/include/linux/lockd/lockd.h
>>> +++ b/include/linux/lockd/lockd.h
>>> @@ -280,6 +280,47 @@ static inline struct inode
>>> *nlmsvc_file_inode(struct nlm_file *file)
>>> return file->f_file->f_path.dentry->d_inode;
>>> }
>>>
>>> +static inline int __nlm_privileged_request4(const struct sockaddr
>>> *sap)
>>> +{
>>> + const struct sockaddr_in *sin = (struct sockaddr_in *)sap;
>>> + return (sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) &&
>>> + (ntohs(sin->sin_port) < 1024);
>>> +}
>>> +
>>> +#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
>>> +static inline int __nlm_privileged_request6(const struct sockaddr
>>> *sap)
>>> +{
>>> + const struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sap;
>>> + return (ipv6_addr_type(&sin6->sin6_addr) & IPV6_ADDR_LOOPBACK) &&
>>> + (ntohs(sin6->sin6_port) < 1024);
>>> +}
>>> +#else /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
>>> +static inline int __nlm_privileged_request6(const struct sockaddr
>>> *sap)
>>> +{
>>> + return 0;
>>> +}
>>> +#endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
>>> +
>>> +/*
>>> + * Ensure incoming requests are suitably "secure"
>>> + *
>>> + * Return TRUE if sender is local and is connecting via a
>>> privileged port;
>>> + * otherwise return FALSE.
>>> + */
>>> +static inline int nlm_privileged_requester(const struct svc_rqst
>>> *rqstp)
>>> +{
>>> + const struct sockaddr *sap = svc_addr(rqstp);
>>> +
>>> + switch (sap->sa_family) {
>>> + case AF_INET:
>>> + return __nlm_privileged_request4(sap);
>>> + case AF_INET6:
>>> + return __nlm_privileged_request6(sap);
>>> + default:
>>> + return 0;
>>> + }
>>> +}
>>> +
>>> static inline int __nlm_cmp_addr4(const struct sockaddr *sap1,
>>> const struct sockaddr *sap2)
>>> {
>>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs"
>> in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com
>
>
>
>
next prev parent reply other threads:[~2008-10-01 18:05 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-17 16:17 [PATCH 00/10] Next series of IPv6 patches for lockd Chuck Lever
[not found] ` <20080917161337.4963.74674.stgit-ewv44WTpT0t9HhUboXbp9zCvJB+x5qRC@public.gmane.org>
2008-09-17 16:17 ` [PATCH 01/10] lockd: Support non-AF_INET addresses in nlm_lookup_host() Chuck Lever
[not found] ` <20080917161720.4963.42788.stgit-ewv44WTpT0t9HhUboXbp9zCvJB+x5qRC@public.gmane.org>
2008-09-26 21:53 ` J. Bruce Fields
2008-10-01 15:50 ` Chuck Lever
2008-10-01 18:21 ` J. Bruce Fields
2008-09-17 16:17 ` [PATCH 02/10] lockd: Adjust nlmclnt_lookup_host() signature to accomodate non-AF_INET Chuck Lever
[not found] ` <20080917161728.4963.48337.stgit-ewv44WTpT0t9HhUboXbp9zCvJB+x5qRC@public.gmane.org>
2008-09-26 22:02 ` J. Bruce Fields
2008-10-01 15:52 ` Chuck Lever
2008-10-01 18:23 ` J. Bruce Fields
2008-09-17 16:17 ` [PATCH 03/10] lockd: Adjust nlmsvc_lookup_host() to accomodate AF_INET6 addresses Chuck Lever
[not found] ` <20080917161735.4963.86248.stgit-ewv44WTpT0t9HhUboXbp9zCvJB+x5qRC@public.gmane.org>
2008-09-26 22:19 ` J. Bruce Fields
2008-10-01 15:59 ` Chuck Lever
2008-10-01 18:00 ` J. Bruce Fields
2008-09-17 16:17 ` [PATCH 04/10] lockd: change nlmclnt_grant() to take a "struct sockaddr *" Chuck Lever
[not found] ` <20080917161742.4963.24984.stgit-ewv44WTpT0t9HhUboXbp9zCvJB+x5qRC@public.gmane.org>
2008-09-26 22:21 ` J. Bruce Fields
2008-09-17 16:17 ` [PATCH 05/10] lockd: Adjust signature of nlm_host_rebooted to handle non-AF_INET Chuck Lever
[not found] ` <20080917161749.4963.84067.stgit-ewv44WTpT0t9HhUboXbp9zCvJB+x5qRC@public.gmane.org>
2008-09-26 22:27 ` J. Bruce Fields
2008-09-17 16:17 ` [PATCH 06/10] lockd: Add helper to sanity check incoming NOTIFY requests Chuck Lever
[not found] ` <20080917161757.4963.82230.stgit-ewv44WTpT0t9HhUboXbp9zCvJB+x5qRC@public.gmane.org>
2008-09-26 22:43 ` J. Bruce Fields
2008-10-01 16:01 ` Chuck Lever
2008-10-01 18:05 ` J. Bruce Fields [this message]
2008-09-17 16:18 ` [PATCH 07/10] lockd: Remove unused fields in the nlm_reboot structure Chuck Lever
[not found] ` <20080917161804.4963.71981.stgit-ewv44WTpT0t9HhUboXbp9zCvJB+x5qRC@public.gmane.org>
2008-09-26 22:53 ` J. Bruce Fields
2008-09-26 23:07 ` J. Bruce Fields
2008-09-17 16:18 ` [PATCH 08/10] lockd: struct nlm_reboot should contain a full socket address Chuck Lever
[not found] ` <20080917161811.4963.60224.stgit-ewv44WTpT0t9HhUboXbp9zCvJB+x5qRC@public.gmane.org>
2008-09-26 23:09 ` J. Bruce Fields
2008-10-01 16:17 ` Chuck Lever
2008-10-01 18:18 ` J. Bruce Fields
2008-10-01 19:40 ` Chuck Lever
2008-10-01 20:08 ` J. Bruce Fields
2008-10-01 20:33 ` J. Bruce Fields
2008-10-01 20:48 ` Chuck Lever
2008-10-01 20:55 ` J. Bruce Fields
2008-10-01 21:16 ` Chuck Lever
2008-10-01 21:30 ` J. Bruce Fields
2008-10-01 20:42 ` Chuck Lever
2008-10-01 20:51 ` J. Bruce Fields
2008-10-01 20:52 ` J. Bruce Fields
2008-09-17 16:18 ` [PATCH 09/10] lockd: IPv6 support for SM_MON / SM_UNMON Chuck Lever
2008-09-17 16:18 ` [PATCH 10/10] lockd: Use "unsigned short" for lockd_up() "proto" argument Chuck Lever
2008-09-26 23:21 ` [PATCH 00/10] Next series of IPv6 patches for lockd J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081001180532.GE6001@fieldses.org \
--to=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox