From: "J. Bruce Fields" <bfields@fieldses.org>
To: linux-nfs@vger.kernel.org
Subject: [PATCH] nfsd: allow secinfo to bypass gss checks
Date: Thu, 30 Jun 2011 14:47:04 -0400 [thread overview]
Message-ID: <20110630184704.GD18713@fieldses.org> (raw)
Also planning to queue this up for 3.1.... Objections?
commit ea53eb9a87848610f1a2465881d8ef6ab6c62c59
Author: J. Bruce Fields <bfields@redhat.com>
Date: Wed Jun 29 18:33:11 2011 -0400
nfsd: allow secinfo to bypass gss checks
PUTFH+SECINFO should succeed and return a security list even when using
an authentication flavor not permitted on the given filehandle.
There's the risk of a small information leak here: as part of the
SECINFO, we have to do a lookup. If that lookup fails, we return the
error from that lookup instead of a secinfo list. That allows an
unprivileged user to answer the question "does a file named $x exist in
directory $d" by guessing a filehandle for $d and then sending a secinfo
request for $x and seeing whether or not they get NFS4ERR_NOENT.
To avoid that, we return secinfo for the parent in the NOENT case.
Reported-by: Olga Kornievskaia <aglo@citi.umich.edu>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 96b6929..4f9c90b 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -762,19 +762,34 @@ nfsd4_secinfo(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
__be32 err;
fh_init(&resfh, NFS4_FHSIZE);
- err = fh_verify(rqstp, &cstate->current_fh, S_IFDIR, NFSD_MAY_EXEC);
+ err = fh_verify(rqstp, &cstate->current_fh, S_IFDIR,
+ NFSD_MAY_EXEC|NFSD_MAY_BYPASS_GSS);
if (err)
return err;
+ /*
+ * XXX: arguably we should do this with elevated privileges, to
+ * ensure consistent results regardless of the cred used by the
+ * client:
+ */
err = nfsd_lookup_dentry(rqstp, &cstate->current_fh,
secinfo->si_name, secinfo->si_namelen,
&exp, &dentry);
if (err)
return err;
if (dentry->d_inode == NULL) {
+ /*
+ * An nfserr_noent return would tell the rpc caller
+ * (who may be unprivileged) that a file by that name
+ * does not exist in this directory. That may be
+ * information we don't want to give out. So return
+ * secinfo list for the parent in that case instead of
+ * failing here.
+ */
exp_put(exp);
- err = nfserr_noent;
- } else
- secinfo->si_exp = exp;
+ exp = cstate->current_fh.fh_export;
+ exp_get(exp);
+ }
+ secinfo->si_exp = exp;
dput(dentry);
if (cstate->minorversion)
/* See rfc 5661 section 2.6.3.1.1.8 */
reply other threads:[~2011-06-30 18:47 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110630184704.GD18713@fieldses.org \
--to=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).