Re: [PATCH] Do not bind to reserved ports registered in /etc/services

linux-nfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "J. Bruce Fields" <bfields@fieldses.org>
To: Chuck Lever <chucklever@gmail.com>
Cc: Guillem Jover <gjover@sipwise.com>,
	libtirpc List <libtirpc-devel@lists.sourceforge.net>,
	Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] Do not bind to reserved ports registered in /etc/services
Date: Thu, 8 Mar 2018 16:26:00 -0500	[thread overview]
Message-ID: <20180308212600.GB16485@fieldses.org> (raw)
In-Reply-To: <20180308202423.GA16485@fieldses.org>

On Thu, Mar 08, 2018 at 03:24:23PM -0500, bfields wrote:
> Looks like knfsd's not helpful here, though: the export option
> ("secure"/"insecure") defaults to "secure", which always requires a low
> port.  It should be easy to modify "secure" to mean "require low ports
> only for auth_sys/auth_null", and that's probably the right thing to do.

Disclaimer: totally untested.

--b.

commit ddc2a5f5ce98
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Thu Mar 8 15:49:48 2018 -0500

    nfsd: don't require low ports for gss requests
    
    In a traditional NFS deployment using auth_unix, the clients are trusted
    to correctly report the credentials of their logged-in users.  The
    server assumes that only root on client machines is allowed to send
    requests from low-numbered ports, so it can use the originating port
    number to distinguish "real" NFS clients from NFS clients run by
    ordinary users, to prevent ordinary users from spoofing credentials.
    
    The originating port number on a gss-authenticated request is less
    important.  The authentication ties the request to a user, and we take
    it as proof that that user authorized the request.  The low port number
    check no longer adds much.
    
    So, don't enforce low port numbers in the auth_gss case.
    
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index 8aa011820c4a..764e6cae6533 100644
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -87,13 +87,23 @@ nfsd_mode_check(struct svc_rqst *rqstp, struct dentry *dentry,
 	return nfserr_inval;
 }
 
+static bool nfsd_originating_port_ok(struct svc_rqst *rqstp, int flags)
+{
+	if (flags & NFSEXP_INSECURE_PORT)
+		return true;
+	/* We don't require gss requests to use low ports: */
+	if (rqstp->rq_cred.cr_flavor >= RPC_AUTH_GSS)
+		return true;
+	return test_bit(RQ_SECURE, &rqstp->rq_flags);
+}
+
 static __be32 nfsd_setuser_and_check_port(struct svc_rqst *rqstp,
 					  struct svc_export *exp)
 {
 	int flags = nfsexp_flags(rqstp, exp);
 
 	/* Check if the request originated from a secure port. */
-	if (!test_bit(RQ_SECURE, &rqstp->rq_flags) && !(flags & NFSEXP_INSECURE_PORT)) {
+	if (!nfsd_originating_port_ok(rqstp, flags)) {
 		RPC_IFDEBUG(char buf[RPC_MAX_ADDRBUFLEN]);
 		dprintk("nfsd: request from insecure port %s!\n",
 		        svc_print_addr(rqstp, buf, sizeof(buf)));

next prev parent reply	other threads:[~2018-03-08 21:26 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-10  0:49 [PATCH] Do not bind to reserved ports registered in /etc/services Guillem Jover
2018-01-11 15:18 ` Steve Dickson
2018-01-12 18:41   ` Guillem Jover
2018-01-12 19:12     ` [Libtirpc-devel] " Thorsten Kukuk
2018-01-12 19:19     ` Tom Talpey
2018-02-08 18:07       ` Chuck Lever
2018-02-08 18:36         ` Chuck Lever
2018-03-06 18:09           ` Chuck Lever
2018-03-08 20:24             ` J. Bruce Fields
2018-03-08 21:26               ` J. Bruce Fields [this message]
2018-03-08 21:28                 ` [Libtirpc-devel] " Chuck Lever
2018-03-08 21:35                   ` Bruce Fields
2018-01-11 15:50 ` Chuck Lever
2018-01-12 18:05   ` Guillem Jover
2018-01-12 19:12     ` Chuck Lever
2018-01-12 21:12       ` [Libtirpc-devel] " Thorsten Kukuk
2018-01-12 21:14         ` Chuck Lever
2018-01-12 21:30           ` Matt Benjamin
2018-01-12 22:08         ` Steve Dickson

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:8aa011820c4 dfblob:764e6cae653 )
 OR (
bs:"Re: [PATCH] Do not bind to reserved ports registered in /etc/services" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180308212600.GB16485@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=chucklever@gmail.com \
    --cc=gjover@sipwise.com \
    --cc=libtirpc-devel@lists.sourceforge.net \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).