[PATCH] mountd: Add a default flavor to an export's e_secinfo list

[PATCH] mountd: Add a default flavor to an export's e_secinfo list

[Chuck Lever]

The list of security flavors that mountd allows for the NFSv4
pseudo-fs is constructed from the union of flavors of all current
exports.

exports(5) documents that the default security flavor for an
export, if "sec=" is not specified, is "sys".  Suppose
/etc/exports contains:

/a	*(rw)
/b	*(rw,sec=krb5:krb5i:krb5p)

The resulting security flavor list for the pseudo-fs is missing
"sec=sys".  /proc/net/rpc/nfsd.export/content contains:

/a	*(rw,root_squash,sync,wdelay,no_subtree_check,
		uuid=095c95bc:08e4407a:91ab8601:05fe0bbf)
/b	*(rw,root_squash,sync,wdelay,no_subtree_check,
		uuid=2a6fe811:0cf044a7:8fc75ebe:65180068,
		sec=390003:390004:390005)
/	*(ro,root_squash,sync,no_wdelay,v4root,fsid=0,
		uuid=2a6fe811:0cf044a7:8fc75ebe:65180068,
		sec=390003:390004:390005)

The root entry is not correct, as there does exist an export whose
unspecified default security flavor is "sys".  The security settings
on the root cause sec=sys mount attempts to be incorrectly rejected.

The reason is that when the line in /etc/exports for "/a" is parsed,
the e_secinfo list for that exportent is left empty.  Thus the union
of e_secinfo lists created by set_pseudofs_security() is
"krb5:krb5i:krb5p".

I fixed this by ensuring that if no "sec=" option is specified for
an export, its e_secinfo list gets at least an entry for AUTH_UNIX.

[ Yes, we could make the security flavors allowed for the pseudo-fs
a fixed list of all flavors the server supports.  That becomes
complicated by the special meaning of AUTH_NULL, and we still have
to check /etc/exports for whether Kerberos flavors should be listed.
I opted for a simple approach for now. ]

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---

 support/nfs/exports.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/support/nfs/exports.c b/support/nfs/exports.c
index 84a2b08..6c08a2b 100644
--- a/support/nfs/exports.c
+++ b/support/nfs/exports.c
@@ -643,6 +643,8 @@ bad_option:
 			cp++;
 	}
 
+	if (ep->e_secinfo[0].flav == NULL)
+		secinfo_addflavor(find_flavor("sys"), ep);
 	fix_pseudoflavor_flags(ep);
 	ep->e_squids = squids;
 	ep->e_sqgids = sqgids;

Re: [PATCH] mountd: Add a default flavor to an export's e_secinfo list

[J. Bruce Fields]

On Wed, Mar 20, 2013 at 06:31:30PM -0400, Chuck Lever wrote:
> The list of security flavors that mountd allows for the NFSv4
> pseudo-fs is constructed from the union of flavors of all current
> exports.
> 
> exports(5) documents that the default security flavor for an
> export, if "sec=" is not specified, is "sys".  Suppose
> /etc/exports contains:
> 
> /a	*(rw)
> /b	*(rw,sec=krb5:krb5i:krb5p)
> 
> The resulting security flavor list for the pseudo-fs is missing
> "sec=sys".  /proc/net/rpc/nfsd.export/content contains:
> 
> /a	*(rw,root_squash,sync,wdelay,no_subtree_check,
> 		uuid=095c95bc:08e4407a:91ab8601:05fe0bbf)
> /b	*(rw,root_squash,sync,wdelay,no_subtree_check,
> 		uuid=2a6fe811:0cf044a7:8fc75ebe:65180068,
> 		sec=390003:390004:390005)
> /	*(ro,root_squash,sync,no_wdelay,v4root,fsid=0,
> 		uuid=2a6fe811:0cf044a7:8fc75ebe:65180068,
> 		sec=390003:390004:390005)
> 
> The root entry is not correct, as there does exist an export whose
> unspecified default security flavor is "sys".  The security settings
> on the root cause sec=sys mount attempts to be incorrectly rejected.
> 
> The reason is that when the line in /etc/exports for "/a" is parsed,
> the e_secinfo list for that exportent is left empty.  Thus the union
> of e_secinfo lists created by set_pseudofs_security() is
> "krb5:krb5i:krb5p".
> 
> I fixed this by ensuring that if no "sec=" option is specified for
> an export, its e_secinfo list gets at least an entry for AUTH_UNIX.
> 
> [ Yes, we could make the security flavors allowed for the pseudo-fs
> a fixed list of all flavors the server supports.  That becomes
> complicated by the special meaning of AUTH_NULL, and we still have
> to check /etc/exports for whether Kerberos flavors should be listed.
> I opted for a simple approach for now. ]
> 
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

Makes sense to me.--b.

> ---
> 
>  support/nfs/exports.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/support/nfs/exports.c b/support/nfs/exports.c
> index 84a2b08..6c08a2b 100644
> --- a/support/nfs/exports.c
> +++ b/support/nfs/exports.c
> @@ -643,6 +643,8 @@ bad_option:
>  			cp++;
>  	}
>  
> +	if (ep->e_secinfo[0].flav == NULL)
> +		secinfo_addflavor(find_flavor("sys"), ep);
>  	fix_pseudoflavor_flags(ep);
>  	ep->e_squids = squids;
>  	ep->e_sqgids = sqgids;
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] mountd: Add a default flavor to an export's e_secinfo list

[Steve Dickson]

On 20/03/13 18:31, Chuck Lever wrote:
> The list of security flavors that mountd allows for the NFSv4
> pseudo-fs is constructed from the union of flavors of all current
> exports.
> 
> exports(5) documents that the default security flavor for an
> export, if "sec=" is not specified, is "sys".  Suppose
> /etc/exports contains:
> 
> /a	*(rw)
> /b	*(rw,sec=krb5:krb5i:krb5p)
> 
> The resulting security flavor list for the pseudo-fs is missing
> "sec=sys".  /proc/net/rpc/nfsd.export/content contains:
> 
> /a	*(rw,root_squash,sync,wdelay,no_subtree_check,
> 		uuid=095c95bc:08e4407a:91ab8601:05fe0bbf)
> /b	*(rw,root_squash,sync,wdelay,no_subtree_check,
> 		uuid=2a6fe811:0cf044a7:8fc75ebe:65180068,
> 		sec=390003:390004:390005)
> /	*(ro,root_squash,sync,no_wdelay,v4root,fsid=0,
> 		uuid=2a6fe811:0cf044a7:8fc75ebe:65180068,
> 		sec=390003:390004:390005)
> 
> The root entry is not correct, as there does exist an export whose
> unspecified default security flavor is "sys".  The security settings
> on the root cause sec=sys mount attempts to be incorrectly rejected.
> 
> The reason is that when the line in /etc/exports for "/a" is parsed,
> the e_secinfo list for that exportent is left empty.  Thus the union
> of e_secinfo lists created by set_pseudofs_security() is
> "krb5:krb5i:krb5p".
> 
> I fixed this by ensuring that if no "sec=" option is specified for
> an export, its e_secinfo list gets at least an entry for AUTH_UNIX.
> 
> [ Yes, we could make the security flavors allowed for the pseudo-fs
> a fixed list of all flavors the server supports.  That becomes
> complicated by the special meaning of AUTH_NULL, and we still have
> to check /etc/exports for whether Kerberos flavors should be listed.
> I opted for a simple approach for now. ]
> 
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Committed...

steved.
> ---
> 
>  support/nfs/exports.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/support/nfs/exports.c b/support/nfs/exports.c
> index 84a2b08..6c08a2b 100644
> --- a/support/nfs/exports.c
> +++ b/support/nfs/exports.c
> @@ -643,6 +643,8 @@ bad_option:
>  			cp++;
>  	}
>  
> +	if (ep->e_secinfo[0].flav == NULL)
> +		secinfo_addflavor(find_flavor("sys"), ep);
>  	fix_pseudoflavor_flags(ep);
>  	ep->e_squids = squids;
>  	ep->e_sqgids = sqgids;
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>