From: Steve Dickson <SteveD@redhat.com>
To: Frank Sorenson <sorenson@redhat.com>, linux-nfs@vger.kernel.org
Subject: Re: mountd does not check for membership of IP addresses in netgroups if the IP is resolvable
Date: Wed, 4 Nov 2015 16:50:52 -0500
Message-ID: <563A7DBC.4060403@RedHat.com>
In-Reply-To: <1686719493.36610358.1445547504794.JavaMail.zimbra@redhat.com>
On 10/22/2015 04:58 PM, Frank Sorenson wrote:
>
> If a netgroup entry specifies an IP address, and that IP address
> can be resolved to a name, the current match code in mountd only
> tests whether the canonical name and any aliases are in the
> netgroup, and does not test whether the IP address is in the netgroup.
>
> (IP addresses which do not resolve to a name are already checked
> for membership in the netgroup)
>
>
> The following demonstrates this issue:
>
> /etc/netgroup:
> test_netgroup (127.0.0.1,-,-)
>
> /etc/exports:
> /data @test_netgroup(rw,sync)
>
> # mkdir /data
> # mkdir -p /mnt/test
> # exportfs -a
> # mount localhost:/data /mnt/test
>
> assuming that there is a localhost entry in /etc/hosts, this will fail:
> mount.nfs: access denied by server while mounting localhost:/data
>
>
> The patch below adds the code to test for the IP addresses in
> the netgroup, and the mount now succeeds.
>
>
>
> Author: Frank Sorenson <sorenson@redhat.com>
> Date: Thu Oct 22 15:38:17 2015 -0500
>
> mountd: fix netgroup lookup for resolvable IP addresses
>
> If a netgroup entry specifies an IP address, and that
> IP address can be resolved to a name, mountd will
> currently only test whether the canonical name and
> any aliases are in the netgroup, and does not test
> whether the IP address is in the netgroup (IP
> addresses which do not resolve to a name are
> already checked against the netgroup).
>
> This patch adds the check to see whether the IP
> addresses are in the netgroup.
>
>
> Signed-off-by: Frank Sorenson <sorenson@redhat.com>
Committed...
steved.
>
> diff --git a/support/export/client.c b/support/export/client.c
> index 95156f0..f6c58f2 100644
> --- a/support/export/client.c
> +++ b/support/export/client.c
> @@ -686,6 +686,21 @@ check_netgroup(const nfs_client *clp, const struct addrinfo *ai)
> }
> }
>
> + /* check whether the IP itself is in the netgroup */
> + for (tmp = ai ; tmp != NULL ; tmp = tmp->ai_next) {
> + free(hname);
> + hname = calloc(INET6_ADDRSTRLEN, 1);
> +
> + if (inet_ntop(tmp->ai_family, &(((struct sockaddr_in *)tmp->ai_addr)->sin_addr), hname, INET6_ADDRSTRLEN) != hname) {
> + xlog(D_GENERAL, " %s: unable to inet_ntop addrinfo %p: %m", __func__, tmp, errno);
> + goto out;
> + }
> + if (innetgr(netgroup, hname, NULL, NULL)) {
> + match = 1;
> + goto out;
> + }
> + }
> +
> /* Okay, strip off the domain (if we have one) */
> dot = strchr(hname, '.');
> if (dot == NULL)
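
Review bot: the inet_ntop() call in the new loop casts tmp->ai_addr to struct sockaddr_in * unconditionally while passing tmp->ai_family as the family, so for an AF_INET6 entry it formats bytes at the sin_addr offset rather than sin6_addr, and the string handed to innetgr() is not the client's address. Pick the address pointer by ai_family (sin_addr for AF_INET, sin6_addr of a struct sockaddr_in6 for AF_INET6). Smaller points in the same loop: the calloc() result is passed on without a NULL check, and the xlog() call supplies errno as an argument although %m consumes none. Once the loop has run without a match, hname holds the last numeric address, so the following strchr(hname, '.') domain-stripping step operates on an IP string instead of the host name; a separate buffer for the address string would keep hname intact.
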