[PATCH 019 of 20] knfsd: nfsd: allow auth_sys nlm on rpcsec_gss exports

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: NeilBrown <neilb@suse.de>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: nfs@lists.sourceforge.net, linux-kernel@vger.kernel.org
Cc: "J. Bruce Fields" <bfields@citi.umich.edu>
Cc: J "." Bruce Fields <bfields@citi.umich.edu>
Cc: Neil Brown <neilb@suse.de>
Subject: [PATCH 019 of 20] knfsd: nfsd: allow auth_sys nlm on rpcsec_gss exports
Date: Tue, 10 Jul 2007 12:28:16 +1000	[thread overview]
Message-ID: <1070710022816.13624@suse.de> (raw)
In-Reply-To: 20070710121949.12548.patches@notabene

From: J. Bruce Fields <bfields@citi.umich.edu>

Our clients (like other clients, as far as I know) use only auth_sys for
nlm, even when using rpcsec_gss for the main nfs operations.

Administrators that want to deny non-kerberos-authenticated locking
requests will need to turn off NFS protocol versions less than 4....

Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>

### Diffstat output
 ./fs/nfsd/nfsfh.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff .prev/fs/nfsd/nfsfh.c ./fs/nfsd/nfsfh.c
--- .prev/fs/nfsd/nfsfh.c	2007-07-10 12:18:34.000000000 +1000
+++ ./fs/nfsd/nfsfh.c	2007-07-10 12:19:36.000000000 +1000
@@ -249,10 +249,16 @@ fh_verify(struct svc_rqst *rqstp, struct
 	if (error)
 		goto out;

-	/* Check security flavor */
-	error = check_nfsd_access(exp, rqstp);
-	if (error)
-		goto out;
+	if (!(access & MAY_LOCK)) {
+		/*
+		 * pseudoflavor restrictions are not enforced on NLM,
+		 * which clients virtually always use auth_sys for,
+		 * even while using RPCSEC_GSS for NFS.
+		 */
+		error = check_nfsd_access(exp, rqstp);
+		if (error)
+			goto out;
+	}

 	/* Finally, check access permissions. */
 	error = nfsd_permission(rqstp, exp, dentry, access);

next prev parent reply	other threads:[~2007-07-10  2:30 UTC|newest]

Thread overview: 46+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-07-10  2:22 [PATCH 000 of 20] knfsd: Support 'secinfo' exports with related cleanups NeilBrown
2007-07-10  2:22 ` [PATCH 001 of 20] knfsd: nfsd: make all exp_finding functions return -errno's on err NeilBrown
2007-07-10  2:23 ` [PATCH 002 of 20] knfsd: nfsd4: build rpcsec_gss whenever nfsd4 is built NeilBrown
2007-07-10  2:23 ` [PATCH 003 of 20] knfsd: nfsd4: store pseudoflavor in request NeilBrown
2007-07-10  2:23 ` [PATCH 004 of 20] knfsd: nfsd4: parse secinfo information in exports downcall NeilBrown
2007-07-10  2:24 ` [PATCH 005 of 20] knfsd: nfsd4: simplify exp_pseudoroot arguments NeilBrown
2007-07-10  2:24 ` [PATCH 006 of 20] knfsd: nfsd: remove superfluous assignment from nfsd_lookup NeilBrown
2007-07-10  2:24 ` [PATCH 007 of 20] knfsd: nfsd: provide export lookup wrappers which take a svc_rqst NeilBrown
2007-07-10  2:24 ` [PATCH 008 of 20] knfsd: nfsd: set rq_client to ip-address-determined-domain NeilBrown
2007-07-10  2:25 ` [PATCH 009 of 20] knfsd: nfsd: use ip-address-based domain in secinfo case NeilBrown
2007-07-10 16:06   ` J. Bruce Fields
2007-07-10  2:25 ` [PATCH 010 of 20] knfsd: nfsd: factor nfsd_lookup into 2 pieces NeilBrown
2007-07-10  2:25 ` [PATCH 011 of 20] knfsd: nfsd4: return nfserr_wrongsec NeilBrown
2007-07-10  2:26 ` [PATCH 012 of 20] knfsd: nfsd4: make readonly access depend on pseudoflavor NeilBrown
2007-07-13  7:27   ` Andrew Morton
2007-07-13  9:54     ` Christoph Hellwig
2007-07-10  2:27 ` [PATCH 013 of 20] knfsd: nfsd: factor out code from show_expflags NeilBrown
2007-07-13  7:29   ` Andrew Morton
2007-07-18 23:05     ` [NFS] " J. Bruce Fields
2007-07-19  0:16       ` Neil Brown
2007-07-19 15:35         ` J. Bruce Fields
2007-07-20  2:21           ` Neil Brown
2007-07-20  4:22             ` Satyam Sharma
2007-07-20 22:18             ` [PATCH] knfsd: Fix typo in export display, print uid and gid as unsigned J. Bruce Fields
2007-07-19  0:18       ` [NFS] [PATCH 013 of 20] knfsd: nfsd: factor out code from show_expflags Andrew Morton
2007-07-10  2:27 ` [PATCH 014 of 20] knfsd: nfsd: display export secinfo information NeilBrown
2007-07-10  2:27 ` [PATCH 015 of 20] knfsd: nfsd4: make readonly access depend on pseudoflavor NeilBrown
2007-07-13  7:12   ` Andrew Morton
2007-07-13  8:47     ` Andrew Morton
2007-07-10  2:27 ` [PATCH 016 of 20] knfsd: rpc: add gss krb5 and spkm3 oid values NeilBrown
2007-07-10  2:28 ` [PATCH 017 of 20] knfsd: nfsd4: implement secinfo NeilBrown
2007-07-10  2:28 ` [PATCH 018 of 20] knfsd: nfsd4: secinfo handling without secinfo= option NeilBrown
2007-07-10  2:28 ` NeilBrown [this message]
2007-07-10  2:28 ` [PATCH 020 of 20] knfsd: nfsd: enforce per-flavor id squashing NeilBrown
2007-07-13  7:33 ` [PATCH 000 of 20] knfsd: Support 'secinfo' exports with related cleanups Andrew Morton
2007-07-13 18:10   ` J. Bruce Fields
2007-07-13 18:42     ` Andrew Morton
2007-07-18 22:57       ` J. Bruce Fields
     [not found]         ` <2ac9f179334dc7894bb58b1c2fb62837a07fbbdf.1184798679.git.bfields@citi.umich.edu>
2007-07-18 22:57           ` [PATCH 1/5] nfsd: fix possible read-ahead cache and export table corruption J. Bruce Fields
     [not found]           ` <278646972e4b7eaf86d648d8ee2ae879f8b6b680.1184798679.git.bfields@citi.umich.edu>
2007-07-18 22:57             ` [PATCH 2/5] nfsd: return errors, not NULL, from export functions J. Bruce Fields
     [not found]           ` <ca76105264283034a0f3d9d138bded79f5b2f87e.1184798679.git.bfields@citi.umich.edu>
2007-07-18 22:57             ` [PATCH 3/5] nfsd: remove unnecessary NULL checks from nfsd_cross_mnt J. Bruce Fields
     [not found]           ` <fbbdd23e675df0288cf80243fdcd5e211fff855b.1184798679.git.bfields@citi.umich.edu>
2007-07-18 22:57             ` [PATCH 4/5] knfsd: move EX_RDONLY out of header J. Bruce Fields
2007-07-19  8:28             ` [NFS] " Christoph Hellwig
2007-07-19  8:36               ` Andrew Morton
     [not found]           ` <986bf36dcb843bf352799fad5c20f1764748ce22.1184798679.git.bfields@citi.umich.edu>
2007-07-18 22:57             ` [PATCH 5/5] knfsd: clean up EX_RDONLY J. Bruce Fields
2007-07-19  8:29             ` [NFS] " Christoph Hellwig

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1070710022816.13624@suse.de \
    --to=neilb@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nfs@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox