[PATCH 2/5] nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Pali Rohár" <pali@kernel.org>
To: Trond Myklebust <trondmy@kernel.org>, Anna Schumaker <anna@kernel.org>
Cc: linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 2/5] nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures
Date: Thu, 12 Sep 2024 15:02:17 +0200	[thread overview]
Message-ID: <20240912130220.17032-3-pali@kernel.org> (raw)
In-Reply-To: <20240912130220.17032-1-pali@kernel.org>

Linux NFS3 server returns NFS3ERR_ACCESS for PATHCONF procedure if
client-selected auth flavor is not enabled for export which is being
mounted. Ignoring this error results in choosing wrong auth flavor during
mount and so making the mount point inaccessible. It is because Linux NFS3
server allows to call other procedures used during mount time (FSINFO and
GETATTR) also with auth flavor which is explicitly disabled on particular
export.

This is particularly problem with mounting AUTH_NULL-only exports from
Linux NFS3 server as kernel client first try to use AUTH_UNIX auth flavor,
even when AUTH_UNIX is not announced by the MNTv3 server.

Do not propagate this failure for other auth methods, like GSS, as Linux
NFS3 server expects that accessing root export GSS dir may be done also by
other auth methods.

Signed-off-by: Pali Rohár <pali@kernel.org>
Cc: stable@vger.kernel.org
---
 fs/nfs/client.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 8286edd6062d..5171ae112355 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -864,7 +864,19 @@ static int nfs_probe_fsinfo(struct nfs_server *server, struct nfs_fh *mntfh, str
 		pathinfo.fattr = fattr;
 		nfs_fattr_init(fattr);

-		if (clp->rpc_ops->pathconf(server, mntfh, &pathinfo) >= 0)
+		error = clp->rpc_ops->pathconf(server, mntfh, &pathinfo);
+		/*
+		 * Linux NFS3 server for PATHCONF procedure returns back error
+		 * NFS3ERR_ACCESS when selected auth flavor is not enabled for
+		 * export. For auth flavors without authentication (none and
+		 * sys) propagate error back to nfs_probe_server() caller and
+		 * allow to choose different auth flavor.
+		 */
+		if (error == -EACCES && (
+		     server->client->cl_auth->au_flavor == RPC_AUTH_UNIX ||
+		     server->client->cl_auth->au_flavor == RPC_AUTH_NULL))
+			return error;
+		else if (error >= 0)
 			server->namelen = pathinfo.max_namelen;
 	}

-- 
2.20.1

next prev parent reply	other threads:[~2024-09-12 13:02 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-12 13:02 [PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports Pali Rohár
2024-09-12 13:02 ` [PATCH 1/5] nfs: Fix support for NFS3 mount with -o sec=none from Linux MNTv3 server Pali Rohár
2024-09-12 13:02 ` Pali Rohár [this message]
2024-09-12 13:02 ` [PATCH 3/5] nfs: Try to use AUTH_NULL for NFS3 mount when no -o sec was given Pali Rohár
2024-09-12 13:02 ` [PATCH 4/5] nfs: Fix -o sec=none output in /proc/mounts Pali Rohár
2024-09-12 13:02 ` [PATCH 5/5] nfs: Remove duplicate debug message 'using auth flavor' Pali Rohár
2024-09-12 21:06 ` [PATCH 0/5] nfs: Fix mounting NFS3 AUTH_NULL exports Anna Schumaker
2024-09-12 21:11   ` Pali Rohár
2024-10-05 15:15 ` Pali Rohár
2024-10-28  9:54   ` Pali Rohár
2024-12-22 16:40 ` Pali Rohár
2025-04-18 18:03   ` Pali Rohár
2025-05-04  8:48     ` Pali Rohár
2025-05-18  9:57       ` Pali Rohár
2025-09-20 13:35 ` Pali Rohár

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:8286edd6062 dfblob:5171ae11235 )
 OR (
bs:"[PATCH 2/5] nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240912130220.17032-3-pali@kernel.org \
    --to=pali@kernel.org \
    --cc=anna@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=trondmy@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox