Commit bb4f07f2 authored by Pali Rohár's avatar Pali Rohár Committed by Chuck Lever
Browse files

nfsd: Fix NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT 



Currently NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT do not bypass
only GSS, but bypass any method. This is a problem specially for NFS3
AUTH_NULL-only exports.

The purpose of NFSD_MAY_BYPASS_GSS_ON_ROOT is described in RFC 2623,
section 2.3.2, to allow mounting NFS2/3 GSS-only export without
authentication. So few procedures which do not expose security risk used
during mount time can be called also with AUTH_NONE or AUTH_SYS, to allow
client mount operation to finish successfully.

The problem with current implementation is that for AUTH_NULL-only exports,
the NFSD_MAY_BYPASS_GSS_ON_ROOT is active also for NFS3 AUTH_UNIX mount
attempts which confuse NFS3 clients, and make them think that AUTH_UNIX is
enabled and is working. Linux NFS3 client never switches from AUTH_UNIX to
AUTH_NONE on active mount, which makes the mount inaccessible.

Fix the NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT implementation
and really allow to bypass only exports which have enabled some real
authentication (GSS, TLS, or any other).

The result would be: For AUTH_NULL-only export if client attempts to do
mount with AUTH_UNIX flavor then it will receive access errors, which
instruct client that AUTH_UNIX flavor is not usable and will either try
other auth flavor (AUTH_NULL if enabled) or fails mount procedure.
Similarly if client attempt to do mount with AUTH_NULL flavor and only
AUTH_UNIX flavor is enabled then the client will receive access error.

This should fix problems with AUTH_NULL-only or AUTH_UNIX-only exports if
client attempts to mount it with other auth flavor (e.g. with AUTH_NULL for
AUTH_UNIX-only export, or with AUTH_UNIX for AUTH_NULL-only export).

Signed-off-by: default avatarPali Rohár <pali@kernel.org>
Reviewed-by: default avatarNeilBrown <neilb@suse.de>
Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
parent 60002092

fs/nfsd/export.c

+20 −1
Original line number Diff line number Diff line
@@ -1078,12 +1078,14 @@ static struct svc_export *exp_find(struct cache_detail *cd, 
 * check_nfsd_access - check if access to export is allowed.

 * @exp: svc_export that is being accessed.

 * @rqstp: svc_rqst attempting to access @exp (will be NULL for LOCALIO).

 * @may_bypass_gss: reduce strictness of authorization check

 *

 * Return values:

 *   %nfs_ok if access is granted, or

 *   %nfserr_wrongsec if access is denied

 */

__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)

__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,

			 bool may_bypass_gss)

{

	struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors;

	struct svc_xprt *xprt;
@@ -1140,6 +1142,23 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) 
	if (nfsd4_spo_must_allow(rqstp))

		return nfs_ok;



	/* Some calls may be processed without authentication

	 * on GSS exports. For example NFS2/3 calls on root

	 * directory, see section 2.3.2 of rfc 2623.

	 * For "may_bypass_gss" check that export has really

	 * enabled some flavor with authentication (GSS or any

	 * other) and also check that the used auth flavor is

	 * without authentication (none or sys).

	 */

	if (may_bypass_gss && (

	     rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL ||

	     rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)) {

		for (f = exp->ex_flavors; f < end; f++) {

			if (f->pseudoflavor >= RPC_AUTH_DES)

				return 0;

		}

	}



denied:

	return nfserr_wrongsec;

}

fs/nfsd/export.h

+2 −1
Original line number Diff line number Diff line
@@ -101,7 +101,8 @@ struct svc_expkey { 


struct svc_cred;

int nfsexp_flags(struct svc_cred *cred, struct svc_export *exp);

__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp);

__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,

			 bool may_bypass_gss);



/*

 * Function declarations

fs/nfsd/nfs4proc.c

+1 −1
Original line number Diff line number Diff line
@@ -2797,7 +2797,7 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) 


			if (current_fh->fh_export &&

					need_wrongsec_check(rqstp))

				op->status = check_nfsd_access(current_fh->fh_export, rqstp);

				op->status = check_nfsd_access(current_fh->fh_export, rqstp, false);

		}

encode_op:

		if (op->status == nfserr_replay_me) {

fs/nfsd/nfs4xdr.c

+1 −1
Original line number Diff line number Diff line
@@ -3767,7 +3767,7 @@ nfsd4_encode_entry4_fattr(struct nfsd4_readdir *cd, const char *name, 
			nfserr = nfserrno(err);

			goto out_put;

		}

		nfserr = check_nfsd_access(exp, cd->rd_rqstp);

		nfserr = check_nfsd_access(exp, cd->rd_rqstp, false);

		if (nfserr)

			goto out_put;

fs/nfsd/nfsfh.c

+6 −3
Original line number Diff line number Diff line
@@ -320,6 +320,7 @@ __fh_verify(struct svc_rqst *rqstp, 
{

	struct nfsd_net *nn = net_generic(net, nfsd_net_id);

	struct svc_export *exp = NULL;

	bool may_bypass_gss = false;

	struct dentry	*dentry;

	__be32		error;
@@ -367,8 +368,10 @@ __fh_verify(struct svc_rqst *rqstp, 
	 * which clients virtually always use auth_sys for,

	 * even while using RPCSEC_GSS for NFS.

	 */

	if (access & NFSD_MAY_LOCK || access & NFSD_MAY_BYPASS_GSS)

	if (access & NFSD_MAY_LOCK)

		goto skip_pseudoflavor_check;

	if (access & NFSD_MAY_BYPASS_GSS)

		may_bypass_gss = true;

	/*

	 * Clients may expect to be able to use auth_sys during mount,

	 * even if they use gss for everything else; see section 2.3.2
@@ -376,9 +379,9 @@ __fh_verify(struct svc_rqst *rqstp, 
	 */

	if (access & NFSD_MAY_BYPASS_GSS_ON_ROOT

			&& exp->ex_path.dentry == dentry)

		goto skip_pseudoflavor_check;

		may_bypass_gss = true;



	error = check_nfsd_access(exp, rqstp);

	error = check_nfsd_access(exp, rqstp, may_bypass_gss);

	if (error)

		goto out;