			
		
		
		
	NFSv4: Fix security auto-negotiation
NFSv4 security auto-negotiation has been broken since
commit 4580a92d44 (NFS:
Use server-recommended security flavor by default (NFSv3))
because nfs4_try_mount() will automatically select AUTH_SYS
if it sees no auth flavours.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Chuck Lever <chuck.lever@oracle.com>
			
			
		
							parent
							
								
									19e7b8d240
								
							
						
					
					
						commit
						5e6b19901b
					
				
					 6 changed files with 30 additions and 18 deletions
				
			
		| 
						 | 
				
			
			@ -358,7 +358,7 @@ extern struct dentry *nfs_get_root(struct super_block *, struct nfs_fh *,
 | 
			
		|||
extern struct dentry *nfs4_get_root(struct super_block *, struct nfs_fh *,
 | 
			
		||||
				    const char *);
 | 
			
		||||
 | 
			
		||||
extern int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh);
 | 
			
		||||
extern int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh, bool);
 | 
			
		||||
#endif
 | 
			
		||||
 | 
			
		||||
struct nfs_pgio_completion_ops;
 | 
			
		||||
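Review bot: The new third parameter of `nfs4_get_rootfh()` is declared as a bare `bool`, while the other two parameters on the same line are named, so the header no longer says what the flag controls. Suggest `extern int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh, bool auth_probe);`, which matches the name used in the definition changed later in this commit.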
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -221,7 +221,7 @@ struct vfsmount *nfs4_submount(struct nfs_server *, struct dentry *,
 | 
			
		|||
/* nfs4proc.c */
 | 
			
		||||
extern int nfs4_proc_setclientid(struct nfs_client *, u32, unsigned short, struct rpc_cred *, struct nfs4_setclientid_res *);
 | 
			
		||||
extern int nfs4_proc_setclientid_confirm(struct nfs_client *, struct nfs4_setclientid_res *arg, struct rpc_cred *);
 | 
			
		||||
extern int nfs4_proc_get_rootfh(struct nfs_server *, struct nfs_fh *, struct nfs_fsinfo *);
 | 
			
		||||
extern int nfs4_proc_get_rootfh(struct nfs_server *, struct nfs_fh *, struct nfs_fsinfo *, bool);
 | 
			
		||||
extern int nfs4_proc_bind_conn_to_session(struct nfs_client *, struct rpc_cred *cred);
 | 
			
		||||
extern int nfs4_proc_exchange_id(struct nfs_client *clp, struct rpc_cred *cred);
 | 
			
		||||
extern int nfs4_destroy_clientid(struct nfs_client *clp);
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -885,7 +885,7 @@ static void nfs4_session_set_rwsize(struct nfs_server *server)
 | 
			
		|||
}
 | 
			
		||||
 | 
			
		||||
static int nfs4_server_common_setup(struct nfs_server *server,
 | 
			
		||||
		struct nfs_fh *mntfh)
 | 
			
		||||
		struct nfs_fh *mntfh, bool auth_probe)
 | 
			
		||||
{
 | 
			
		||||
	struct nfs_fattr *fattr;
 | 
			
		||||
	int error;
 | 
			
		||||
| 
						 | 
				
			
			@ -917,7 +917,7 @@ static int nfs4_server_common_setup(struct nfs_server *server,
 | 
			
		|||
 | 
			
		||||
 | 
			
		||||
	/* Probe the root fh to retrieve its FSID and filehandle */
 | 
			
		||||
	error = nfs4_get_rootfh(server, mntfh);
 | 
			
		||||
	error = nfs4_get_rootfh(server, mntfh, auth_probe);
 | 
			
		||||
	if (error < 0)
 | 
			
		||||
		goto out;
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			@ -949,6 +949,7 @@ out:
 | 
			
		|||
static int nfs4_init_server(struct nfs_server *server,
 | 
			
		||||
		const struct nfs_parsed_mount_data *data)
 | 
			
		||||
{
 | 
			
		||||
	rpc_authflavor_t pseudoflavor = RPC_AUTH_UNIX;
 | 
			
		||||
	struct rpc_timeout timeparms;
 | 
			
		||||
	int error;
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			@ -961,13 +962,16 @@ static int nfs4_init_server(struct nfs_server *server,
 | 
			
		|||
	server->flags = data->flags;
 | 
			
		||||
	server->options = data->options;
 | 
			
		||||
 | 
			
		||||
	if (data->auth_flavor_len >= 1)
 | 
			
		||||
		pseudoflavor = data->auth_flavors[0];
 | 
			
		||||
 | 
			
		||||
	/* Get a client record */
 | 
			
		||||
	error = nfs4_set_client(server,
 | 
			
		||||
			data->nfs_server.hostname,
 | 
			
		||||
			(const struct sockaddr *)&data->nfs_server.address,
 | 
			
		||||
			data->nfs_server.addrlen,
 | 
			
		||||
			data->client_address,
 | 
			
		||||
			data->auth_flavors[0],
 | 
			
		||||
			pseudoflavor,
 | 
			
		||||
			data->nfs_server.protocol,
 | 
			
		||||
			&timeparms,
 | 
			
		||||
			data->minorversion,
 | 
			
		||||
| 
						 | 
				
			
			@ -987,7 +991,7 @@ static int nfs4_init_server(struct nfs_server *server,
 | 
			
		|||
 | 
			
		||||
	server->port = data->nfs_server.port;
 | 
			
		||||
 | 
			
		||||
	error = nfs_init_server_rpcclient(server, &timeparms, data->auth_flavors[0]);
 | 
			
		||||
	error = nfs_init_server_rpcclient(server, &timeparms, pseudoflavor);
 | 
			
		||||
 | 
			
		||||
error:
 | 
			
		||||
	/* Done */
 | 
			
		||||
| 
						 | 
				
			
			@ -1005,6 +1009,7 @@ struct nfs_server *nfs4_create_server(struct nfs_mount_info *mount_info,
 | 
			
		|||
				      struct nfs_subversion *nfs_mod)
 | 
			
		||||
{
 | 
			
		||||
	struct nfs_server *server;
 | 
			
		||||
	bool auth_probe;
 | 
			
		||||
	int error;
 | 
			
		||||
 | 
			
		||||
	dprintk("--> nfs4_create_server()\n");
 | 
			
		||||
| 
						 | 
				
			
			@ -1013,12 +1018,14 @@ struct nfs_server *nfs4_create_server(struct nfs_mount_info *mount_info,
 | 
			
		|||
	if (!server)
 | 
			
		||||
		return ERR_PTR(-ENOMEM);
 | 
			
		||||
 | 
			
		||||
	auth_probe = mount_info->parsed->auth_flavor_len < 1;
 | 
			
		||||
 | 
			
		||||
	/* set up the general RPC client */
 | 
			
		||||
	error = nfs4_init_server(server, mount_info->parsed);
 | 
			
		||||
	if (error < 0)
 | 
			
		||||
		goto error;
 | 
			
		||||
 | 
			
		||||
	error = nfs4_server_common_setup(server, mount_info->mntfh);
 | 
			
		||||
	error = nfs4_server_common_setup(server, mount_info->mntfh, auth_probe);
 | 
			
		||||
	if (error < 0)
 | 
			
		||||
		goto error;
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			@ -1071,7 +1078,7 @@ struct nfs_server *nfs4_create_referral_server(struct nfs_clone_mount *data,
 | 
			
		|||
	if (error < 0)
 | 
			
		||||
		goto error;
 | 
			
		||||
 | 
			
		||||
	error = nfs4_server_common_setup(server, mntfh);
 | 
			
		||||
	error = nfs4_server_common_setup(server, mntfh, false);
 | 
			
		||||
	if (error < 0)
 | 
			
		||||
		goto error;
 | 
			
		||||
 | 
			
		||||
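Review bot: In `nfs4_init_server()` the new `pseudoflavor` local defaults to `RPC_AUTH_UNIX` when no flavour was parsed, and nothing at that spot says this is only the starting flavour for `nfs4_set_client()` and `nfs_init_server_rpcclient()`, with the final one left to the root-filehandle probe that `auth_probe` enables in `nfs4_create_server()`. A comment above `if (data->auth_flavor_len >= 1)` would make that explicit, for example `/* No sec= given: start with AUTH_SYS; the rootfh probe selects the final flavour */`. Which flavour the probe settles on depends on `nfs4_do_find_root_sec()`, which is not shown here, so presumably a deployment that requires a specific flavour still has to pass `sec=` explicitly; that is worth stating in the commit description. The bodies of `nfs4_init_server()` and `nfs4_create_server()` extend beyond the hunks shown.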
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -9,7 +9,7 @@
 | 
			
		|||
 | 
			
		||||
#define NFSDBG_FACILITY		NFSDBG_CLIENT
 | 
			
		||||
 | 
			
		||||
int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh)
 | 
			
		||||
int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh, bool auth_probe)
 | 
			
		||||
{
 | 
			
		||||
	struct nfs_fsinfo fsinfo;
 | 
			
		||||
	int ret = -ENOMEM;
 | 
			
		||||
| 
						 | 
				
			
			@ -21,7 +21,7 @@ int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh)
 | 
			
		|||
		goto out;
 | 
			
		||||
 | 
			
		||||
	/* Start by getting the root filehandle from the server */
 | 
			
		||||
	ret = nfs4_proc_get_rootfh(server, mntfh, &fsinfo);
 | 
			
		||||
	ret = nfs4_proc_get_rootfh(server, mntfh, &fsinfo, auth_probe);
 | 
			
		||||
	if (ret < 0) {
 | 
			
		||||
		dprintk("nfs4_get_rootfh: getroot error = %d\n", -ret);
 | 
			
		||||
		goto out;
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -2884,18 +2884,27 @@ static int nfs4_do_find_root_sec(struct nfs_server *server,
 | 
			
		|||
 * @server: initialized nfs_server handle
 | 
			
		||||
 * @fhandle: we fill in the pseudo-fs root file handle
 | 
			
		||||
 * @info: we fill in an FSINFO struct
 | 
			
		||||
 * @auth_probe: probe the auth flavours
 | 
			
		||||
 *
 | 
			
		||||
 * Returns zero on success, or a negative errno.
 | 
			
		||||
 */
 | 
			
		||||
int nfs4_proc_get_rootfh(struct nfs_server *server, struct nfs_fh *fhandle,
 | 
			
		||||
			 struct nfs_fsinfo *info)
 | 
			
		||||
			 struct nfs_fsinfo *info,
 | 
			
		||||
			 bool auth_probe)
 | 
			
		||||
{
 | 
			
		||||
	int status;
 | 
			
		||||
 | 
			
		||||
	status = nfs4_lookup_root(server, fhandle, info);
 | 
			
		||||
	if ((status == -NFS4ERR_WRONGSEC) &&
 | 
			
		||||
	    !(server->flags & NFS_MOUNT_SECFLAVOUR))
 | 
			
		||||
	switch (auth_probe) {
 | 
			
		||||
	case false:
 | 
			
		||||
		status = nfs4_lookup_root(server, fhandle, info);
 | 
			
		||||
		if (status != -NFS4ERR_WRONGSEC)
 | 
			
		||||
			break;
 | 
			
		||||
		/* Did user force a 'sec=' mount option? */
 | 
			
		||||
		if (server->flags & NFS_MOUNT_SECFLAVOUR)
 | 
			
		||||
			break;
 | 
			
		||||
	default:
 | 
			
		||||
		status = nfs4_do_find_root_sec(server, fhandle, info);
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	if (status == 0)
 | 
			
		||||
		status = nfs4_server_capabilities(server, fhandle);
 | 
			
		||||
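Review bot: The `case false:` arm of the new `switch (auth_probe)` runs into `default:` with no marker, so the one path that is meant to fall through (WRONGSEC returned and no `sec=` option set) reads like a forgotten `break`. Add `/* Fall through: WRONGSEC without sec=, so probe */` before `default:`, or express it as `if (!auth_probe) { ... }` followed by the probe call, since a `switch` on a `bool` with a `default` arm is harder to follow than the two-way test it replaces. The kernel-doc line `@auth_probe: probe the auth flavours` could also say that a true value skips the initial `nfs4_lookup_root()` and calls `nfs4_do_find_root_sec()` directly. The function body continues past the end of this hunk.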
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -253,10 +253,6 @@ struct dentry *nfs4_try_mount(int flags, const char *dev_name,
 | 
			
		|||
 | 
			
		||||
	dfprintk(MOUNT, "--> nfs4_try_mount()\n");
 | 
			
		||||
 | 
			
		||||
	if (data->auth_flavor_len < 1) {
 | 
			
		||||
		data->auth_flavors[0] = RPC_AUTH_UNIX;
 | 
			
		||||
		data->auth_flavor_len = 1;
 | 
			
		||||
	}
 | 
			
		||||
	export_path = data->nfs_server.export_path;
 | 
			
		||||
	data->nfs_server.export_path = "/";
 | 
			
		||||
	root_mnt = nfs_do_root_mount(&nfs4_remote_fs_type, flags, mount_info,
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||