Re: [PATCH 6/7] nfsd: restrict filehandles accepted in V4ROOT case

On 12/01/2009 07:39 PM, J. Bruce Fields wrote:
> From: Steve Dickson <SteveD@xxxxxxxxxx>
> 
> On V4ROOT exports, only accept filehandles that are the *root* of some
> export.  This allows mountd to allow or deny access to individual paths
> and symlinks on the pseudofilesystem.
> 
> Note that the checks in readdir and lookup are not enough, since a
> malicious host with access to the network could guess filehandles that
> they weren't able to obtain through lookup or readdir.
> 
> Signed-Off-By: Steve Dickson <steved@xxxxxxxxxx>
> Signed-off-by: J. Bruce Fields <bfields@xxxxxxxxxxxxxx>
> ---
>  fs/nfsd/nfsd.h  |    4 ++++
>  fs/nfsd/nfsfh.c |   35 +++++++++++++++++++++++++++++++++++
>  fs/nfsd/vfs.c   |    7 +------
>  3 files changed, 40 insertions(+), 6 deletions(-)
>  create mode 100644 fs/nfsd/nfsd.h
> 
> diff --git a/fs/nfsd/nfsd.h b/fs/nfsd/nfsd.h
> new file mode 100644
> index 0000000..7a1ad80
> --- /dev/null
> +++ b/fs/nfsd/nfsd.h
> @@ -0,0 +1,4 @@
> +static inline int nfsd_v4client(struct svc_rqst *rq)
> +{
> +	return rq->rq_prog == NFS_PROGRAM && rq->rq_vers == 4;
> +}
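
Review bot: the new fs/nfsd/nfsd.h has no include guard and includes nothing itself, so nfsd_v4client() compiles only where the including file has already pulled in the definitions of struct svc_rqst and NFS_PROGRAM. Add an #ifndef/#define guard and the #includes the helper depends on, so the header can be included from any file and more than once. Since the helper is a predicate, a bool return type would describe it better than int.
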
> diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
> index a77efb8..9b902c0 100644
> --- a/fs/nfsd/nfsfh.c
> +++ b/fs/nfsd/nfsfh.c
> @@ -22,6 +22,7 @@
>  #include <linux/sunrpc/svc.h>
>  #include <linux/sunrpc/svcauth_gss.h>
>  #include <linux/nfsd/nfsd.h>
> +#include "nfsd.h"
>  #include "vfs.h"
>  #include "auth.h"
>  
> @@ -110,6 +111,36 @@ static __be32 nfsd_setuser_and_check_port(struct svc_rqst *rqstp,
>  	return nfserrno(nfsd_setuser(rqstp, exp));
>  }
>  
> +static inline __be32 check_pseudo_root(struct svc_rqst *rqstp,
> +	struct dentry *dentry, struct svc_export *exp)
> +{
> +	if (!(exp->ex_flags & NFSEXP_V4ROOT))
> +		return nfs_ok;
> +	/*
> +	 * v2/v3 clients have no need for the V4ROOT export--they use
> +	 * the mount protocl instead; also, further V4ROOT checks may be
> +	 * in v4-specific code, in which case v2/v3 clients could bypass
> +	 * them.
> +	 */
> +	if (!nfsd_v4client(rqstp))
> +		return nfserr_stale;
> +	/*
> +	 * We're exposing only the directories and symlinks that have to be
> +	 * traversed on the way to real exports:
> +	 */
> +	if (unlikely(!S_ISDIR(dentry->d_inode->i_mode) &&
> +		     !S_ISLNK(dentry->d_inode->i_mode)))
> +		return nfserr_stale;
> +	/*
> +	 * A pseudoroot export gives permission to access only one
> +	 * single directory; the kernel has to make another upcall
> +	 * before granting access to anything else under it:
> +	 */
> +	if (unlikely(dentry->d_parent != exp->ex_path.dentry))
Remember this is wrong... it needs to be 
-	if (unlikely(dentry->d_parent != exp->ex_path.dentry))
+	if (unlikely(dentry != exp->ex_path.dentry))
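
Review bot: in check_pseudo_root(), the quoted test "dentry->d_parent != exp->ex_path.dentry" compares the parent of the handle's dentry with the export root, so it accepts the entries directly under the export root rather than the root itself. That contradicts the commit message ("only accept filehandles that are the *root* of some export") and the comment directly above the test ("access to only one single directory"). The replacement "dentry != exp->ex_path.dentry" matches both and should be folded into the next version of the patch. The first comment in the function also misspells "protocol" as "protocl".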

steved.