On 10/22/2015 04:58 PM, Frank Sorenson wrote:
>
> If a netgroup entry specifies an IP address, and that IP address
> can be resolved to a name, the current match code in mountd only
> tests whether the canonical name and any aliases are in the
> netgroup, and does not test whether the IP address is in the netgroup.
>
> (IP addresses which do not resolve to a name are already checked
> for membership in the netgroup.)
>
>
> The following demonstrates this issue:
>
> /etc/netgroup:
> test_netgroup (127.0.0.1,-,-)
>
> /etc/exports:
> /data @test_netgroup(rw,sync)
>
> # mkdir /data
> # mkdir -p /mnt/test
> # exportfs -a
> # mount localhost:/data /mnt/test
>
> Assuming that there is a localhost entry in /etc/hosts, this will fail:
> mount.nfs: access denied by server while mounting localhost:/data
>
>
> The patch below adds the code to test for the IP addresses in
> the netgroup, and the mount now succeeds.
>
>
>
> Author: Frank Sorenson <sorenson@xxxxxxxxxx>
> Date:   Thu Oct 22 15:38:17 2015 -0500
>
>     mountd: fix netgroup lookup for resolvable IP addresses
>
>     If a netgroup entry specifies an IP address, and that
>     IP address can be resolved to a name, mountd will
>     currently only test whether the canonical name and
>     any aliases are in the netgroup, and does not test
>     whether the IP address is in the netgroup (IP
>     addresses which do not resolve to a name are
>     already checked against the netgroup).
>
>     This patch adds the check to see whether the IP
>     addresses are in the netgroup.
>
>
> Signed-off-by: Frank Sorenson <sorenson@xxxxxxxxxx>

Committed... steved.

>
> diff --git a/support/export/client.c b/support/export/client.c
> index 95156f0..f6c58f2 100644
> --- a/support/export/client.c
> +++ b/support/export/client.c
> @@ -686,6 +686,21 @@ check_netgroup(const nfs_client *clp, const struct addrinfo *ai)
> }
> }
>
> + /* check whether the IP itself is in the netgroup */
> + for (tmp = ai ; tmp != NULL ; tmp = tmp->ai_next) {
> + free(hname);
> + hname = calloc(INET6_ADDRSTRLEN, 1);
> +
> + if (inet_ntop(tmp->ai_family, &(((struct sockaddr_in *)tmp->ai_addr)->sin_addr), hname, INET6_ADDRSTRLEN) != hname) {
> + xlog(D_GENERAL, " %s: unable to inet_ntop addrinfo %p: %m", __func__, tmp, errno);
> + goto out;
> + }
> + if (innetgr(netgroup, hname, NULL, NULL)) {
> + match = 1;
> + goto out;
> + }
> + }
> +
> /* Okay, strip off the domain (if we have one) */
> dot = strchr(hname, '.');
> if (dot == NULL)
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
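Review bot: in the new loop, the address is always read through a `struct sockaddr_in` cast (`&(((struct sockaddr_in *)tmp->ai_addr)->sin_addr)`) even though `tmp->ai_family` is what gets passed to inet_ntop, so an AF_INET6 entry is formatted from the wrong bytes (sin6_addr does not sit at the offset of sin_addr); switch on `tmp->ai_family` and take `sin6_addr` from a `struct sockaddr_in6` for AF_INET6. The loop also reuses `hname` for the address text, so when no address matches, the unchanged `dot = strchr(hname, '.')` that follows now strips the "domain" from whatever IP string was formatted last (for example "127.0.0.1" becomes "127") instead of from the canonical hostname, and a single inet_ntop failure aborts the whole check with `goto out` rather than moving on to the next entry. Suggest a separate buffer for the address text, a NULL check on the `calloc` result, and `continue` instead of `goto out` on a formatting failure; `%m` consumes no argument, so the trailing `errno` passed to xlog is unused and can be dropped.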
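An added example, not nfs-utils code, of the membership check the patch is aiming for: canonical name first, then every address in the addrinfo list formatted according to its own family, then the canonical name with its domain stripped, with the address text kept in its own buffer so the last step still sees the hostname. The netgroup table, the host names and the addresses are constructed for the example; the `table_member` matcher is a hypothetical stand-in for innetgr(3), which the `system_member` wrapper shows for real use.

```c
#define _GNU_SOURCE            /* innetgr() and getaddrinfo() prototypes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Membership test: nonzero if host is in netgroup. Injected so the example
 * runs against a constructed table here and innetgr() on a real system. */
typedef int (*ng_member_fn)(const char *netgroup, const char *host);

/* Format one addrinfo entry as text using the address field of its family.
 * Casting every entry to struct sockaddr_in would read the wrong bytes for
 * AF_INET6 (sin6_addr is not at sin_addr's offset). Returns 0 or -1. */
int addrinfo_to_string(const struct addrinfo *ai, char *buf, size_t len)
{
    const void *src;

    switch (ai->ai_family) {
    case AF_INET:
        src = &((const struct sockaddr_in *)ai->ai_addr)->sin_addr;
        break;
    case AF_INET6:
        src = &((const struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
        break;
    default:
        return -1;
    }
    return inet_ntop(ai->ai_family, src, buf, (socklen_t)len) == buf ? 0 : -1;
}

/* Canonical name, then each address as text, then the domain-stripped
 * canonical name. Hostent aliases are left out to stay resolver-free.
 * Returns 1 on match, 0 otherwise. */
int check_netgroup_member(const char *netgroup, const char *canonname,
                          const struct addrinfo *ai, ng_member_fn member)
{
    char addr[INET6_ADDRSTRLEN], shortname[256];
    const struct addrinfo *tmp;
    const char *dot;
    size_t n;

    if (canonname != NULL && member(netgroup, canonname))
        return 1;
    for (tmp = ai; tmp != NULL; tmp = tmp->ai_next) {
        if (addrinfo_to_string(tmp, addr, sizeof addr) != 0)
            continue;              /* unsupported family: try the next one */
        if (member(netgroup, addr))
            return 1;
    }
    if (canonname == NULL || (dot = strchr(canonname, '.')) == NULL)
        return 0;
    n = (size_t)(dot - canonname);
    if (n == 0 || n >= sizeof shortname)
        return 0;
    memcpy(shortname, canonname, n);
    shortname[n] = '\0';
    return member(netgroup, shortname) ? 1 : 0;
}

/* Constructed stand-in for /etc/netgroup (hypothetical entries). */
static const struct { const char *ng; const char *host; } ng_table[] = {
    { "test_netgroup", "127.0.0.1" },
    { "test_netgroup", "::1" },
    { "test_netgroup", "nfsclient" },
};

int table_member(const char *netgroup, const char *host)
{
    size_t i;

    for (i = 0; i < sizeof ng_table / sizeof ng_table[0]; i++)
        if (strcmp(ng_table[i].ng, netgroup) == 0 &&
            strcmp(ng_table[i].host, host) == 0)
            return 1;
    return 0;
}

/* Matcher over the system netgroup database, for real use. */
int system_member(const char *netgroup, const char *host)
{
    return innetgr(netgroup, host, NULL, NULL);
}

/* Scenario helper: 1 = text address matches test_netgroup given canonname,
 * 0 = no match, -1 = text is not a literal address (no DNS is consulted). */
int literal_matches(const char *text, const char *canonname)
{
    struct addrinfo hints, *ai = NULL;
    int r;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(text, NULL, &hints, &ai) != 0)
        return -1;
    r = check_netgroup_member("test_netgroup", canonname, ai, table_member);
    freeaddrinfo(ai);
    return r;
}

int main(void)
{
    printf("::1 as localhost -> %d\n", literal_matches("::1", "localhost"));
    printf("192.0.2.10 as nfsclient.example.com -> %d\n",
           literal_matches("192.0.2.10", "nfsclient.example.com"));
    return 0;
}
```

The "::1" case is the one that exercises the family switch: it matches only because the IPv6 entry is formatted from `sin6_addr`, and "192.0.2.10" with a fully qualified canonical name matches only through the domain-stripped step, which still receives the hostname because the address text never overwrote it.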