Re: mountd does not check for membership of IP addresses in netgroups if the IP is resolvable

On 10/22/2015 04:58 PM, Frank Sorenson wrote:
> 
> If a netgroup entry specifies an IP address, and that IP address
> can be resolved to a name, the current match code in mountd only
> tests whether the canonical name and any aliases are in the
> netgroup, and does not test whether the IP address is in the netgroup.
> 
> (IP addresses which do not resolve to a name are already checked
> for membership in the netgroup)
> 
> 
> The following demonstrates this issue:
> 
> /etc/netgroup:
> test_netgroup	(127.0.0.1,-,-)
> 
> /etc/exports:
> /data		@test_netgroup(rw,sync)
> 
> # mkdir /data
> # mkdir -p /mnt/test
> # exportfs -a
> # mount localhost:/data /mnt/test
> 
> assuming that there is a localhost entry in /etc/hosts, this will fail:
> mount.nfs: access denied by server while mounting localhost:/data
> 
> 
> The patch below adds the code to test for the IP addresses in
> the netgroup, and the mount now succeeds.
> 
> 
> 
> Author: Frank Sorenson <sorenson@xxxxxxxxxx>
> Date:   Thu Oct 22 15:38:17 2015 -0500
> 
>     mountd: fix netgroup lookup for resolvable IP addresses
>     
>     If a netgroup entry specifies an IP address, and that
>     IP address can be resolved to a name, mountd will
>     currently only test whether the canonical name and
>     any aliases are in the netgroup, and does not test
>     whether the IP address is in the netgroup (IP
>     addresses which do not resolve to a name are
>     already checked against the netgroup).
>     
>     This patch adds the check to see whether the IP
>     addresses are in the netgroup.
>     
>     
>     Signed-off-by: Frank Sorenson <sorenson@xxxxxxxxxx>
Committed... 

steved.

> 
> diff --git a/support/export/client.c b/support/export/client.c
> index 95156f0..f6c58f2 100644
> --- a/support/export/client.c
> +++ b/support/export/client.c
> @@ -686,6 +686,21 @@ check_netgroup(const nfs_client *clp, const struct addrinfo *ai)
>  		}
>  	}
>  
> +	/* check whether the IP itself is in the netgroup */
> +	for (tmp = ai ; tmp != NULL ; tmp = tmp->ai_next) {
> +		free(hname);
> +		hname = calloc(INET6_ADDRSTRLEN, 1);
> +
> +		if (inet_ntop(tmp->ai_family, &(((struct sockaddr_in *)tmp->ai_addr)->sin_addr), hname, INET6_ADDRSTRLEN) != hname) {
> +			xlog(D_GENERAL, "  %s: unable to inet_ntop addrinfo %p: %m", __func__, tmp, errno);
> +			goto out;
> +		}
> +		if (innetgr(netgroup, hname, NULL, NULL)) {
> +			match = 1;
> +			goto out;
> +		}
> +	}
> +
>  	/* Okay, strip off the domain (if we have one) */
>  	dot = strchr(hname, '.');
>  	if (dot == NULL)
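Review bot: the new loop reads every address through `struct sockaddr_in`, so AF_INET6 entries are converted from the wrong bytes: `inet_ntop(tmp->ai_family, &(((struct sockaddr_in *)tmp->ai_addr)->sin_addr), hname, INET6_ADDRSTRLEN)` passes a family that may be AF_INET6 while taking the source pointer from `sin_addr`, which sits at a different offset than `sin6_addr` inside a `sockaddr_in6`; the resulting string is not the client's address and can never match the netgroup, so an IPv6 client listed by address is still refused. Dispatch on `tmp->ai_family` and use `&((struct sockaddr_in6 *)tmp->ai_addr)->sin6_addr` for AF_INET6. A second point in the same hunk: `hname` is freed and reallocated on every iteration, so when no address matches, the unchanged code that follows (`/* Okay, strip off the domain (if we have one) */` and `dot = strchr(hname, '.');`) now operates on the last address string rather than on the resolved hostname it was written for; convert into a separate buffer, or leave `hname` intact for the fall-through path. Minor: `%m` in the xlog format already expands to strerror(errno), so the trailing `errno` argument is never consumed, and the `calloc` result is passed to inet_ntop without a NULL check.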
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 