> On Mar 8, 2018, at 4:26 PM, J. Bruce Fields <bfields@xxxxxxxxxxxx> wrote:
>
> On Thu, Mar 08, 2018 at 03:24:23PM -0500, bfields wrote:
>> Looks like knfsd's not helpful here, though: the export option
>> ("secure"/"insecure") defaults to "secure", which always requires a low
>> port. It should be easy to modify "secure" to mean "require low ports
>> only for auth_sys/auth_null", and that's probably the right thing to do.
>
> Disclaimer: totally untested.
>
> --b.
>
> commit ddc2a5f5ce98
> Author: J. Bruce Fields <bfields@xxxxxxxxxx>
> Date: Thu Mar 8 15:49:48 2018 -0500
>
> nfsd: don't require low ports for gss requests
>
> In a traditional NFS deployment using auth_unix, the clients are trusted
> to correctly report the credentials of their logged-in users. The
> server assumes that only root on client machines is allowed to send
> requests from low-numbered ports, so it can use the originating port
> number to distinguish "real" NFS clients from NFS clients run by
> ordinary users, to prevent ordinary users from spoofing credentials.
>
> The originating port number on a gss-authenticated request is less
> important. The authentication ties the request to a user, and we take
> it as proof that that user authorized the request. The low port number
> check no longer adds much.
>
> So, don't enforce low port numbers in the auth_gss case.
>
> Signed-off-by: J. Bruce Fields <bfields@xxxxxxxxxx>
Looks plausible to me, and I like the approach.
Reviewed-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
> diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
> index 8aa011820c4a..764e6cae6533 100644
> --- a/fs/nfsd/nfsfh.c
> +++ b/fs/nfsd/nfsfh.c
> @@ -87,13 +87,23 @@ nfsd_mode_check(struct svc_rqst *rqstp, struct dentry *dentry,
> return nfserr_inval;
> }
>
> +static bool nfsd_originating_port_ok(struct svc_rqst *rqstp, int flags)
> +{
> + if (flags & NFSEXP_INSECURE_PORT)
> + return true;
> + /* We don't require gss requests to use low ports: */
> + if (rqstp->rq_cred.cr_flavor >= RPC_AUTH_GSS)
> + return true;
> + return test_bit(RQ_SECURE, &rqstp->rq_flags);
> +}
> +
> static __be32 nfsd_setuser_and_check_port(struct svc_rqst *rqstp,
> struct svc_export *exp)
> {
> int flags = nfsexp_flags(rqstp, exp);
>
> /* Check if the request originated from a secure port. */
> - if (!test_bit(RQ_SECURE, &rqstp->rq_flags) && !(flags & NFSEXP_INSECURE_PORT)) {
> + if (!nfsd_originating_port_ok(rqstp, flags)) {
> RPC_IFDEBUG(char buf[RPC_MAX_ADDRBUFLEN]);
> dprintk("nfsd: request from insecure port %s!\n",
> svc_print_addr(rqstp, buf, sizeof(buf)));
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Libtirpc-devel mailing list
> Libtirpc-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/libtirpc-devel
--
Chuck Lever
chucklever@xxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
