diff mbox

NFSv3: match sec= flavor against server list

Message ID 1367874733-4746-1-git-send-email-dros@netapp.com (mailing list archive)
State New, archived
Headers show

Commit Message

Weston Andros Adamson May 6, 2013, 9:12 p.m. UTC
Older linux clients match the 'sec=' mount option flavor against the server's
flavor list (if available) and return EPERM if the specified flavor or AUTH_NULL
(which "matches" any flavor) is not found.

Recent changes skip this step and allow the vfs mount even though no operations
will succeed, creating a 'dud' mount.

This patch reverts back to the old behavior of matching specified flavors
against the server list and also returns EPERM when no sec= is specified and
none of the flavors returned by the server are supported by the client.

Example of behavior change:

the server's /etc/exports:

/export/krb5      *(sec=krb5,rw,no_root_squash)

old client behavior:

$ uname -a
Linux one.apikia.fake 3.8.8-202.fc18.x86_64 #1 SMP Wed Apr 17 23:25:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
$ sudo mount -v -o sec=sys,vers=3 zero:/export/krb5 /mnt
mount.nfs: timeout set for Sun May  5 17:32:04 2013
mount.nfs: trying text-based options 'sec=sys,vers=3,addr=192.168.100.10'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 192.168.100.10 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 192.168.100.10 prog 100005 vers 3 prot UDP port 20048
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting zero:/export/krb5

recently changed behavior:

$ uname -a
Linux one.apikia.fake 3.9.0-testing+ #2 SMP Fri May 3 20:29:32 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux
$ sudo mount -v -o sec=sys,vers=3 zero:/export/krb5 /mnt
mount.nfs: timeout set for Sun May  5 17:37:17 2013
mount.nfs: trying text-based options 'sec=sys,vers=3,addr=192.168.100.10'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 192.168.100.10 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 192.168.100.10 prog 100005 vers 3 prot UDP port 20048
$ ls /mnt
ls: cannot open directory /mnt: Permission denied
$ sudo ls /mnt
ls: cannot open directory /mnt: Permission denied
$ sudo df /mnt
df: ‘/mnt’: Permission denied
df: no file systems processed
$ sudo umount /mnt
$

Signed-off-by: Weston Andros Adamson <dros@netapp.com>
---

V4 - better readability, better comments

 fs/nfs/super.c | 48 +++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 41 insertions(+), 7 deletions(-)

Comments

Trond Myklebust May 6, 2013, 9:25 p.m. UTC | #1
T24gTW9uLCAyMDEzLTA1LTA2IGF0IDE3OjEyIC0wNDAwLCBXZXN0b24gQW5kcm9zIEFkYW1zb24g
d3JvdGU6DQo+IE9sZGVyIGxpbnV4IGNsaWVudHMgbWF0Y2ggdGhlICdzZWM9JyBtb3VudCBvcHRp
b24gZmxhdm9yIGFnYWluc3QgdGhlIHNlcnZlcidzDQo+IGZsYXZvciBsaXN0IChpZiBhdmFpbGFi
bGUpIGFuZCByZXR1cm4gRVBFUk0gaWYgdGhlIHNwZWNpZmllZCBmbGF2b3Igb3IgQVVUSF9OVUxM
DQo+ICh3aGljaCAibWF0Y2hlcyIgYW55IGZsYXZvcikgaXMgbm90IGZvdW5kLg0KPiANCj4gUmVj
ZW50IGNoYW5nZXMgc2tpcCB0aGlzIHN0ZXAgYW5kIGFsbG93IHRoZSB2ZnMgbW91bnQgZXZlbiB0
aG91Z2ggbm8gb3BlcmF0aW9ucw0KPiB3aWxsIHN1Y2NlZWQsIGNyZWF0aW5nIGEgJ2R1ZCcgbW91
bnQuDQo+IA0KPiBUaGlzIHBhdGNoIHJldmVydHMgYmFjayB0byB0aGUgb2xkIGJlaGF2aW9yIG9m
IG1hdGNoaW5nIHNwZWNpZmllZCBmbGF2b3JzDQo+IGFnYWluc3QgdGhlIHNlcnZlciBsaXN0IGFu
ZCBhbHNvIHJldHVybnMgRVBFUk0gd2hlbiBubyBzZWM9IGlzIHNwZWNpZmllZCBhbmQNCj4gbm9u
ZSBvZiB0aGUgZmxhdm9ycyByZXR1cm5lZCBieSB0aGUgc2VydmVyIGFyZSBzdXBwb3J0ZWQgYnkg
dGhlIGNsaWVudC4NCj4gDQo+IEV4YW1wbGUgb2YgYmVoYXZpb3IgY2hhbmdlOg0KPiANCj4gdGhl
IHNlcnZlcidzIC9ldGMvZXhwb3J0czoNCj4gDQo+IC9leHBvcnQva3JiNSAgICAgICooc2VjPWty
YjUscncsbm9fcm9vdF9zcXVhc2gpDQo+IA0KPiBvbGQgY2xpZW50IGJlaGF2aW9yOg0KPiANCj4g
JCB1bmFtZSAtYQ0KPiBMaW51eCBvbmUuYXBpa2lhLmZha2UgMy44LjgtMjAyLmZjMTgueDg2XzY0
ICMxIFNNUCBXZWQgQXByIDE3IDIzOjI1OjE3IFVUQyAyMDEzIHg4Nl82NCB4ODZfNjQgeDg2XzY0
IEdOVS9MaW51eA0KPiAkIHN1ZG8gbW91bnQgLXYgLW8gc2VjPXN5cyx2ZXJzPTMgemVybzovZXhw
b3J0L2tyYjUgL21udA0KPiBtb3VudC5uZnM6IHRpbWVvdXQgc2V0IGZvciBTdW4gTWF5ICA1IDE3
OjMyOjA0IDIwMTMNCj4gbW91bnQubmZzOiB0cnlpbmcgdGV4dC1iYXNlZCBvcHRpb25zICdzZWM9
c3lzLHZlcnM9MyxhZGRyPTE5Mi4xNjguMTAwLjEwJw0KPiBtb3VudC5uZnM6IHByb2cgMTAwMDAz
LCB0cnlpbmcgdmVycz0zLCBwcm90PTYNCj4gbW91bnQubmZzOiB0cnlpbmcgMTkyLjE2OC4xMDAu
MTAgcHJvZyAxMDAwMDMgdmVycyAzIHByb3QgVENQIHBvcnQgMjA0OQ0KPiBtb3VudC5uZnM6IHBy
b2cgMTAwMDA1LCB0cnlpbmcgdmVycz0zLCBwcm90PTE3DQo+IG1vdW50Lm5mczogdHJ5aW5nIDE5
Mi4xNjguMTAwLjEwIHByb2cgMTAwMDA1IHZlcnMgMyBwcm90IFVEUCBwb3J0IDIwMDQ4DQo+IG1v
dW50Lm5mczogbW91bnQoMik6IFBlcm1pc3Npb24gZGVuaWVkDQo+IG1vdW50Lm5mczogYWNjZXNz
IGRlbmllZCBieSBzZXJ2ZXIgd2hpbGUgbW91bnRpbmcgemVybzovZXhwb3J0L2tyYjUNCj4gDQo+
IHJlY2VudGx5IGNoYW5nZWQgYmVoYXZpb3I6DQo+IA0KPiAkIHVuYW1lIC1hDQo+IExpbnV4IG9u
ZS5hcGlraWEuZmFrZSAzLjkuMC10ZXN0aW5nKyAjMiBTTVAgRnJpIE1heSAzIDIwOjI5OjMyIEVE
VCAyMDEzIHg4Nl82NCB4ODZfNjQgeDg2XzY0IEdOVS9MaW51eA0KPiAkIHN1ZG8gbW91bnQgLXYg
LW8gc2VjPXN5cyx2ZXJzPTMgemVybzovZXhwb3J0L2tyYjUgL21udA0KPiBtb3VudC5uZnM6IHRp
bWVvdXQgc2V0IGZvciBTdW4gTWF5ICA1IDE3OjM3OjE3IDIwMTMNCj4gbW91bnQubmZzOiB0cnlp
bmcgdGV4dC1iYXNlZCBvcHRpb25zICdzZWM9c3lzLHZlcnM9MyxhZGRyPTE5Mi4xNjguMTAwLjEw
Jw0KPiBtb3VudC5uZnM6IHByb2cgMTAwMDAzLCB0cnlpbmcgdmVycz0zLCBwcm90PTYNCj4gbW91
bnQubmZzOiB0cnlpbmcgMTkyLjE2OC4xMDAuMTAgcHJvZyAxMDAwMDMgdmVycyAzIHByb3QgVENQ
IHBvcnQgMjA0OQ0KPiBtb3VudC5uZnM6IHByb2cgMTAwMDA1LCB0cnlpbmcgdmVycz0zLCBwcm90
PTE3DQo+IG1vdW50Lm5mczogdHJ5aW5nIDE5Mi4xNjguMTAwLjEwIHByb2cgMTAwMDA1IHZlcnMg
MyBwcm90IFVEUCBwb3J0IDIwMDQ4DQo+ICQgbHMgL21udA0KPiBsczogY2Fubm90IG9wZW4gZGly
ZWN0b3J5IC9tbnQ6IFBlcm1pc3Npb24gZGVuaWVkDQo+ICQgc3VkbyBscyAvbW50DQo+IGxzOiBj
YW5ub3Qgb3BlbiBkaXJlY3RvcnkgL21udDogUGVybWlzc2lvbiBkZW5pZWQNCj4gJCBzdWRvIGRm
IC9tbnQNCj4gZGY6IOKAmC9tbnTigJk6IFBlcm1pc3Npb24gZGVuaWVkDQo+IGRmOiBubyBmaWxl
IHN5c3RlbXMgcHJvY2Vzc2VkDQo+ICQgc3VkbyB1bW91bnQgL21udA0KPiAkDQo+IA0KPiBTaWdu
ZWQtb2ZmLWJ5OiBXZXN0b24gQW5kcm9zIEFkYW1zb24gPGRyb3NAbmV0YXBwLmNvbT4NCj4gLS0t
DQo+IA0KPiBWNCAtIGJldHRlciByZWFkYWJpbGl0eSwgYmV0dGVyIGNvbW1lbnRzDQo+IA0KPiAg
ZnMvbmZzL3N1cGVyLmMgfCA0OCArKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysr
KysrKy0tLS0tLS0NCj4gIDEgZmlsZSBjaGFuZ2VkLCA0MSBpbnNlcnRpb25zKCspLCA3IGRlbGV0
aW9ucygtKQ0KPiANCj4gZGlmZiAtLWdpdCBhL2ZzL25mcy9zdXBlci5jIGIvZnMvbmZzL3N1cGVy
LmMNCj4gaW5kZXggZWI0OTRmNi4uNTNjMjY1NyAxMDA2NDQNCj4gLS0tIGEvZnMvbmZzL3N1cGVy
LmMNCj4gKysrIGIvZnMvbmZzL3N1cGVyLmMNCj4gQEAgLTE2MTAsMTYgKzE2MTAsMTUgQEAgb3V0
X3NlY3VyaXR5X2ZhaWx1cmU6DQo+ICAvKg0KPiAgICogU2VsZWN0IGEgc2VjdXJpdHkgZmxhdm9y
IGZvciB0aGlzIG1vdW50LiAgVGhlIHNlbGVjdGVkIGZsYXZvcg0KPiAgICogaXMgcGxhbnRlZCBp
biBhcmdzLT5hdXRoX2ZsYXZvcnNbMF0uDQo+ICsgKg0KPiArICogUmV0dXJucyAwIG9uIHN1Y2Nl
c3MsIC1FQUNDRVMgb24gZmFpbHVyZS4NCj4gICAqLw0KPiAtc3RhdGljIHZvaWQgbmZzX3NlbGVj
dF9mbGF2b3Ioc3RydWN0IG5mc19wYXJzZWRfbW91bnRfZGF0YSAqYXJncywNCj4gK3N0YXRpYyBp
bnQgbmZzX3NlbGVjdF9mbGF2b3Ioc3RydWN0IG5mc19wYXJzZWRfbW91bnRfZGF0YSAqYXJncywN
Cj4gIAkJCSAgICAgIHN0cnVjdCBuZnNfbW91bnRfcmVxdWVzdCAqcmVxdWVzdCkNCj4gIHsNCj4g
IAl1bnNpZ25lZCBpbnQgaSwgY291bnQgPSAqKHJlcXVlc3QtPmF1dGhfZmxhdl9sZW4pOw0KPiAg
CXJwY19hdXRoZmxhdm9yX3QgZmxhdm9yOw0KPiAgDQo+IC0JaWYgKGFyZ3MtPmF1dGhfZmxhdm9y
c1swXSAhPSBSUENfQVVUSF9NQVhGTEFWT1IpDQo+IC0JCWdvdG8gb3V0Ow0KPiAtDQo+ICAJLyoN
Cj4gIAkgKiBUaGUgTkZTdjIgTU5UIG9wZXJhdGlvbiBkb2VzIG5vdCByZXR1cm4gYSBmbGF2b3Ig
bGlzdC4NCj4gIAkgKi8NCj4gQEAgLTE2MzQsNiArMTYzMywyNSBAQCBzdGF0aWMgdm9pZCBuZnNf
c2VsZWN0X2ZsYXZvcihzdHJ1Y3QgbmZzX3BhcnNlZF9tb3VudF9kYXRhICphcmdzLA0KPiAgCQln
b3RvIG91dF9kZWZhdWx0Ow0KPiAgDQo+ICAJLyoNCj4gKwkgKiBJZiB0aGUgc2VjPSBtb3VudCBv
cHRpb24gaXMgdXNlZCwgdGhlIHNwZWNpZmllZCBmbGF2b3Igb3IgQVVUSF9OVUxMDQo+ICsJICog
bXVzdCBiZSBpbiB0aGUgbGlzdCByZXR1cm5lZCBieSB0aGUgc2VydmVyLg0KPiArCSAqDQo+ICsJ
ICogQVVUSF9OVUxMIGhhcyBhIHNwZWNpYWwgbWVhbmluZyB3aGVuIGl0J3MgaW4gdGhlIHNlcnZl
ciBsaXN0IC0gaXQNCj4gKwkgKiBtZWFucyB0aGF0IHRoZSBzZXJ2ZXIgd2lsbCBpZ25vcmUgdGhl
IHJwYyBjcmVkcywgc28gYW55IGZsYXZvcg0KPiArCSAqIGNhbiBiZSB1c2VkLg0KPiArCSAqLw0K
PiArCWlmIChhcmdzLT5hdXRoX2ZsYXZvcnNbMF0gIT0gUlBDX0FVVEhfTUFYRkxBVk9SKSB7DQo+
ICsJCWZvciAoaSA9IDA7IGkgPCBjb3VudDsgaSsrKSB7DQo+ICsJCQlpZiAoYXJncy0+YXV0aF9m
bGF2b3JzWzBdID09IHJlcXVlc3QtPmF1dGhfZmxhdnNbaV0gfHwNCj4gKwkJCSAgICByZXF1ZXN0
LT5hdXRoX2ZsYXZzW2ldID09IFJQQ19BVVRIX05VTEwpDQo+ICsJCQkJZ290byBvdXQ7DQo+ICsJ
CX0NCj4gKwkJZGZwcmludGsoTU9VTlQsICJORlM6IGF1dGggZmxhdm9yICVkIG5vdCBzdXBwb3J0
ZWQgYnkgc2VydmVyXG4iLA0KPiArCQkJYXJncy0+YXV0aF9mbGF2b3JzWzBdKTsNCj4gKwkJZ290
byBvdXRfZXJyOw0KPiArCX0NCj4gKw0KPiArCS8qDQo+ICAJICogUkZDIDI2MjMsIHNlY3Rpb24g
Mi43IHN1Z2dlc3RzIHdlIFNIT1VMRCBwcmVmZXIgdGhlDQo+ICAJICogZmxhdm9yIGxpc3RlZCBm
aXJzdC4gIEhvd2V2ZXIsIHNvbWUgc2VydmVycyBsaXN0DQo+ICAJICogQVVUSF9OVUxMIGZpcnN0
LiAgQXZvaWQgZXZlciBjaG9vc2luZyBBVVRIX05VTEwuDQo+IEBAIC0xNjUzLDEyICsxNjcxLDI5
IEBAIHN0YXRpYyB2b2lkIG5mc19zZWxlY3RfZmxhdm9yKHN0cnVjdCBuZnNfcGFyc2VkX21vdW50
X2RhdGEgKmFyZ3MsDQo+ICAJCX0NCj4gIAl9DQo+ICANCj4gKwkvKg0KPiArCSAqIEFzIGEgbGFz
dCBjaGFuY2UsIHNlZSBpZiB0aGUgc2VydmVyIGxpc3QgY29udGFpbnMgQVVUSF9OVUxMIC0NCj4g
KwkgKiBpZiBpdCBkb2VzLCB1c2UgdGhlIGRlZmF1bHQgZmxhdm9yLg0KPiArCSAqLw0KPiArCWZv
ciAoaSA9IDA7IGkgPCBjb3VudDsgaSsrKSB7DQo+ICsJCWlmIChyZXF1ZXN0LT5hdXRoX2ZsYXZz
W2ldID09IFJQQ19BVVRIX05VTEwpDQo+ICsJCQlnb3RvIG91dF9kZWZhdWx0Ow0KPiArCX0NCj4g
Kw0KPiArCWRmcHJpbnRrKE1PVU5ULCAiTkZTOiBubyBhdXRoIGZsYXZvcnMgaW4gY29tbW9uIHdp
dGggc2VydmVyXG4iKTsNCj4gKwlnb3RvIG91dF9lcnI7DQo+ICsNCj4gIG91dF9kZWZhdWx0Og0K
PiAtCWZsYXZvciA9IFJQQ19BVVRIX1VOSVg7DQo+ICsJLyogdXNlIGRlZmF1bHQgaWYgZmxhdm9y
IG5vdCBhbHJlYWR5IHNldCAqLw0KPiArCWZsYXZvciA9IChhcmdzLT5hdXRoX2ZsYXZvcnNbMF0g
PT0gUlBDX0FVVEhfTUFYRkxBVk9SKSA/DQo+ICsJCVJQQ19BVVRIX1VOSVggOiBhcmdzLT5hdXRo
X2ZsYXZvcnNbMF07DQo+ICBvdXRfc2V0Og0KPiAgCWFyZ3MtPmF1dGhfZmxhdm9yc1swXSA9IGZs
YXZvcjsNCj4gIG91dDoNCj4gIAlkZnByaW50ayhNT1VOVCwgIk5GUzogdXNpbmcgYXV0aCBmbGF2
b3IgJWRcbiIsIGFyZ3MtPmF1dGhfZmxhdm9yc1swXSk7DQo+ICsJcmV0dXJuIDA7DQo+ICtvdXRf
ZXJyOg0KPiArCXJldHVybiAtRUFDQ0VTOw0KPiAgfQ0KPiAgDQo+ICAvKg0KPiBAQCAtMTcyMSw4
ICsxNzU2LDcgQEAgc3RhdGljIGludCBuZnNfcmVxdWVzdF9tb3VudChzdHJ1Y3QgbmZzX3BhcnNl
ZF9tb3VudF9kYXRhICphcmdzLA0KPiAgCQlyZXR1cm4gc3RhdHVzOw0KPiAgCX0NCj4gIA0KPiAt
CW5mc19zZWxlY3RfZmxhdm9yKGFyZ3MsICZyZXF1ZXN0KTsNCj4gLQlyZXR1cm4gMDsNCj4gKwly
ZXR1cm4gbmZzX3NlbGVjdF9mbGF2b3IoYXJncywgJnJlcXVlc3QpOw0KPiAgfQ0KPiAgDQo+ICBz
dHJ1Y3QgZGVudHJ5ICpuZnNfdHJ5X21vdW50KGludCBmbGFncywgY29uc3QgY2hhciAqZGV2X25h
bWUsDQoNClRoYW5rcyEgQXBwbGllZC4uLg0KLS0gDQpUcm9uZCBNeWtsZWJ1c3QNCkxpbnV4IE5G
UyBjbGllbnQgbWFpbnRhaW5lcg0KDQpOZXRBcHANClRyb25kLk15a2xlYnVzdEBuZXRhcHAuY29t
DQp3d3cubmV0YXBwLmNvbQ0K
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index eb494f6..53c2657 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1610,16 +1610,15 @@  out_security_failure:
 /*
  * Select a security flavor for this mount.  The selected flavor
  * is planted in args->auth_flavors[0].
+ *
+ * Returns 0 on success, -EACCES on failure.
  */
-static void nfs_select_flavor(struct nfs_parsed_mount_data *args,
+static int nfs_select_flavor(struct nfs_parsed_mount_data *args,
 			      struct nfs_mount_request *request)
 {
 	unsigned int i, count = *(request->auth_flav_len);
 	rpc_authflavor_t flavor;
 
-	if (args->auth_flavors[0] != RPC_AUTH_MAXFLAVOR)
-		goto out;
-
 	/*
 	 * The NFSv2 MNT operation does not return a flavor list.
 	 */
@@ -1634,6 +1633,25 @@  static void nfs_select_flavor(struct nfs_parsed_mount_data *args,
 		goto out_default;
 
 	/*
+	 * If the sec= mount option is used, the specified flavor or AUTH_NULL
+	 * must be in the list returned by the server.
+	 *
+	 * AUTH_NULL has a special meaning when it's in the server list - it
+	 * means that the server will ignore the rpc creds, so any flavor
+	 * can be used.
+	 */
+	if (args->auth_flavors[0] != RPC_AUTH_MAXFLAVOR) {
+		for (i = 0; i < count; i++) {
+			if (args->auth_flavors[0] == request->auth_flavs[i] ||
+			    request->auth_flavs[i] == RPC_AUTH_NULL)
+				goto out;
+		}
+		dfprintk(MOUNT, "NFS: auth flavor %d not supported by server\n",
+			args->auth_flavors[0]);
+		goto out_err;
+	}
+
+	/*
 	 * RFC 2623, section 2.7 suggests we SHOULD prefer the
 	 * flavor listed first.  However, some servers list
 	 * AUTH_NULL first.  Avoid ever choosing AUTH_NULL.
@@ -1653,12 +1671,29 @@  static void nfs_select_flavor(struct nfs_parsed_mount_data *args,
 		}
 	}
 
+	/*
+	 * As a last chance, see if the server list contains AUTH_NULL -
+	 * if it does, use the default flavor.
+	 */
+	for (i = 0; i < count; i++) {
+		if (request->auth_flavs[i] == RPC_AUTH_NULL)
+			goto out_default;
+	}
+
+	dfprintk(MOUNT, "NFS: no auth flavors in common with server\n");
+	goto out_err;
+
 out_default:
-	flavor = RPC_AUTH_UNIX;
+	/* use default if flavor not already set */
+	flavor = (args->auth_flavors[0] == RPC_AUTH_MAXFLAVOR) ?
+		RPC_AUTH_UNIX : args->auth_flavors[0];
 out_set:
 	args->auth_flavors[0] = flavor;
 out:
 	dfprintk(MOUNT, "NFS: using auth flavor %d\n", args->auth_flavors[0]);
+	return 0;
+out_err:
+	return -EACCES;
 }
 
 /*
@@ -1721,8 +1756,7 @@  static int nfs_request_mount(struct nfs_parsed_mount_data *args,
 		return status;
 	}
 
-	nfs_select_flavor(args, &request);
-	return 0;
+	return nfs_select_flavor(args, &request);
 }
 
 struct dentry *nfs_try_mount(int flags, const char *dev_name,