
[2/2] mountd: always root squash on the pseudofs

Message ID 1606949804-31417-2-git-send-email-bfields@fieldses.org (mailing list archive)
State New, archived
Series [1/2] mountd: allow high ports on all pseudofs exports

Commit Message

J. Bruce Fields Dec. 2, 2020, 10:56 p.m. UTC
From: "J. Bruce Fields" <bfields@redhat.com>

As with security flavors and "secure" ports, we tried to code this so
that pseudofs directories would inherit root squashing from their
children, but it doesn't really work as coded and I'm not sure it's
useful.

Just root squash always.  If it turns out somebody's exporting
directories that are only readable by root, I guess we can try to do
something else here, but frankly that sounds like a pretty weird
configuration.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
---
 utils/mountd/v4root.c | 2 --
 1 file changed, 2 deletions(-)

Comments

Trond Myklebust Dec. 3, 2020, 12:54 a.m. UTC | #1
On Wed, 2020-12-02 at 17:56 -0500, J. Bruce Fields wrote:
> From: "J. Bruce Fields" <bfields@redhat.com>
> 
> As with security flavors and "secure" ports, we tried to code this so
> that pseudofs directories would inherit root squashing from their
> children, but it doesn't really work as coded and I'm not sure it's
> useful.
> 
> Just root squash always.  If it turns out somebody's exporting
> directories that are only readable by root, I guess we can try to do
> something else here, but frankly that sounds like a pretty weird
> configuration.
> 
> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> ---
>  utils/mountd/v4root.c | 2 --
>  1 file changed, 2 deletions(-)
> 
> diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
> index 2ac4e87898c0..36543401f296 100644
> --- a/utils/mountd/v4root.c
> +++ b/utils/mountd/v4root.c
> @@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo, int
> flags)
>         struct flav_info *flav;
>         int i;
>  
> -       if ((flags & NFSEXP_ROOTSQUASH) == 0)
> -               pseudo->e_flags &= ~NFSEXP_ROOTSQUASH;
>         for (flav = flav_map; flav < flav_map + flav_map_size;
> flav++) {
>                 struct sec_entry *new;
>  

Hmm... What is the harm in allowing root to be unsquashed here? Isn't
this really all about respecting lookup permissions, or could a user
actually modify something in the pseudofs? If the latter, then that
sounds like a bug (the pseudofs should always be read-only).

The consequence of not being able to look up a directory in the
pseudofs is that the NFSv4 client will be completely unable to mount
that subtree, so squashing root could make a major difference.

Bruce Fields Dec. 3, 2020, 1:05 a.m. UTC | #2
On Thu, Dec 03, 2020 at 12:54:53AM +0000, Trond Myklebust wrote:
> On Wed, 2020-12-02 at 17:56 -0500, J. Bruce Fields wrote:
> > From: "J. Bruce Fields" <bfields@redhat.com>
> > 
> > As with security flavors and "secure" ports, we tried to code this so
> > that pseudofs directories would inherit root squashing from their
> > children, but it doesn't really work as coded and I'm not sure it's
> > useful.
> > 
> > Just root squash always.  If it turns out somebody's exporting
> > directories that are only readable by root, I guess we can try to do
> > something else here, but frankly that sounds like a pretty weird
> > configuration.
> > 
> > Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> > ---
> >  utils/mountd/v4root.c | 2 --
> >  1 file changed, 2 deletions(-)
> > 
> > diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
> > index 2ac4e87898c0..36543401f296 100644
> > --- a/utils/mountd/v4root.c
> > +++ b/utils/mountd/v4root.c
> > @@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo, int
> > flags)
> >         struct flav_info *flav;
> >         int i;
> >  
> > -       if ((flags & NFSEXP_ROOTSQUASH) == 0)
> > -               pseudo->e_flags &= ~NFSEXP_ROOTSQUASH;
> >         for (flav = flav_map; flav < flav_map + flav_map_size;
> > flav++) {
> >                 struct sec_entry *new;
> >  
> 
> Hmm... What is the harm in allowing root to be unsquashed here? Isn't
> this really all about respecting lookup permissions, or could a user
> actually modify something in the pseudofs? If the latter, then that
> sounds like a bug (the pseudofs should always be read-only).

Yeah, it should only be read-only.

> The consequence of not being able to look up a directory in the
> pseudofs is that the NFSv4 client will be completely unable to mount
> that subtree, so squashing root could make a major difference.

Fair enough, I'll resend.

--b.
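
The concern raised in this thread, that a squashed root cannot look up pseudofs directories that only root may traverse, can be checked on a server ahead of time. The following is an added example, not part of the thread or of nfs-utils: a Python audit that walks the directories above an export and reports those without search permission for "other". The function names and the `top` parameter are hypothetical, and it assumes the squashed user matches neither the owner nor the group of the directory; ACLs are ignored.

```python
import os
import stat


def pseudofs_ancestors(export_path, top="/"):
    """Directories from `top` down to the export's parent, i.e. the path
    components a client has to look up before it reaches the export."""
    path = os.path.realpath(export_path)
    top = os.path.realpath(top)
    if path == top:
        return []  # the export is the top itself: nothing above it
    if os.path.commonpath([path, top]) != top:
        raise ValueError(f"{path} is not below {top}")
    dirs = []
    cur = os.path.dirname(path)
    while True:
        dirs.append(cur)
        if cur == top:
            break
        cur = os.path.dirname(cur)
    return dirs[::-1]


def blocked_for_squashed_root(export_path, top="/"):
    """Ancestors that lack search (x) permission for 'other'.

    Assumption: the squashed client root is mapped to an anonymous uid/gid
    that neither owns the directory nor belongs to its group, so only the
    'other' permission bits apply. ACLs are not consulted."""
    return [d for d in pseudofs_ancestors(export_path, top)
            if not os.stat(d).st_mode & stat.S_IXOTH]


if __name__ == "__main__":
    import tempfile

    # Constructed sample tree: <top>/srv/private/data, 'private' is root-only style.
    top = os.path.realpath(tempfile.mkdtemp())
    os.chmod(top, 0o755)
    data = os.path.join(top, "srv", "private", "data")
    os.makedirs(data)
    os.chmod(os.path.join(top, "srv"), 0o755)
    os.chmod(os.path.join(top, "srv", "private"), 0o700)
    for d in blocked_for_squashed_root(data, top):
        print("not traversable when root is squashed:", d)
```
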

Patch

diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
index 2ac4e87898c0..36543401f296 100644
--- a/utils/mountd/v4root.c
+++ b/utils/mountd/v4root.c
@@ -60,8 +60,6 @@  set_pseudofs_security(struct exportent *pseudo, int flags)
 	struct flav_info *flav;
 	int i;
 
-	if ((flags & NFSEXP_ROOTSQUASH) == 0)
-		pseudo->e_flags &= ~NFSEXP_ROOTSQUASH;
 	for (flav = flav_map; flav < flav_map + flav_map_size; flav++) {
 		struct sec_entry *new;
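
Review bot: the two lines deleted at the top of set_pseudofs_security() were the only place in this hunk where a child export's missing NFSEXP_ROOTSQUASH was propagated to the pseudo export, and nothing is left behind to say that the pseudofs is now root squashed unconditionally. Since the commit message itself concedes that exports under directories readable only by root will be affected, a short comment at this spot, plus a word on why the inheritance "doesn't really work as coded", would let a later reader tell an intentional policy from an omission. If `flags` has no other use in the rest of the function, which is not visible here, the parameter should be dropped as well.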