summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChuck Lever <chuck.lever@oracle.com>2013-03-23 08:25:39 -0400
committerSteve Dickson <steved@redhat.com>2013-03-25 10:09:11 -0400
commit11ba3b1e01b67b7d19f26fba94fabdb60878e809 (patch)
treed8936b293ec99858aee1248a22ee0ee4e45ae0bb
parentfb6e382f9eae38883cfed151fe5e80c021c8b961 (diff)
downloadnfs-utils-11ba3b1e01b67b7d19f26fba94fabdb60878e809.zip
nfs-utils-11ba3b1e01b67b7d19f26fba94fabdb60878e809.tar.gz
nfs-utils-11ba3b1e01b67b7d19f26fba94fabdb60878e809.tar.xz
Add a default flavor to an export's e_secinfo list
The list of security flavors that mountd allows for the NFSv4 pseudo-fs is constructed from the union of flavors of all current exports. exports(5) documents that the default security flavor for an export, if "sec=" is not specified, is "sys". Suppose /etc/exports contains: /a *(rw) /b *(rw,sec=krb5:krb5i:krb5p) The resulting security flavor list for the pseudo-fs is missing "sec=sys". /proc/net/rpc/nfsd.export/content contains: /a *(rw,root_squash,sync,wdelay,no_subtree_check, uuid=095c95bc:08e4407a:91ab8601:05fe0bbf) /b *(rw,root_squash,sync,wdelay,no_subtree_check, uuid=2a6fe811:0cf044a7:8fc75ebe:65180068, sec=390003:390004:390005) / *(ro,root_squash,sync,no_wdelay,v4root,fsid=0, uuid=2a6fe811:0cf044a7:8fc75ebe:65180068, sec=390003:390004:390005) The root entry is not correct, as there does exist an export whose unspecified default security flavor is "sys". The security settings on the root cause sec=sys mount attempts to be incorrectly rejected. The reason is that when the line in /etc/exports for "/a" is parsed, the e_secinfo list for that exportent is left empty. Thus the union of e_secinfo lists created by set_pseudofs_security() is "krb5:krb5i:krb5p". I fixed this by ensuring that if no "sec=" option is specified for an export, its e_secinfo list gets at least an entry for AUTH_UNIX. [ Yes, we could make the security flavors allowed for the pseudo-fs a fixed list of all flavors the server supports. That becomes complicated by the special meaning of AUTH_NULL, and we still have to check /etc/exports for whether Kerberos flavors should be listed. I opted for a simple approach for now. ] Acked-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Steve Dickson <steved@redhat.com>
-rw-r--r--support/nfs/exports.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/support/nfs/exports.c b/support/nfs/exports.c
index 84a2b08..6c08a2b 100644
--- a/support/nfs/exports.c
+++ b/support/nfs/exports.c
@@ -643,6 +643,8 @@ bad_option:
cp++;
}
+ if (ep->e_secinfo[0].flav == NULL)
+ secinfo_addflavor(find_flavor("sys"), ep);
fix_pseudoflavor_flags(ep);
ep->e_squids = squids;
ep->e_sqgids = sqgids;