diff options
| author | Chuck Lever <chuck.lever@oracle.com> | 2013-03-23 08:25:39 -0400 |
|---|---|---|
| committer | Steve Dickson <steved@redhat.com> | 2013-03-25 10:09:11 -0400 |
| commit | 11ba3b1e01b67b7d19f26fba94fabdb60878e809 (patch) | |
| tree | d8936b293ec99858aee1248a22ee0ee4e45ae0bb | |
| parent | fb6e382f9eae38883cfed151fe5e80c021c8b961 (diff) | |
| download | nfs-utils-11ba3b1e01b67b7d19f26fba94fabdb60878e809.tar.gz nfs-utils-11ba3b1e01b67b7d19f26fba94fabdb60878e809.tar.xz nfs-utils-11ba3b1e01b67b7d19f26fba94fabdb60878e809.zip | |
Add a default flavor to an export's e_secinfo list
The list of security flavors that mountd allows for the NFSv4
pseudo-fs is constructed from the union of flavors of all current
exports.
exports(5) documents that the default security flavor for an
export, if "sec=" is not specified, is "sys". Suppose
/etc/exports contains:
/a *(rw)
/b *(rw,sec=krb5:krb5i:krb5p)
The resulting security flavor list for the pseudo-fs is missing
"sec=sys". /proc/net/rpc/nfsd.export/content contains:
/a *(rw,root_squash,sync,wdelay,no_subtree_check,
uuid=095c95bc:08e4407a:91ab8601:05fe0bbf)
/b *(rw,root_squash,sync,wdelay,no_subtree_check,
uuid=2a6fe811:0cf044a7:8fc75ebe:65180068,
sec=390003:390004:390005)
/ *(ro,root_squash,sync,no_wdelay,v4root,fsid=0,
uuid=2a6fe811:0cf044a7:8fc75ebe:65180068,
sec=390003:390004:390005)
The root entry is not correct, as there does exist an export whose
unspecified default security flavor is "sys". The security settings
on the root cause sec=sys mount attempts to be incorrectly rejected.
The reason is that when the line in /etc/exports for "/a" is parsed,
the e_secinfo list for that exportent is left empty. Thus the union
of e_secinfo lists created by set_pseudofs_security() is
"krb5:krb5i:krb5p".
I fixed this by ensuring that if no "sec=" option is specified for
an export, its e_secinfo list gets at least an entry for AUTH_UNIX.
[ Yes, we could make the security flavors allowed for the pseudo-fs
a fixed list of all flavors the server supports. That becomes
complicated by the special meaning of AUTH_NULL, and we still have
to check /etc/exports for whether Kerberos flavors should be listed.
I opted for a simple approach for now. ]
Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| -rw-r--r-- | support/nfs/exports.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/support/nfs/exports.c b/support/nfs/exports.c index 84a2b08..6c08a2b 100644 --- a/support/nfs/exports.c +++ b/support/nfs/exports.c @@ -643,6 +643,8 @@ bad_option: cp++; } + if (ep->e_secinfo[0].flav == NULL) + secinfo_addflavor(find_flavor("sys"), ep); fix_pseudoflavor_flags(ep); ep->e_squids = squids; ep->e_sqgids = sqgids; |