1. 15 Dec, 2009 3 commits
    • J. Bruce Fields's avatar
      nfsd4: don't continue "under" mounts in V4ROOT case · 3b6cee7b
      J. Bruce Fields authored
      If /A/mount/point/ has filesystem "B" mounted on top of it, and if "A"
      is exported, but not "B", then the nfs server has always returned to the
      client a filehandle for the mountpoint, instead of for the root of "B",
      allowing the client to see the subtree of "A" that would otherwise be
      hidden by B.
      
      Disable this behavior in the case of V4ROOT exports; we implement the
      path restrictions of V4ROOT exports by treating *every* directory as if
      it were a mountpoint, and allowing traversal *only* if the new directory
      is exported.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      3b6cee7b
    • Steve Dickson's avatar
      nfsd: introduce export flag for v4 pseudoroot · eb4c86c6
      Steve Dickson authored
      NFSv4 differs from v2 and v3 in that it presents a single unified
      filesystem tree, whereas v2 and v3 exported multiple filesystem (whose
      roots could be found using a separate mount protocol).
      
      Our original NFSv4 server implementation asked the administrator to
      designate a single filesystem as the NFSv4 root, then to mount
      filesystems they wished to export underneath.  (Often using bind mounts
      of already-existing filesystems.)
      
      This was conceptually simple, and allowed easy implementation, but
      created a serious obstacle to upgrading between v2/v3: since the paths
      to v4 filesystems were different, administrators would have to adjust
      all the paths in client-side mount commands when switching to v4.
      
      Various workarounds are possible.  For example, the administrator could
      export "/" and designate it as the v4 root.  However, the security risks
      of that approach are obvious, and in any case we shouldn't be requiring
      the administrator to take extra steps to fix this problem; instead, the
      server should present consistent paths across different versions by
      default.
      
      These patches take a modified version of that approach: we provide a new
      export option which exports only a subset of a filesystem.  With this
      flag, it becomes safe for mountd to export "/" by default, with no need
      for additional configuration.
      
      We begin just by defining the new flag.
      Signed-off-by: default avatarSteve Dickson <steved@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      eb4c86c6
    • J. Bruce Fields's avatar
      nfsd: let "insecure" flag vary by pseudoflavor · 12045a6e
      J. Bruce Fields authored
      This was an oversight; it should be among the export flags that can be
      allowed to vary by pseudoflavor.  This allows an administrator to (for
      example) allow auth_sys mounts only from low ports, but allow auth_krb5
      mounts to use any port.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      12045a6e
  2. 14 Dec, 2009 14 commits
  3. 25 Nov, 2009 1 commit
    • J. Bruce Fields's avatar
      nfsd: simplify fh_verify access checks · 864f0f61
      J. Bruce Fields authored
      All nfsd security depends on the security checks in fh_verify, and
      especially on nfsd_setuser().
      
      It therefore bothers me that the nfsd_setuser call may be made from
      three different places, depending on whether the filehandle has already
      been mapped to a dentry, and on whether subtreechecking is in force.
      
      Instead, make an unconditional call in fh_verify(), so it's trivial to
      verify that the call always occurs.
      
      That leaves us with a redundant nfsd_setuser() call in the subtreecheck
      case--it needs the correct user set earlier in order to check execute
      permissions on the path to this filehandle--but I'm willing to accept
      that minor inefficiency in the subtreecheck case in return for more
      straightforward permission checking.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      864f0f61
  4. 23 Nov, 2009 2 commits
  5. 19 Nov, 2009 9 commits
  6. 18 Nov, 2009 11 commits