Commit 11ba3b1e01b67b7d19f26fba94fabdb60878e809 (Add a default flavor
to an export's e_secinfo list) breaks the ordering of security flavours
in the secinfo list, by reordering 'sec=sys' to always be the first
secinfo flavour if one fails to set a default 'sec' setting.

An export of the form:

/export -sync,no_subtree_check,mp \
        192.168.1.0/24(sec=krb5p:krb5i:krb5,rw,sec=sys,ro)

ends up getting translated by exportfs into the following entry in
/var/lib/nfs/etab:

/export 192.168.1.0/24(ro,sync,wdelay,hide,nocrossmnt,\
        secure,root_squash,no_all_squash,\
        no_subtree_check,secure_locks,acl,\
        mountpoint,anonuid=65534,anongid=65534,\
        sec=sys,ro,root_squash,no_all_squash,\
        sec=krb5p:krb5i:krb5,rw,root_squash,no_all_squash)

Note how the 'sec=sys' is now listed first...

The fix is to defer adding the default flavour until the call to
secinfo_show, when we can see if it is even needed at all.
With the patch, the above export is now correctly entered in
/var/lib/nfs/etab as:

/export 192.168.1.0/24(ro,sync,wdelay,hide,nocrossmnt,\
        secure,root_squash,no_all_squash,\
        no_subtree_check,secure_locks,acl,\
        mountpoint,anonuid=65534,anongid=65534,\
        sec=krb5p:krb5i:krb5,rw,root_squash,no_all_squash,\
        sec=sys,ro,root_squash,no_all_squash)

Signed-off-by: Trond Myklebust <[email protected]>
Cc: Chuck Lever <[email protected]>
---
support/nfs/exports.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/support/nfs/exports.c b/support/nfs/exports.c
index dea040f..3e99de6 100644
--- a/support/nfs/exports.c
+++ b/support/nfs/exports.c
@@ -63,6 +63,7 @@ static int parsesquash(char *list, int **idp, int *lenp, char **ep);
static int parsenum(char **cpp);
static void freesquash(void);
static void syntaxerr(char *msg);
+static struct flav_info *find_flavor(char *name);
void
setexportent(char *fname, char *type)
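Review bot: The new forward declaration `static struct flav_info *find_flavor(char *name);` takes a non-const `char *`, while the caller this patch adds passes the string literal "sys". Since the prototype is being introduced here anyway, consider `const char *name` in both the declaration and the definition, so the signature states that the flavour name is not modified.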
@@ -201,6 +202,8 @@ void secinfo_show(FILE *fp, struct exportent *ep)
struct sec_entry *p1, *p2;
int flags;
+ if (ep->e_secinfo[0].flav == NULL)
+ secinfo_addflavor(find_flavor("sys"), ep);
for (p1=ep->e_secinfo; p1->flav; p1=p2) {
fprintf(fp, ",sec=%s", p1->flav->flavour);
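Review bot: secinfo_show() now modifies the export it is asked to print: the added `secinfo_addflavor(find_flavor("sys"), ep);` at the top of the function changes ep->e_secinfo as a side effect of writing to fp. That is unexpected for a function named "show", and any code that reads e_secinfo without going through secinfo_show() first will see an empty list. Suggest a comment above the check explaining why the default has to be applied this late, or writing the default `sec=sys` group to fp without altering ep.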
@@ -643,8 +646,6 @@ bad_option:
cp++;
}
- if (ep->e_secinfo[0].flav == NULL)
- secinfo_addflavor(find_flavor("sys"), ep);
fix_pseudoflavor_flags(ep);
ep->e_squids = squids;
ep->e_sqgids = sqgids;
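Review bot: With the default removed from this spot, `fix_pseudoflavor_flags(ep);` on the next line now runs while ep->e_secinfo may still be empty, where it previously always saw at least the "sys" entry. Please confirm that fix_pseudoflavor_flags() behaves correctly on an empty list and say so in the commit message, since the position of the default relative to this call is exactly what the patch changes.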
--
1.8.3.1
On Sep 8, 2013, at 12:58 PM, Trond Myklebust <[email protected]> wrote:
> Commit 11ba3b1e01b67b7d19f26fba94fabdb60878e809 (Add a default flavor
> to an export's e_secinfo list) breaks the ordering of security flavours
> in the secinfo list, by reordering 'sec=sys' to always be the first
> secinfo flavour if one fails to set a default 'sec' setting.
Setting a default security flavor should occur only if no sec= option is specified. In the below case, clearly there is a sec= setting. Why was the default security flavor logic triggered anyway?
> An export of the form:
>
> /export -sync,no_subtree_check,mp \
> 192.168.1.0/24(sec=krb5p:krb5i:krb5,rw,sec=sys,ro)
>
> ends up getting translated by exportfs into the following entry in
> /var/lib/nfs/etab:
>
> /export 192.168.1.0/24(ro,sync,wdelay,hide,nocrossmnt,\
> secure,root_squash,no_all_squash,\
> no_subtree_check,secure_locks,acl,\
> mountpoint,anonuid=65534,anongid=65534,\
> sec=sys,ro,root_squash,no_all_squash,\
> sec=krb5p:krb5i:krb5,rw,root_squash,no_all_squash)
>
> Note how the 'sec=sys' is now listed first...
> The fix is to defer adding the default flavour until the call to
> secinfo_show, when we can see if it is even needed at all.
> With the patch, the above export is now correctly entered in
> /var/lib/nfs/etab as:
>
> /export 192.168.1.0/24(ro,sync,wdelay,hide,nocrossmnt,\
> secure,root_squash,no_all_squash,\
> no_subtree_check,secure_locks,acl,\
> mountpoint,anonuid=65534,anongid=65534,\
> sec=krb5p:krb5i:krb5,rw,root_squash,no_all_squash,\
> sec=sys,ro,root_squash,no_all_squash)
>
> Signed-off-by: Trond Myklebust <[email protected]>
> Cc: Chuck Lever <[email protected]>
The key is whether the derived pseudo-root security flavor setting is still correct after your fix. Did you confirm the test case in 11ba3b1's description is still addressed?
> ---
> support/nfs/exports.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/support/nfs/exports.c b/support/nfs/exports.c
> index dea040f..3e99de6 100644
> --- a/support/nfs/exports.c
> +++ b/support/nfs/exports.c
> @@ -63,6 +63,7 @@ static int parsesquash(char *list, int **idp, int *lenp, char **ep);
> static int parsenum(char **cpp);
> static void freesquash(void);
> static void syntaxerr(char *msg);
> +static struct flav_info *find_flavor(char *name);
>
> void
> setexportent(char *fname, char *type)
> @@ -201,6 +202,8 @@ void secinfo_show(FILE *fp, struct exportent *ep)
> struct sec_entry *p1, *p2;
> int flags;
>
> + if (ep->e_secinfo[0].flav == NULL)
> + secinfo_addflavor(find_flavor("sys"), ep);
> for (p1=ep->e_secinfo; p1->flav; p1=p2) {
>
> fprintf(fp, ",sec=%s", p1->flav->flavour);
> @@ -643,8 +646,6 @@ bad_option:
> cp++;
> }
>
> - if (ep->e_secinfo[0].flav == NULL)
> - secinfo_addflavor(find_flavor("sys"), ep);
> fix_pseudoflavor_flags(ep);
> ep->e_squids = squids;
> ep->e_sqgids = sqgids;
> --
> 1.8.3.1
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
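
An added example, not part of the thread or of nfs-utils: a small parser that reads an etab entry and reports the order of its sec= groups with their per-flavour flags, which is what the commit message compares before and after the patch. The two sample entries are the ones quoted in the commit message with the backslash continuations joined; the function names are made up for this illustration.

```python
import re

# Entries copied from the commit message (continuations joined), not from a live host.
COMMON = ("ro,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,"
          "no_subtree_check,secure_locks,acl,mountpoint,"
          "anonuid=65534,anongid=65534,")
BEFORE = ("/export 192.168.1.0/24(" + COMMON +
          "sec=sys,ro,root_squash,no_all_squash,"
          "sec=krb5p:krb5i:krb5,rw,root_squash,no_all_squash)")
AFTER = ("/export 192.168.1.0/24(" + COMMON +
         "sec=krb5p:krb5i:krb5,rw,root_squash,no_all_squash,"
         "sec=sys,ro,root_squash,no_all_squash)")

# path, whitespace, client, then the parenthesised option list
ENTRY = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)\s*$")


def sec_groups(line):
    """Return [(flavours, flags), ...] in the order the entry lists them."""
    m = ENTRY.match(line)
    if not m:
        raise ValueError("not an etab entry: %r" % line)
    groups = []
    for opt in m.group(3).split(","):
        if opt.startswith("sec="):
            groups.append((opt[4:].split(":"), []))
        elif groups:
            # options after a sec= belong to that flavour group
            groups[-1][1].append(opt)
    return groups


def sys_before_krb5(line):
    """True when 'sys' is listed ahead of every Kerberos flavour."""
    order = [f for flavours, _ in sec_groups(line) for f in flavours]
    krb = [i for i, f in enumerate(order) if f.startswith("krb5")]
    return "sys" in order and bool(krb) and order.index("sys") < min(krb)


if __name__ == "__main__":
    for name, entry in (("before patch", BEFORE), ("after patch", AFTER)):
        print(name, sec_groups(entry), "sys first:", sys_before_krb5(entry))
```
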