From: bfields@fieldses.org
To: Steve Dickson
Cc: linux-nfs@vger.kernel.org, Trond Myklebust, "J. Bruce Fields"
Subject: [PATCH 1/2] mountd: allow high ports on all pseudofs exports
Date: Wed, 2 Dec 2020 20:14:56 -0500
Message-Id: <1606958097-9041-1-git-send-email-bfields@fieldses.org>
X-Mailer: git-send-email 1.8.3.1
In-Reply-To: <20201203010546.GB348347@pick.fieldses.org>
References: <20201203010546.GB348347@pick.fieldses.org>
Precedence: bulk
List-ID:
X-Mailing-List: linux-nfs@vger.kernel.org

From: "J. Bruce Fields"

We originally tried to grant permissions on the v4 pseudoroot filesystem that were the absolute minimum required for a client to reach a given export. This turns out to be complicated, and we've never gotten it quite right. Also, the tradition from the MNT protocol was to allow anyone to browse the list of exports.

So, do as we already did with security flavors and just allow clients from high ports to access the whole pseudofilesystem.

Signed-off-by: J. Bruce Fields

--- utils/mountd/v4root.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c index a9ea167a07e0..39dd87a94e59 100644 --- a/utils/mountd/v4root.c +++ b/utils/mountd/v4root.c @@ -36,7 +36,7 @@ static nfs_export pseudo_root = { .e_path = "/", .e_flags = NFSEXP_READONLY | NFSEXP_ROOTSQUASH | NFSEXP_NOSUBTREECHECK | NFSEXP_FSID - | NFSEXP_V4ROOT, + | NFSEXP_V4ROOT | NFSEXP_INSECURE_PORT, .e_anonuid = 65534, .e_anongid = 65534, .e_squids = NULL, @@ -55,13 +55,11 @@ static nfs_export pseudo_root = { }; static void -set_pseudofs_security(struct exportent *pseudo, int flags) +set_pseudofs_security(struct exportent *pseudo) { struct flav_info *flav; int i; - if (flags & NFSEXP_INSECURE_PORT) - pseudo->e_flags |= NFSEXP_INSECURE_PORT; if ((flags & NFSEXP_ROOTSQUASH) == 0) pseudo->e_flags &= ~NFSEXP_ROOTSQUASH; for (flav = flav_map; flav < flav_map + flav_map_size; flav++) { 
@@ -70,8 +68,7 @@ set_pseudofs_security(struct exportent *pseudo, int flags) i = secinfo_addflavor(flav, pseudo); new = &pseudo->e_secinfo[i]; - if (flags & NFSEXP_INSECURE_PORT) - new->flags |= NFSEXP_INSECURE_PORT; + new->flags |= NFSEXP_INSECURE_PORT; } } @@ -90,7 +87,7 @@ v4root_create(char *path, nfs_export *export) strncpy(eep.e_path, path, sizeof(eep.e_path)-1); if (strcmp(path, "/") != 0) eep.e_flags &= ~NFSEXP_FSID; - set_pseudofs_security(&eep, curexp->e_flags); + set_pseudofs_security(&eep); exp = export_create(&eep, 0); if (exp == NULL) return NULL; @@ -138,7 +135,7 @@ pseudofs_update(char *hostname, char *path, nfs_export *source) return 0; } /* Update an existing V4ROOT export: */ - set_pseudofs_security(&exp->m_export, source->m_export.e_flags); + set_pseudofs_security(&exp->m_export); return 0; } -- 2.28.0
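
Review bot: in the set_pseudofs_security() hunk (@@ -55,13 +55,11 @@), the `int flags` parameter is dropped from the signature, but the unchanged context line `if ((flags & NFSEXP_ROOTSQUASH) == 0)` directly below still reads `flags`. As posted, this patch leaves an undeclared identifier and will not build unless 2/2 is applied on top, which breaks bisection. Either keep the parameter in this patch and drop it together with the root-squash check, or move the removal of that check into this patch.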
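
Review bot: in the @@ -70,8 +68,7 @@ hunk, `new->flags |= NFSEXP_INSECURE_PORT;` is now applied to every flavor entry no matter how the real exports are configured, so a server whose exports all require privileged source ports will still answer pseudofs lookups from high ports. That is the stated intent, but it is an administrator-visible change to what the `secure` export option covers, and nothing in the patch documents it. Please add a sentence to exports(5) and a short comment above set_pseudofs_security() (or next to the new flag in the `pseudo_root` initializer) saying that the pseudofs always permits high ports and why.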
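
Review bot: in the v4root_create() hunk (@@ -90,7 +87,7 @@), the replaced call `set_pseudofs_security(&eep, curexp->e_flags);` was a use of `curexp`. If that was the only use in the function, the variable is now dead and should be removed in the same patch to avoid an unused-variable warning. The same question applies to `source` in the pseudofs_update() hunk (@@ -138,7 +135,7 @@): with the flags argument gone, the "Update an existing V4ROOT export" branch no longer depends on the source export, so it is worth stating in the commit message whether that call is still needed at all.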