diff options
| author | Chuck Lever <chuck.lever@oracle.com> | 2013-03-16 15:56:20 -0400 |
|---|---|---|
| committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2013-03-29 15:45:22 -0400 |
| commit | 4edaa308888b4bd629fa025cc6d5b2bf1a2a51db (patch) | |
| tree | 0b98de1389a22bea9f12f698f848b7cb63424f1c | |
| parent | c4eafe1135809c2b35b873a395af8f3a86a3ee98 (diff) | |
NFS: Use "krb5i" to establish NFSv4 state whenever possible
Currently our client uses AUTH_UNIX for state management on Kerberos
NFS mounts in some cases. For example, if the first mount of a
server specifies "sec=sys," the SETCLIENTID operation is performed
with AUTH_UNIX. Subsequent mounts using stronger security flavors
can not change the flavor used for lease establishment. This might
be less security than an administrator was expecting.
Dave Noveck's migration issues draft recommends the use of an
integrity-protecting security flavor for the SETCLIENTID operation.
Let's ignore the mount's sec= setting and use krb5i as the default
security flavor for SETCLIENTID.
If our client can't establish a GSS context (eg. because it doesn't
have a keytab or the server doesn't support Kerberos) we fall back
to using AUTH_NULL. For an operation that requires a
machine credential (which never represents a particular user)
AUTH_NULL is as secure as AUTH_UNIX.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
| -rw-r--r-- | fs/nfs/nfs4client.c | 2 | ||||
| -rw-r--r-- | fs/nfs/nfs4state.c | 37 |
2 files changed, 6 insertions, 33 deletions
diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c index 17b34b2da2df..bb9789ef1d49 100644 --- a/fs/nfs/nfs4client.c +++ b/fs/nfs/nfs4client.c | |||
| @@ -199,7 +199,7 @@ struct nfs_client *nfs4_init_client(struct nfs_client *clp, | |||
| 199 | clp->rpc_ops = &nfs_v4_clientops; | 199 | clp->rpc_ops = &nfs_v4_clientops; |
| 200 | 200 | ||
| 201 | __set_bit(NFS_CS_DISCRTRY, &clp->cl_flags); | 201 | __set_bit(NFS_CS_DISCRTRY, &clp->cl_flags); |
| 202 | error = nfs_create_rpc_client(clp, timeparms, authflavour); | 202 | error = nfs_create_rpc_client(clp, timeparms, RPC_AUTH_GSS_KRB5I); |
| 203 | if (error < 0) | 203 | if (error < 0) |
| 204 | goto error; | 204 | goto error; |
| 205 | 205 | ||
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c index b924bdd69494..a30f51eb048f 100644 --- a/fs/nfs/nfs4state.c +++ b/fs/nfs/nfs4state.c | |||
| @@ -1866,26 +1866,13 @@ int nfs4_discover_server_trunking(struct nfs_client *clp, | |||
| 1866 | { | 1866 | { |
| 1867 | const struct nfs4_state_recovery_ops *ops = | 1867 | const struct nfs4_state_recovery_ops *ops = |
| 1868 | clp->cl_mvops->reboot_recovery_ops; | 1868 | clp->cl_mvops->reboot_recovery_ops; |
| 1869 | rpc_authflavor_t *flavors, flav, save; | ||
| 1870 | struct rpc_clnt *clnt; | 1869 | struct rpc_clnt *clnt; |
| 1871 | struct rpc_cred *cred; | 1870 | struct rpc_cred *cred; |
| 1872 | int i, len, status; | 1871 | int i, status; |
| 1873 | 1872 | ||
| 1874 | dprintk("NFS: %s: testing '%s'\n", __func__, clp->cl_hostname); | 1873 | dprintk("NFS: %s: testing '%s'\n", __func__, clp->cl_hostname); |
| 1875 | 1874 | ||
| 1876 | len = NFS_MAX_SECFLAVORS; | ||
| 1877 | flavors = kcalloc(len, sizeof(*flavors), GFP_KERNEL); | ||
| 1878 | if (flavors == NULL) { | ||
| 1879 | status = -ENOMEM; | ||
| 1880 | goto out; | ||
| 1881 | } | ||
| 1882 | len = rpcauth_list_flavors(flavors, len); | ||
| 1883 | if (len < 0) { | ||
| 1884 | status = len; | ||
| 1885 | goto out_free; | ||
| 1886 | } | ||
| 1887 | clnt = clp->cl_rpcclient; | 1875 | clnt = clp->cl_rpcclient; |
| 1888 | save = clnt->cl_auth->au_flavor; | ||
| 1889 | i = 0; | 1876 | i = 0; |
| 1890 | 1877 | ||
| 1891 | mutex_lock(&nfs_clid_init_mutex); | 1878 | mutex_lock(&nfs_clid_init_mutex); |
| @@ -1900,12 +1887,6 @@ again: | |||
| 1900 | switch (status) { | 1887 | switch (status) { |
| 1901 | case 0: | 1888 | case 0: |
| 1902 | break; | 1889 | break; |
| 1903 | |||
| 1904 | case -EACCES: | ||
| 1905 | if (clp->cl_machine_cred == NULL) | ||
| 1906 | break; | ||
| 1907 | /* Handle case where the user hasn't set up machine creds */ | ||
| 1908 | nfs4_clear_machine_cred(clp); | ||
| 1909 | case -NFS4ERR_DELAY: | 1890 | case -NFS4ERR_DELAY: |
| 1910 | case -ETIMEDOUT: | 1891 | case -ETIMEDOUT: |
| 1911 | case -EAGAIN: | 1892 | case -EAGAIN: |
| @@ -1914,17 +1895,12 @@ again: | |||
| 1914 | dprintk("NFS: %s after status %d, retrying\n", | 1895 | dprintk("NFS: %s after status %d, retrying\n", |
| 1915 | __func__, status); | 1896 | __func__, status); |
| 1916 | goto again; | 1897 | goto again; |
| 1917 | 1898 | case -EACCES: | |
| 1899 | if (i++) | ||
| 1900 | break; | ||
| 1918 | case -NFS4ERR_CLID_INUSE: | 1901 | case -NFS4ERR_CLID_INUSE: |
| 1919 | case -NFS4ERR_WRONGSEC: | 1902 | case -NFS4ERR_WRONGSEC: |
| 1920 | status = -EPERM; | 1903 | clnt = rpc_clone_client_set_auth(clnt, RPC_AUTH_NULL); |
| 1921 | if (i >= len) | ||
| 1922 | break; | ||
| 1923 | |||
| 1924 | flav = flavors[i++]; | ||
| 1925 | if (flav == save) | ||
| 1926 | flav = flavors[i++]; | ||
| 1927 | clnt = rpc_clone_client_set_auth(clnt, flav); | ||
| 1928 | if (IS_ERR(clnt)) { | 1904 | if (IS_ERR(clnt)) { |
| 1929 | status = PTR_ERR(clnt); | 1905 | status = PTR_ERR(clnt); |
| 1930 | break; | 1906 | break; |
| @@ -1944,9 +1920,6 @@ again: | |||
| 1944 | 1920 | ||
| 1945 | out_unlock: | 1921 | out_unlock: |
| 1946 | mutex_unlock(&nfs_clid_init_mutex); | 1922 | mutex_unlock(&nfs_clid_init_mutex); |
| 1947 | out_free: | ||
| 1948 | kfree(flavors); | ||
| 1949 | out: | ||
| 1950 | dprintk("NFS: %s: status = %d\n", __func__, status); | 1923 | dprintk("NFS: %s: status = %d\n", __func__, status); |
| 1951 | return status; | 1924 | return status; |
| 1952 | } | 1925 | } |