diff options
| author | J. Bruce Fields <bfields@citi.umich.edu> | 2007-07-17 07:04:52 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-07-17 13:23:08 -0400 |
| commit | 1269bc69b6649282091bb7007372acf4ab8357fd (patch) | |
| tree | 58cd434f7381332dd8b7331da36f98b40cb69639 | |
| parent | 9091224f3cff4721f295df29e8a99705a63bc4c7 (diff) | |
knfsd: nfsd: enforce per-flavor id squashing
Allow root squashing to vary per-pseudoflavor, so that you can (for example)
allow root access only when sufficiently strong security is in use.
Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | fs/nfsd/auth.c | 18 | ||||
| -rw-r--r-- | include/linux/nfsd/export.h | 3 |
2 files changed, 18 insertions, 3 deletions
diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c index 6e92b0fe532..cf61dc8ae94 100644 --- a/fs/nfsd/auth.c +++ b/fs/nfsd/auth.c | |||
| @@ -12,17 +12,31 @@ | |||
| 12 | 12 | ||
| 13 | #define CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE)) | 13 | #define CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE)) |
| 14 | 14 | ||
| 15 | static int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp) | ||
| 16 | { | ||
| 17 | struct exp_flavor_info *f; | ||
| 18 | struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors; | ||
| 19 | |||
| 20 | for (f = exp->ex_flavors; f < end; f++) { | ||
| 21 | if (f->pseudoflavor == rqstp->rq_flavor) | ||
| 22 | return f->flags; | ||
| 23 | } | ||
| 24 | return exp->ex_flags; | ||
| 25 | |||
| 26 | } | ||
| 27 | |||
| 15 | int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) | 28 | int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) |
| 16 | { | 29 | { |
| 17 | struct svc_cred cred = rqstp->rq_cred; | 30 | struct svc_cred cred = rqstp->rq_cred; |
| 18 | int i; | 31 | int i; |
| 32 | int flags = nfsexp_flags(rqstp, exp); | ||
| 19 | int ret; | 33 | int ret; |
| 20 | 34 | ||
| 21 | if (exp->ex_flags & NFSEXP_ALLSQUASH) { | 35 | if (flags & NFSEXP_ALLSQUASH) { |
| 22 | cred.cr_uid = exp->ex_anon_uid; | 36 | cred.cr_uid = exp->ex_anon_uid; |
| 23 | cred.cr_gid = exp->ex_anon_gid; | 37 | cred.cr_gid = exp->ex_anon_gid; |
| 24 | cred.cr_group_info = groups_alloc(0); | 38 | cred.cr_group_info = groups_alloc(0); |
| 25 | } else if (exp->ex_flags & NFSEXP_ROOTSQUASH) { | 39 | } else if (flags & NFSEXP_ROOTSQUASH) { |
| 26 | struct group_info *gi; | 40 | struct group_info *gi; |
| 27 | if (!cred.cr_uid) | 41 | if (!cred.cr_uid) |
| 28 | cred.cr_uid = exp->ex_anon_uid; | 42 | cred.cr_uid = exp->ex_anon_uid; |
diff --git a/include/linux/nfsd/export.h b/include/linux/nfsd/export.h index a01f775cb94..78feb7beff7 100644 --- a/include/linux/nfsd/export.h +++ b/include/linux/nfsd/export.h | |||
| @@ -43,7 +43,8 @@ | |||
| 43 | #define NFSEXP_ALLFLAGS 0xFE3F | 43 | #define NFSEXP_ALLFLAGS 0xFE3F |
| 44 | 44 | ||
| 45 | /* The flags that may vary depending on security flavor: */ | 45 | /* The flags that may vary depending on security flavor: */ |
| 46 | #define NFSEXP_SECINFO_FLAGS 0 | 46 | #define NFSEXP_SECINFO_FLAGS (NFSEXP_READONLY | NFSEXP_ROOTSQUASH \ |
| 47 | | NFSEXP_ALLSQUASH) | ||
| 47 | 48 | ||
| 48 | #ifdef __KERNEL__ | 49 | #ifdef __KERNEL__ |
| 49 | 50 | ||