diff options
author | Steve Dickson <SteveD@redhat.com> | 2009-09-09 15:06:05 -0400 |
---|---|---|
committer | J. Bruce Fields <bfields@citi.umich.edu> | 2009-12-15 14:07:24 -0500 |
commit | 03a816b46d7eba78da11e4025f0af195b32fa464 (patch) | |
tree | 5069e9183dd5535c61bc7eff8a8a03202a19568d /fs/nfsd/nfsfh.c | |
parent | f2ca7153ca49a407ea1c7232c9fa7e9849f03f9c (diff) |
nfsd: restrict filehandles accepted in V4ROOT case
On V4ROOT exports, only accept filehandles that are the *root* of some
export. This allows mountd to allow or deny access to individual
directories and symlinks on the pseudofilesystem.
Note that the checks in readdir and lookup are not enough, since a
malicious host with access to the network could guess filehandles that
they weren't able to obtain through lookup or readdir.
Signed-off-by: Steve Dickson <steved@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Diffstat (limited to 'fs/nfsd/nfsfh.c')
-rw-r--r-- | fs/nfsd/nfsfh.c | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c index 951938d6c495..44812c32e51e 100644 --- a/fs/nfsd/nfsfh.c +++ b/fs/nfsd/nfsfh.c | |||
@@ -103,6 +103,36 @@ static __be32 nfsd_setuser_and_check_port(struct svc_rqst *rqstp, | |||
103 | return nfserrno(nfsd_setuser(rqstp, exp)); | 103 | return nfserrno(nfsd_setuser(rqstp, exp)); |
104 | } | 104 | } |
105 | 105 | ||
106 | static inline __be32 check_pseudo_root(struct svc_rqst *rqstp, | ||
107 | struct dentry *dentry, struct svc_export *exp) | ||
108 | { | ||
109 | if (!(exp->ex_flags & NFSEXP_V4ROOT)) | ||
110 | return nfs_ok; | ||
111 | /* | ||
112 | * v2/v3 clients have no need for the V4ROOT export--they use | ||
113 | * the mount protocl instead; also, further V4ROOT checks may be | ||
114 | * in v4-specific code, in which case v2/v3 clients could bypass | ||
115 | * them. | ||
116 | */ | ||
117 | if (!nfsd_v4client(rqstp)) | ||
118 | return nfserr_stale; | ||
119 | /* | ||
120 | * We're exposing only the directories and symlinks that have to be | ||
121 | * traversed on the way to real exports: | ||
122 | */ | ||
123 | if (unlikely(!S_ISDIR(dentry->d_inode->i_mode) && | ||
124 | !S_ISLNK(dentry->d_inode->i_mode))) | ||
125 | return nfserr_stale; | ||
126 | /* | ||
127 | * A pseudoroot export gives permission to access only one | ||
128 | * single directory; the kernel has to make another upcall | ||
129 | * before granting access to anything else under it: | ||
130 | */ | ||
131 | if (unlikely(dentry != exp->ex_path.dentry)) | ||
132 | return nfserr_stale; | ||
133 | return nfs_ok; | ||
134 | } | ||
135 | |||
106 | /* | 136 | /* |
107 | * Use the given filehandle to look up the corresponding export and | 137 | * Use the given filehandle to look up the corresponding export and |
108 | * dentry. On success, the results are used to set fh_export and | 138 | * dentry. On success, the results are used to set fh_export and |
@@ -299,6 +329,10 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access) | |||
299 | * (for example, if different id-squashing options are in | 329 | * (for example, if different id-squashing options are in |
300 | * effect on the new filesystem). | 330 | * effect on the new filesystem). |
301 | */ | 331 | */ |
332 | error = check_pseudo_root(rqstp, dentry, exp); | ||
333 | if (error) | ||
334 | goto out; | ||
335 | |||
302 | error = nfsd_setuser_and_check_port(rqstp, exp); | 336 | error = nfsd_setuser_and_check_port(rqstp, exp); |
303 | if (error) | 337 | if (error) |
304 | goto out; | 338 | goto out; |