aboutsummaryrefslogtreecommitdiffstats
path: root/fs/nfsd/nfsfh.c
diff options
context:
space:
mode:
authorSteve Dickson <SteveD@redhat.com>2009-09-09 15:06:05 -0400
committerJ. Bruce Fields <bfields@citi.umich.edu>2009-12-15 14:07:24 -0500
commit03a816b46d7eba78da11e4025f0af195b32fa464 (patch)
tree5069e9183dd5535c61bc7eff8a8a03202a19568d /fs/nfsd/nfsfh.c
parentf2ca7153ca49a407ea1c7232c9fa7e9849f03f9c (diff)
nfsd: restrict filehandles accepted in V4ROOT case
On V4ROOT exports, only accept filehandles that are the *root* of some export. This allows mountd to allow or deny access to individual directories and symlinks on the pseudofilesystem. Note that the checks in readdir and lookup are not enough, since a malicious host with access to the network could guess filehandles that they weren't able to obtain through lookup or readdir. Signed-off-by: Steve Dickson <steved@redhat.com> Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Diffstat (limited to 'fs/nfsd/nfsfh.c')
-rw-r--r--fs/nfsd/nfsfh.c34
1 files changed, 34 insertions, 0 deletions
diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index 951938d6c495..44812c32e51e 100644
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -103,6 +103,36 @@ static __be32 nfsd_setuser_and_check_port(struct svc_rqst *rqstp,
103 return nfserrno(nfsd_setuser(rqstp, exp)); 103 return nfserrno(nfsd_setuser(rqstp, exp));
104} 104}
105 105
106static inline __be32 check_pseudo_root(struct svc_rqst *rqstp,
107 struct dentry *dentry, struct svc_export *exp)
108{
109 if (!(exp->ex_flags & NFSEXP_V4ROOT))
110 return nfs_ok;
111 /*
112 * v2/v3 clients have no need for the V4ROOT export--they use
113 * the mount protocl instead; also, further V4ROOT checks may be
114 * in v4-specific code, in which case v2/v3 clients could bypass
115 * them.
116 */
117 if (!nfsd_v4client(rqstp))
118 return nfserr_stale;
119 /*
120 * We're exposing only the directories and symlinks that have to be
121 * traversed on the way to real exports:
122 */
123 if (unlikely(!S_ISDIR(dentry->d_inode->i_mode) &&
124 !S_ISLNK(dentry->d_inode->i_mode)))
125 return nfserr_stale;
126 /*
127 * A pseudoroot export gives permission to access only one
128 * single directory; the kernel has to make another upcall
129 * before granting access to anything else under it:
130 */
131 if (unlikely(dentry != exp->ex_path.dentry))
132 return nfserr_stale;
133 return nfs_ok;
134}
135
106/* 136/*
107 * Use the given filehandle to look up the corresponding export and 137 * Use the given filehandle to look up the corresponding export and
108 * dentry. On success, the results are used to set fh_export and 138 * dentry. On success, the results are used to set fh_export and
@@ -299,6 +329,10 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, int access)
299 * (for example, if different id-squashing options are in 329 * (for example, if different id-squashing options are in
300 * effect on the new filesystem). 330 * effect on the new filesystem).
301 */ 331 */
332 error = check_pseudo_root(rqstp, dentry, exp);
333 if (error)
334 goto out;
335
302 error = nfsd_setuser_and_check_port(rqstp, exp); 336 error = nfsd_setuser_and_check_port(rqstp, exp);
303 if (error) 337 if (error)
304 goto out; 338 goto out;