author | J. Bruce Fields <bfields@citi.umich.edu> | 2008-08-07 13:00:20 -0400 |
---|---|---|
committer | J. Bruce Fields <bfields@citi.umich.edu> | 2008-09-29 17:56:56 -0400 |
commit | 04716e6621ff4abb422d64ba7b48718f52716a3e (patch) | |
tree | 742e2e7b6d4c7cf3a39f504000a49e57fe0b538b /include/linux | |
parent | 5dd248f6f1ffe1f691fd66749e2a3dc8f8eb7b5e (diff) |
nfsd: permit unauthenticated stat of export root
RFC 2623 section 2.3.2 permits the server to bypass gss authentication
checks for certain operations that a client may perform when mounting.
In the case of a client that doesn't have some form of credentials
available to it on boot, this allows it to perform the mount unattended.
(Presumably real file access won't be needed until a user with
credentials logs in.)
Being slightly more lenient allows lots of old clients to access
krb5-only exports, with the only loss being a small amount of
information leaked about the root directory of the export.
This affects only v2 and v3; v4 still requires authentication for all
access.
Thanks to Peter Staubach for testing against a Solaris client, which
suggested the addition of v3 getattr to the list, and to Trond for noting
that doing so exposes no additional information.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Cc: Peter Staubach <staubach@redhat.com>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/nfsd/nfsd.h | 3 |
1 files changed, 2 insertions, 1 deletions
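diff --git a/include/linux/nfsd/nfsd.h b/include/linux/nfsd/nfsd.h
index 108f47e5fd95..21269405ffe2 100644
--- a/include/linux/nfsd/nfsd.h
+++ b/include/linux/nfsd/nfsd.h
@@ -38,6 +38,7 @@
 #define NFSD_MAY_LOCK 32
 #define NFSD_MAY_OWNER_OVERRIDE 64
 #define NFSD_MAY_LOCAL_ACCESS 128 /* IRIX doing local access check on device special file*/
+#define NFSD_MAY_BYPASS_GSS_ON_ROOT 256
 
 #define NFSD_MAY_CREATE (NFSD_MAY_EXEC|NFSD_MAY_WRITE)
 #define NFSD_MAY_REMOVE (NFSD_MAY_EXEC|NFSD_MAY_WRITE|NFSD_MAY_TRUNC)
@@ -125,7 +126,7 @@ int nfsd_truncate(struct svc_rqst *, struct svc_fh *,
 __be32 nfsd_readdir(struct svc_rqst *, struct svc_fh *,
 loff_t *, struct readdir_cd *, filldir_t);
 __be32 nfsd_statfs(struct svc_rqst *, struct svc_fh *,
-struct kstatfs *);
+struct kstatfs *, int access);
 
 int nfsd_notify_change(struct inode *, struct iattr *);
 __be32 nfsd_permission(struct svc_rqst *, struct svc_export *,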
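Review bot: The new `NFSD_MAY_BYPASS_GSS_ON_ROOT` bit in the first hunk relaxes an authentication check but is defined without a comment, so nothing at the definition tells a later caller when it is safe to pass. I would add `/* skip the gss flavor check; honoured only on the export root, for v2/v3 mount-time ops (RFC 2623 2.3.2) */` beside it. The second hunk gives `nfsd_statfs` a bare `int access`, so any caller can now hand in an arbitrary mask; the "export root only" restriction therefore has to be enforced where the mask is evaluated rather than trusted from the call site. That checking code is outside this section (the diffstat is limited to include/linux), so it is worth confirming there, and the prototype would benefit from a one-line comment naming the `NFSD_MAY_*` values it expects.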