NFS: Fix NFSv2 security settings
For a while now any NFSv2 mount where sec= is specified uses AUTH_NULL. If sec= is not specified, the mount uses AUTH_UNIX. Commit e68fd7c807
("mount: use sec= that was specified on the command line") attempted to address a very similar problem with NFSv3, and should have fixed this too, but it has a bug. The MNTv1 MNT procedure does not return a list of security flavors, so our client makes up a list containing just AUTH_NULL. This should enable nfs_verify_authflavors() to assign the sec= specified flavor, but instead, it incorrectly sets it to AUTH_NULL. I expect this would also be a problem for any NFSv3 server whose MNTv3 MNT procedure returned a security flavor list containing only AUTH_NULL. Fixes: e68fd7c807
("mount: use sec= that was specified on ... ") BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=310 Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
parent
b79e87e070
commit
53a75f22e7
|
@ -1691,8 +1691,8 @@ static int nfs_verify_authflavors(struct nfs_parsed_mount_data *args,
|
||||||
rpc_authflavor_t *server_authlist, unsigned int count)
|
rpc_authflavor_t *server_authlist, unsigned int count)
|
||||||
{
|
{
|
||||||
rpc_authflavor_t flavor = RPC_AUTH_MAXFLAVOR;
|
rpc_authflavor_t flavor = RPC_AUTH_MAXFLAVOR;
|
||||||
|
bool found_auth_null = false;
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
int use_auth_null = false;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If the sec= mount option is used, the specified flavor or AUTH_NULL
|
* If the sec= mount option is used, the specified flavor or AUTH_NULL
|
||||||
|
@ -1701,6 +1701,10 @@ static int nfs_verify_authflavors(struct nfs_parsed_mount_data *args,
|
||||||
* AUTH_NULL has a special meaning when it's in the server list - it
|
* AUTH_NULL has a special meaning when it's in the server list - it
|
||||||
* means that the server will ignore the rpc creds, so any flavor
|
* means that the server will ignore the rpc creds, so any flavor
|
||||||
* can be used but still use the sec= that was specified.
|
* can be used but still use the sec= that was specified.
|
||||||
|
*
|
||||||
|
* Note also that the MNT procedure in MNTv1 does not return a list
|
||||||
|
* of supported security flavors. In this case, nfs_mount() fabricates
|
||||||
|
* a security flavor list containing just AUTH_NULL.
|
||||||
*/
|
*/
|
||||||
for (i = 0; i < count; i++) {
|
for (i = 0; i < count; i++) {
|
||||||
flavor = server_authlist[i];
|
flavor = server_authlist[i];
|
||||||
|
@ -1709,11 +1713,11 @@ static int nfs_verify_authflavors(struct nfs_parsed_mount_data *args,
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
if (flavor == RPC_AUTH_NULL)
|
if (flavor == RPC_AUTH_NULL)
|
||||||
use_auth_null = true;
|
found_auth_null = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (use_auth_null) {
|
if (found_auth_null) {
|
||||||
flavor = RPC_AUTH_NULL;
|
flavor = args->auth_info.flavors[0];
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
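Review bot: In the `if (found_auth_null)` block of the last hunk, `args->auth_info.flavors[0]` is read with no visible check that a sec= flavor was actually parsed. The caller is not shown, so the guarantee that the list is non-empty is presumably enforced outside this function. Because this value becomes the authentication flavor for the mount, I would state the precondition at the point of use, e.g. `/* only reached when sec= was given, so flavors[0] is the user's first choice */`, or make it explicit with `if (found_auth_null && args->auth_info.flavor_len > 0) {`. The function body continues past the end of the hunk, so the `out:` path that consumes `flavor` cannot be checked from here.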