git: 6078d52fa12a - stable/13 - nfsd: Fix NFSv4.1/4.2 Secinfo_no_name when security flavors empty
Rick Macklem
rmacklem at FreeBSD.org
Sat Jun 26 22:59:26 UTC 2021
The branch stable/13 has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=6078d52fa12adfbf3a7e54a6a228fff13c5ecd4a
commit 6078d52fa12adfbf3a7e54a6a228fff13c5ecd4a
Author: Rick Macklem <rmacklem at FreeBSD.org>
AuthorDate: 2021-06-05 03:31:20 +0000
Commit: Rick Macklem <rmacklem at FreeBSD.org>
CommitDate: 2021-06-26 22:56:10 +0000
nfsd: Fix NFSv4.1/4.2 Secinfo_no_name when security flavors empty
Commit 947bd2479ba9 added support for the Secinfo_no_name operation.
When a non-exported file system is being traversed, the list of
security flavors is empty. It turns out that the Linux client
mount attempt fails when the security flavors list in the
Secinfo_no_name reply is empty.
This patch modifies Secinfo/Secinfo_no_name so that it replies
with all four security flavors when the list is empty.
This fixes Linux NFSv4.1/4.2 mounts when the file system at
the NFSv4 root (as specified on a V4: exports(5) line) is
not exported.
(cherry picked from commit 56e9d8e38e7eed84901acddca24170eb352d2ed6)
---
sys/fs/nfsserver/nfs_nfsdserv.c | 50 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c
index adb66d3d794d..e564a6a48b79 100644
--- a/sys/fs/nfsserver/nfs_nfsdserv.c
+++ b/sys/fs/nfsserver/nfs_nfsdserv.c
@@ -3715,6 +3715,31 @@ nfsrvd_secinfo(struct nfsrv_descript *nd, int isdgram,
*/
len = 0;
NFSM_BUILD(sizp, u_int32_t *, NFSX_UNSIGNED);
+
+ /* If nes_numsecflavor == 0, all are allowed. */
+ if (retnes.nes_numsecflavor == 0) {
+ NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED);
+ *tl++ = txdr_unsigned(RPCAUTH_UNIX);
+ *tl = txdr_unsigned(RPCAUTH_GSS);
+ nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str,
+ nfsgss_mechlist[KERBV_MECH].len);
+ NFSM_BUILD(tl, uint32_t *, 3 * NFSX_UNSIGNED);
+ *tl++ = txdr_unsigned(GSS_KERBV_QOP);
+ *tl++ = txdr_unsigned(RPCAUTHGSS_SVCNONE);
+ *tl = txdr_unsigned(RPCAUTH_GSS);
+ nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str,
+ nfsgss_mechlist[KERBV_MECH].len);
+ NFSM_BUILD(tl, uint32_t *, 3 * NFSX_UNSIGNED);
+ *tl++ = txdr_unsigned(GSS_KERBV_QOP);
+ *tl++ = txdr_unsigned(RPCAUTHGSS_SVCINTEGRITY);
+ *tl = txdr_unsigned(RPCAUTH_GSS);
+ nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str,
+ nfsgss_mechlist[KERBV_MECH].len);
+ NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED);
+ *tl++ = txdr_unsigned(GSS_KERBV_QOP);
+ *tl = txdr_unsigned(RPCAUTHGSS_SVCPRIVACY);
+ len = 4;
+ }
for (i = 0; i < retnes.nes_numsecflavor; i++) {
if (retnes.nes_secflavors[i] == AUTH_SYS) {
NFSM_BUILD(tl, u_int32_t *, NFSX_UNSIGNED);
@@ -3830,6 +3855,31 @@ nfsrvd_secinfononame(struct nfsrv_descript *nd, int isdgram,
*/
len = 0;
NFSM_BUILD(sizp, uint32_t *, NFSX_UNSIGNED);
+
+ /* If nes_numsecflavor == 0, all are allowed. */
+ if (retnes.nes_numsecflavor == 0) {
+ NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED);
+ *tl++ = txdr_unsigned(RPCAUTH_UNIX);
+ *tl = txdr_unsigned(RPCAUTH_GSS);
+ nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str,
+ nfsgss_mechlist[KERBV_MECH].len);
+ NFSM_BUILD(tl, uint32_t *, 3 * NFSX_UNSIGNED);
+ *tl++ = txdr_unsigned(GSS_KERBV_QOP);
+ *tl++ = txdr_unsigned(RPCAUTHGSS_SVCNONE);
+ *tl = txdr_unsigned(RPCAUTH_GSS);
+ nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str,
+ nfsgss_mechlist[KERBV_MECH].len);
+ NFSM_BUILD(tl, uint32_t *, 3 * NFSX_UNSIGNED);
+ *tl++ = txdr_unsigned(GSS_KERBV_QOP);
+ *tl++ = txdr_unsigned(RPCAUTHGSS_SVCINTEGRITY);
+ *tl = txdr_unsigned(RPCAUTH_GSS);
+ nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str,
+ nfsgss_mechlist[KERBV_MECH].len);
+ NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED);
+ *tl++ = txdr_unsigned(GSS_KERBV_QOP);
+ *tl = txdr_unsigned(RPCAUTHGSS_SVCPRIVACY);
+ len = 4;
+ }
for (i = 0; i < retnes.nes_numsecflavor; i++) {
if (retnes.nes_secflavors[i] == AUTH_SYS) {
NFSM_BUILD(tl, uint32_t *, NFSX_UNSIGNED);
More information about the dev-commits-src-all
mailing list