|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
commit 3c1bb23c0379864722e79d19f74c180edcf2c36e
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
Author: bc Wong <bcwong@cisco.com>
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
Date: Tue Mar 18 09:30:44 2008 -0400
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
There were 2 things wrong with auth flavour ordering:
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
- Mountd used to advertise AUTH_NULL as the first flavour on
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
the list, which means that it prefers AUTH_NULL to anything
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
else (as per RFC 2623 section 2.7).
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
- Mount.nfs used to scan the returned list in reverse order,
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
and stopping at the first AUTH_NULL or AUTH_SYS encountered.
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
If a server advertises (AUTH_SYS, AUTH_NULL), it will by
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
default choose AUTH_NULL and have degraded access.
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
I've fixed mount.nfs to scan from the beginning. For mountd,
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
it does not advertise AUTH_NULL anymore. This is necessary
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
to avoid backward compatibility issue. If AUTH_NULL appears
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
in the list, either the new or the old client will choose
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
that over AUTH_SYS.
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
Tested the server/client combination against the previous
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
versions, as well as Solaris and FreeBSD.
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
Signed-off-by: bc Wong <bcwong@cisco.com>
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
--- nfs-utils-1.1.2/utils/mount/nfsmount.c.orig 2008-03-14 11:46:29.000000000 -0400
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+++ nfs-utils-1.1.2/utils/mount/nfsmount.c 2008-03-25 10:18:09.333839000 -0400
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
@@ -738,7 +738,7 @@ nfsmount(const char *spec, const char *n
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
#if NFS_MOUNT_VERSION >= 4
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
mountres3_ok *mountres;
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
fhandle3 *fhandle;
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
- int i, *flavor, yum = 0;
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ int i, n_flavors, *flavor, yum = 0;
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
if (mntres.nfsv3.fhs_status != 0) {
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
nfs_error(_("%s: %s:%s failed, reason given by server: %s"),
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
progname, hostname, dirname,
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
@@ -747,13 +747,16 @@ nfsmount(const char *spec, const char *n
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
}
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
#if NFS_MOUNT_VERSION >= 5
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
mountres = &mntres.nfsv3.mountres3_u.mountinfo;
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
- i = mountres->auth_flavors.auth_flavors_len;
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
- if (i <= 0)
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ n_flavors = mountres->auth_flavors.auth_flavors_len;
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ if (n_flavors <= 0)
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
goto noauth_flavors;
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
flavor = mountres->auth_flavors.auth_flavors_val;
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
- while (--i >= 0) {
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
- /* If no flavour requested, use first simple
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ for (i = 0; i < n_flavors; ++i) {
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ /*
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ * Per RFC2623, section 2.7, we should prefer the
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ * flavour listed first.
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ * If no flavour requested, use the first simple
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
* flavour that is offered.
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
*/
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
if (! (data.flags & NFS_MOUNT_SECFLAVOUR) &&
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
--- nfs-utils-1.1.2/utils/mountd/mountd.c.orig 2008-03-14 11:46:29.000000000 -0400
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+++ nfs-utils-1.1.2/utils/mountd/mountd.c 2008-03-25 10:18:09.339833000 -0400
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
@@ -342,7 +342,14 @@ mount_mnt_3_svc(struct svc_req *rqstp, d
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
#define AUTH_GSS_KRB5 390003
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
#define AUTH_GSS_KRB5I 390004
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
#define AUTH_GSS_KRB5P 390005
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
- static int flavors[] = { AUTH_NULL, AUTH_UNIX, AUTH_GSS_KRB5, AUTH_GSS_KRB5I, AUTH_GSS_KRB5P};
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ static int flavors[] = { AUTH_UNIX, AUTH_GSS_KRB5, AUTH_GSS_KRB5I, AUTH_GSS_KRB5P};
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ /*
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ * We should advertise the preferred flavours first. (See RFC 2623
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ * section 2.7.) AUTH_UNIX is arbitrarily ranked over the GSS's.
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ * AUTH_NULL is dropped from the list to avoid backward compatibility
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ * issue with older Linux clients, who inspect the list in reversed
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ * order.
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
+ */
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
struct nfs_fh_len *fh;
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
|
|
![](https://seccdn.libravatar.org/avatar/79dde3aae8e74a087a9437286a490898715b52e98b8655cac3f971ab0a473044?s=16&d=retro) |
2038fc4 |
xlog(D_CALL, "MNT3(%s) called", *path);
|