commit 3c1bb23c0379864722e79d19f74c180edcf2c36e

Author: bc Wong <bcwong@cisco.com>

Date:   Tue Mar 18 09:30:44 2008 -0400

    There were 2 things wrong with auth flavour ordering:

    - Mountd used to advertise AUTH_NULL as the first flavour on

      the list, which means that it prefers AUTH_NULL to anything

      else (as per RFC 2623 section 2.7).

    - Mount.nfs used to scan the returned list in reverse order,

      and stopping at the first AUTH_NULL or AUTH_SYS encountered.

      If a server advertises (AUTH_SYS, AUTH_NULL), it will by

      default choose AUTH_NULL and have degraded access.

    I've fixed mount.nfs to scan from the beginning. For mountd,

    it does not advertise AUTH_NULL anymore. This is necessary

    to avoid backward compatibility issue. If AUTH_NULL appears

    in the list, either the new or the old client will choose

    that over AUTH_SYS.

    Tested the server/client combination against the previous

    versions, as well as Solaris and FreeBSD.

    Signed-off-by: bc Wong <bcwong@cisco.com>

    Signed-off-by: Steve Dickson <steved@redhat.com>

--- nfs-utils-1.1.2/utils/mount/nfsmount.c.orig	2008-03-14 11:46:29.000000000 -0400

+++ nfs-utils-1.1.2/utils/mount/nfsmount.c	2008-03-25 10:18:09.333839000 -0400

@@ -738,7 +738,7 @@ nfsmount(const char *spec, const char *n

 #if NFS_MOUNT_VERSION >= 4

 		mountres3_ok *mountres;

 		fhandle3 *fhandle;

-		int i, *flavor, yum = 0;

+		int i,  n_flavors, *flavor, yum = 0;

 		if (mntres.nfsv3.fhs_status != 0) {

 			nfs_error(_("%s: %s:%s failed, reason given by server: %s"),

 					progname, hostname, dirname,

@@ -747,13 +747,16 @@ nfsmount(const char *spec, const char *n

 		}

 #if NFS_MOUNT_VERSION >= 5

 		mountres = &mntres.nfsv3.mountres3_u.mountinfo;

-		i = mountres->auth_flavors.auth_flavors_len;

-		if (i <= 0)

+		n_flavors = mountres->auth_flavors.auth_flavors_len;

+		if (n_flavors <= 0)

 			goto noauth_flavors;

 		flavor = mountres->auth_flavors.auth_flavors_val;

-		while (--i >= 0) {

-			/* If no flavour requested, use first simple

+		for (i = 0; i < n_flavors; ++i) {

+			/*

+			 * Per RFC2623, section 2.7, we should prefer the

+			 * flavour listed first.

+			 * If no flavour requested, use the first simple

 			 * flavour that is offered.

 			 */

 			if (! (data.flags & NFS_MOUNT_SECFLAVOUR) &&

--- nfs-utils-1.1.2/utils/mountd/mountd.c.orig	2008-03-14 11:46:29.000000000 -0400

+++ nfs-utils-1.1.2/utils/mountd/mountd.c	2008-03-25 10:18:09.339833000 -0400

@@ -342,7 +342,14 @@ mount_mnt_3_svc(struct svc_req *rqstp, d

 #define AUTH_GSS_KRB5 390003

 #define AUTH_GSS_KRB5I 390004

 #define AUTH_GSS_KRB5P 390005

-	static int	flavors[] = { AUTH_NULL, AUTH_UNIX, AUTH_GSS_KRB5, AUTH_GSS_KRB5I, AUTH_GSS_KRB5P};

+	static int	flavors[] = { AUTH_UNIX, AUTH_GSS_KRB5, AUTH_GSS_KRB5I, AUTH_GSS_KRB5P};

+	/*

+	 * We should advertise the preferred flavours first. (See RFC 2623

+	 * section 2.7.) AUTH_UNIX is arbitrarily ranked over the GSS's.

+	 * AUTH_NULL is dropped from the list to avoid backward compatibility

+	 * issue with older Linux clients, who inspect the list in reversed

+	 * order.

+	 */

 	struct nfs_fh_len *fh;

 	xlog(D_CALL, "MNT3(%s) called", *path);