nfsd: Fix NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT

Currently NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT do not bypass
only GSS, but bypass any method. This is a problem specially for NFS3
AUTH_NULL-only exports.

The purpose of NFSD_MAY_BYPASS_GSS_ON_ROOT is described in RFC 2623,
section 2.3.2, to allow mounting NFS2/3 GSS-only export without
authentication. So few procedures which do not expose security risk used
during mount time can be called also with AUTH_NONE or AUTH_SYS, to allow
client mount operation to finish successfully.

The problem with current implementation is that for AUTH_NULL-only exports,
the NFSD_MAY_BYPASS_GSS_ON_ROOT is active also for NFS3 AUTH_UNIX mount
attempts which confuse NFS3 clients, and make them think that AUTH_UNIX is
enabled and is working. Linux NFS3 client never switches from AUTH_UNIX to
AUTH_NONE on active mount, which makes the mount inaccessible.

Fix the NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT implementation
and really allow to bypass only exports which have enabled some real
authentication (GSS, TLS, or any other).

The result would be: For AUTH_NULL-only export if client attempts to do
mount with AUTH_UNIX flavor then it will receive access errors, which
instruct client that AUTH_UNIX flavor is not usable and will either try
other auth flavor (AUTH_NULL if enabled) or fails mount procedure.
Similarly if client attempt to do mount with AUTH_NULL flavor and only
AUTH_UNIX flavor is enabled then the client will receive access error.

This should fix problems with AUTH_NULL-only or AUTH_UNIX-only exports if
client attempts to mount it with other auth flavor (e.g. with AUTH_NULL for
AUTH_UNIX-only export, or with AUTH_UNIX for AUTH_NULL-only export).

Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: NeilBrown <neilb@suse.de>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index c82d8e3e0d4f28a7a6b702310579026559badd1a..0f40003d864f4652561201177bb136f25fe4bdc8 100644 (file)
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -1078,12 +1078,14 @@ static struct svc_export *exp_find(struct cache_detail *cd,
  * check_nfsd_access - check if access to export is allowed.
  * @exp: svc_export that is being accessed.
  * @rqstp: svc_rqst attempting to access @exp (will be NULL for LOCALIO).
+ * @may_bypass_gss: reduce strictness of authorization check
  *
  * Return values:
  *   %nfs_ok if access is granted, or
  *   %nfserr_wrongsec if access is denied
  */
-__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)
+__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
+                        bool may_bypass_gss)
 {
        struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors;
        struct svc_xprt *xprt;
@@ -1140,6 +1142,23 @@ ok:
        if (nfsd4_spo_must_allow(rqstp))
                return nfs_ok;
 
+       /* Some calls may be processed without authentication
+        * on GSS exports. For example NFS2/3 calls on root
+        * directory, see section 2.3.2 of rfc 2623.
+        * For "may_bypass_gss" check that export has really
+        * enabled some flavor with authentication (GSS or any
+        * other) and also check that the used auth flavor is
+        * without authentication (none or sys).
+        */
+       if (may_bypass_gss && (
+            rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL ||
+            rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)) {
+               for (f = exp->ex_flavors; f < end; f++) {
+                       if (f->pseudoflavor >= RPC_AUTH_DES)
+                               return 0;
+               }
+       }
+
 denied:
        return nfserr_wrongsec;
 }

diff --git a/fs/nfsd/export.h b/fs/nfsd/export.h
index 3794ae253a7016dd6257b5711d85c718d56ef78c..4d92b99c1ffdd9d4656c2548fc672b7f58a0ec23 100644 (file)
--- a/fs/nfsd/export.h
+++ b/fs/nfsd/export.h
@@ -101,7 +101,8 @@ struct svc_expkey {
 
 struct svc_cred;
 int nfsexp_flags(struct svc_cred *cred, struct svc_export *exp);
-__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp);
+__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp,
+                        bool may_bypass_gss);
 
 /*
  * Function declarations

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 49b4cbfe914dfb9d635b443ea447366ce8e16376..94cc7b2ac385fceabc8a7c70b2d197cefdd4b5e9 100644 (file)
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -2797,7 +2797,7 @@ nfsd4_proc_compound(struct svc_rqst *rqstp)
 
                        if (current_fh->fh_export &&
                                        need_wrongsec_check(rqstp))
-                               op->status = check_nfsd_access(current_fh->fh_export, rqstp);
+                               op->status = check_nfsd_access(current_fh->fh_export, rqstp, false);
                }
 encode_op:
                if (op->status == nfserr_replay_me) {

diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 37f8301cfb8a628051f322a3137b6a895e0d11f9..5e6ef24d54507e3ca1a3dcc421d30947e95e160d 100644 (file)
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -3767,7 +3767,7 @@ nfsd4_encode_entry4_fattr(struct nfsd4_readdir *cd, const char *name,
                        nfserr = nfserrno(err);
                        goto out_put;
                }
-               nfserr = check_nfsd_access(exp, cd->rd_rqstp);
+               nfserr = check_nfsd_access(exp, cd->rd_rqstp, false);
                if (nfserr)
                        goto out_put;
 

diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index 96e19c50a5d7ee8cd610bec4ecaec617286deea3..cbb046f88eec6483fe4c78688ea6ecd35def7b1e 100644 (file)
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -320,6 +320,7 @@ __fh_verify(struct svc_rqst *rqstp,
 {
        struct nfsd_net *nn = net_generic(net, nfsd_net_id);
        struct svc_export *exp = NULL;
+       bool may_bypass_gss = false;
        struct dentry   *dentry;
        __be32          error;
 
@@ -367,8 +368,10 @@ __fh_verify(struct svc_rqst *rqstp,
         * which clients virtually always use auth_sys for,
         * even while using RPCSEC_GSS for NFS.
         */
-       if (access & NFSD_MAY_LOCK || access & NFSD_MAY_BYPASS_GSS)
+       if (access & NFSD_MAY_LOCK)
                goto skip_pseudoflavor_check;
+       if (access & NFSD_MAY_BYPASS_GSS)
+               may_bypass_gss = true;
        /*
         * Clients may expect to be able to use auth_sys during mount,
         * even if they use gss for everything else; see section 2.3.2
@@ -376,9 +379,9 @@ __fh_verify(struct svc_rqst *rqstp,
         */
        if (access & NFSD_MAY_BYPASS_GSS_ON_ROOT
                        && exp->ex_path.dentry == dentry)
-               goto skip_pseudoflavor_check;
+               may_bypass_gss = true;
 
-       error = check_nfsd_access(exp, rqstp);
+       error = check_nfsd_access(exp, rqstp, may_bypass_gss);
        if (error)
                goto out;
 

diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index e0692401da33e641d4f32c67bdc2aaab72a2010b..1f8540148c4af12ab092d4916cc987c01fc5559b 100644 (file)
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -321,7 +321,7 @@ nfsd_lookup(struct svc_rqst *rqstp, struct svc_fh *fhp, const char *name,
        err = nfsd_lookup_dentry(rqstp, fhp, name, len, &exp, &dentry);
        if (err)
                return err;
-       err = check_nfsd_access(exp, rqstp);
+       err = check_nfsd_access(exp, rqstp, false);
        if (err)
                goto out;
        /*