All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 1/2] mountd: allow high ports on all pseudofs exports
@ 2020-12-02 22:56 J. Bruce Fields
  2020-12-02 22:56 ` [PATCH 2/2] mountd: always root squash on the pseudofs J. Bruce Fields
  2020-12-02 23:03 ` [PATCH 1/2] mountd: allow high ports on all pseudofs exports J. Bruce Fields
  0 siblings, 2 replies; 8+ messages in thread
From: J. Bruce Fields @ 2020-12-02 22:56 UTC (permalink / raw)
  To: Steve Dickson; +Cc: linux-nfs, J. Bruce Fields

From: "J. Bruce Fields" <bfields@redhat.com>

We originally tried to grant permissions on the v4 pseudoroot filesystem
that were the absolute minimum required for a client to reach a given
export.  This turns out to be complicated, and we've never gotten it
quite right.  Also, the tradition from the MNT protocol was to allow
anyone to browse the list of exports.

So, do as we already did with security flavors and just allow clients
from high ports to access the whole pseudofilesystem.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
---
 utils/mountd/v4root.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
index a9ea167a07e0..2ac4e87898c0 100644
--- a/utils/mountd/v4root.c
+++ b/utils/mountd/v4root.c
@@ -36,7 +36,7 @@ static nfs_export pseudo_root = {
 		.e_path = "/",
 		.e_flags = NFSEXP_READONLY | NFSEXP_ROOTSQUASH
 				| NFSEXP_NOSUBTREECHECK | NFSEXP_FSID
-				| NFSEXP_V4ROOT,
+				| NFSEXP_V4ROOT | NFSEXP_INSECURE_PORT,
 		.e_anonuid = 65534,
 		.e_anongid = 65534,
 		.e_squids = NULL,
@@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo, int flags)
 	struct flav_info *flav;
 	int i;
 
-	if (flags & NFSEXP_INSECURE_PORT)
-		pseudo->e_flags |= NFSEXP_INSECURE_PORT;
 	if ((flags & NFSEXP_ROOTSQUASH) == 0)
 		pseudo->e_flags &= ~NFSEXP_ROOTSQUASH;
 	for (flav = flav_map; flav < flav_map + flav_map_size; flav++) {
@@ -70,8 +68,7 @@ set_pseudofs_security(struct exportent *pseudo, int flags)
 		i = secinfo_addflavor(flav, pseudo);
 		new = &pseudo->e_secinfo[i];
 
-		if (flags & NFSEXP_INSECURE_PORT)
-			new->flags |= NFSEXP_INSECURE_PORT;
+		new->flags |= NFSEXP_INSECURE_PORT;
 	}
 }
 
-- 
2.28.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [PATCH 2/2] mountd: always root squash on the pseudofs
  2020-12-02 22:56 [PATCH 1/2] mountd: allow high ports on all pseudofs exports J. Bruce Fields
@ 2020-12-02 22:56 ` J. Bruce Fields
  2020-12-03  0:54   ` Trond Myklebust
  2020-12-02 23:03 ` [PATCH 1/2] mountd: allow high ports on all pseudofs exports J. Bruce Fields
  1 sibling, 1 reply; 8+ messages in thread
From: J. Bruce Fields @ 2020-12-02 22:56 UTC (permalink / raw)
  To: Steve Dickson; +Cc: linux-nfs, J. Bruce Fields

From: "J. Bruce Fields" <bfields@redhat.com>

As with security flavors and "secure" ports, we tried to code this so
that pseudofs directories would inherit root squashing from their
children, but it doesn't really work as coded and I'm not sure it's
useful.

Just root squash always.  If it turns out somebody's exporting
directories that are only readable by root, I guess we can try to do
something else here, but frankly that sounds like a pretty weird
configuration.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
---
 utils/mountd/v4root.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
index 2ac4e87898c0..36543401f296 100644
--- a/utils/mountd/v4root.c
+++ b/utils/mountd/v4root.c
@@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo, int flags)
 	struct flav_info *flav;
 	int i;
 
-	if ((flags & NFSEXP_ROOTSQUASH) == 0)
-		pseudo->e_flags &= ~NFSEXP_ROOTSQUASH;
 	for (flav = flav_map; flav < flav_map + flav_map_size; flav++) {
 		struct sec_entry *new;
 
-- 
2.28.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH 1/2] mountd: allow high ports on all pseudofs exports
  2020-12-02 22:56 [PATCH 1/2] mountd: allow high ports on all pseudofs exports J. Bruce Fields
  2020-12-02 22:56 ` [PATCH 2/2] mountd: always root squash on the pseudofs J. Bruce Fields
@ 2020-12-02 23:03 ` J. Bruce Fields
  1 sibling, 0 replies; 8+ messages in thread
From: J. Bruce Fields @ 2020-12-02 23:03 UTC (permalink / raw)
  To: Steve Dickson; +Cc: linux-nfs, J. Bruce Fields

On Wed, Dec 02, 2020 at 05:56:43PM -0500, J. Bruce Fields wrote:
> From: "J. Bruce Fields" <bfields@redhat.com>
> 
> We originally tried to grant permissions on the v4 pseudoroot filesystem
> that were the absolute minimum required for a client to reach a given
> export.  This turns out to be complicated, and we've never gotten it
> quite right.  Also, the tradition from the MNT protocol was to allow
> anyone to browse the list of exports.
> 
> So, do as we already did with security flavors and just allow clients
> from high ports to access the whole pseudofilesystem.

Oh, except then we may as well also remove this "flags" parameter.

--b.

diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
index 36543401f296..f6eb126660f3 100644
--- a/utils/mountd/v4root.c
+++ b/utils/mountd/v4root.c
@@ -55,7 +55,7 @@ static nfs_export pseudo_root = {
 };
 
 static void
-set_pseudofs_security(struct exportent *pseudo, int flags)
+set_pseudofs_security(struct exportent *pseudo)
 {
 	struct flav_info *flav;
 	int i;
@@ -85,7 +85,7 @@ v4root_create(char *path, nfs_export *export)
 	strncpy(eep.e_path, path, sizeof(eep.e_path)-1);
 	if (strcmp(path, "/") != 0)
 		eep.e_flags &= ~NFSEXP_FSID;
-	set_pseudofs_security(&eep, curexp->e_flags);
+	set_pseudofs_security(&eep);
 	exp = export_create(&eep, 0);
 	if (exp == NULL)
 		return NULL;
@@ -133,7 +133,7 @@ pseudofs_update(char *hostname, char *path, nfs_export *source)
 		return 0;
 	}
 	/* Update an existing V4ROOT export: */
-	set_pseudofs_security(&exp->m_export, source->m_export.e_flags);
+	set_pseudofs_security(&exp->m_export);
 	return 0;
 }
 

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH 2/2] mountd: always root squash on the pseudofs
  2020-12-02 22:56 ` [PATCH 2/2] mountd: always root squash on the pseudofs J. Bruce Fields
@ 2020-12-03  0:54   ` Trond Myklebust
  2020-12-03  1:05     ` J. Bruce Fields
  0 siblings, 1 reply; 8+ messages in thread
From: Trond Myklebust @ 2020-12-03  0:54 UTC (permalink / raw)
  To: bfields, steved; +Cc: linux-nfs, bfields

On Wed, 2020-12-02 at 17:56 -0500, J. Bruce Fields wrote:
> From: "J. Bruce Fields" <bfields@redhat.com>
> 
> As with security flavors and "secure" ports, we tried to code this so
> that pseudofs directories would inherit root squashing from their
> children, but it doesn't really work as coded and I'm not sure it's
> useful.
> 
> Just root squash always.  If it turns out somebody's exporting
> directories that are only readable by root, I guess we can try to do
> something else here, but frankly that sounds like a pretty weird
> configuration.
> 
> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> ---
>  utils/mountd/v4root.c | 2 --
>  1 file changed, 2 deletions(-)
> 
> diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
> index 2ac4e87898c0..36543401f296 100644
> --- a/utils/mountd/v4root.c
> +++ b/utils/mountd/v4root.c
> @@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo, int
> flags)
>         struct flav_info *flav;
>         int i;
>  
> -       if ((flags & NFSEXP_ROOTSQUASH) == 0)
> -               pseudo->e_flags &= ~NFSEXP_ROOTSQUASH;
>         for (flav = flav_map; flav < flav_map + flav_map_size;
> flav++) {
>                 struct sec_entry *new;
>  

Hmm... What is the harm in allowing root to be unsquashed here? Isn't
this really all about respecting lookup permissions, or could a user
actually modify something in the pseudofs? If the latter, then that
sounds like a bug (the pseudofs should always be read-only).

The consequence of not being able to look up a directory in the
pseudofs is that the NFSv4 client will be completely unable to mount
that subtree, so squashing root could make a major difference.

-- 
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@hammerspace.com



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 2/2] mountd: always root squash on the pseudofs
  2020-12-03  0:54   ` Trond Myklebust
@ 2020-12-03  1:05     ` J. Bruce Fields
  2020-12-03  1:14       ` [PATCH 1/2] mountd: allow high ports on all pseudofs exports bfields
  0 siblings, 1 reply; 8+ messages in thread
From: J. Bruce Fields @ 2020-12-03  1:05 UTC (permalink / raw)
  To: Trond Myklebust; +Cc: bfields, steved, linux-nfs

On Thu, Dec 03, 2020 at 12:54:53AM +0000, Trond Myklebust wrote:
> On Wed, 2020-12-02 at 17:56 -0500, J. Bruce Fields wrote:
> > From: "J. Bruce Fields" <bfields@redhat.com>
> > 
> > As with security flavors and "secure" ports, we tried to code this so
> > that pseudofs directories would inherit root squashing from their
> > children, but it doesn't really work as coded and I'm not sure it's
> > useful.
> > 
> > Just root squash always.  If it turns out somebody's exporting
> > directories that are only readable by root, I guess we can try to do
> > something else here, but frankly that sounds like a pretty weird
> > configuration.
> > 
> > Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> > ---
> >  utils/mountd/v4root.c | 2 --
> >  1 file changed, 2 deletions(-)
> > 
> > diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
> > index 2ac4e87898c0..36543401f296 100644
> > --- a/utils/mountd/v4root.c
> > +++ b/utils/mountd/v4root.c
> > @@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo, int
> > flags)
> >         struct flav_info *flav;
> >         int i;
> >  
> > -       if ((flags & NFSEXP_ROOTSQUASH) == 0)
> > -               pseudo->e_flags &= ~NFSEXP_ROOTSQUASH;
> >         for (flav = flav_map; flav < flav_map + flav_map_size;
> > flav++) {
> >                 struct sec_entry *new;
> >  
> 
> Hmm... What is the harm in allowing root to be unsquashed here? Isn't
> this really all about respecting lookup permissions, or could a user
> actually modify something in the pseudofs? If the latter, then that
> sounds like a bug (the pseudofs should always be read-only).

Yeah, it should only be read-only.

> The consequence of not being able to look up a directory in the
> pseudofs is that the NFSv4 client will be completely unable to mount
> that subtree, so squashing root could make a major difference.

Fair enough, I'll resend.

--b.


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 1/2] mountd: allow high ports on all pseudofs exports
  2020-12-03  1:05     ` J. Bruce Fields
@ 2020-12-03  1:14       ` bfields
  2020-12-03  1:14         ` [PATCH 2/2] mountd: never root squash on the pseudofs bfields
  0 siblings, 1 reply; 8+ messages in thread
From: bfields @ 2020-12-03  1:14 UTC (permalink / raw)
  To: Steve Dickson; +Cc: linux-nfs, Trond Myklebust, J. Bruce Fields

From: "J. Bruce Fields" <bfields@redhat.com>

We originally tried to grant permissions on the v4 pseudoroot filesystem
that were the absolute minimum required for a client to reach a given
export.  This turns out to be complicated, and we've never gotten it
quite right.  Also, the tradition from the MNT protocol was to allow
anyone to browse the list of exports.

So, do as we already did with security flavors and just allow clients
from high ports to access the whole pseudofilesystem.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
---
 utils/mountd/v4root.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
index a9ea167a07e0..39dd87a94e59 100644
--- a/utils/mountd/v4root.c
+++ b/utils/mountd/v4root.c
@@ -36,7 +36,7 @@ static nfs_export pseudo_root = {
 		.e_path = "/",
 		.e_flags = NFSEXP_READONLY | NFSEXP_ROOTSQUASH
 				| NFSEXP_NOSUBTREECHECK | NFSEXP_FSID
-				| NFSEXP_V4ROOT,
+				| NFSEXP_V4ROOT | NFSEXP_INSECURE_PORT,
 		.e_anonuid = 65534,
 		.e_anongid = 65534,
 		.e_squids = NULL,
@@ -55,13 +55,11 @@ static nfs_export pseudo_root = {
 };
 
 static void
-set_pseudofs_security(struct exportent *pseudo, int flags)
+set_pseudofs_security(struct exportent *pseudo)
 {
 	struct flav_info *flav;
 	int i;
 
-	if (flags & NFSEXP_INSECURE_PORT)
-		pseudo->e_flags |= NFSEXP_INSECURE_PORT;
 	if ((flags & NFSEXP_ROOTSQUASH) == 0)
 		pseudo->e_flags &= ~NFSEXP_ROOTSQUASH;
 	for (flav = flav_map; flav < flav_map + flav_map_size; flav++) {
@@ -70,8 +68,7 @@ set_pseudofs_security(struct exportent *pseudo, int flags)
 		i = secinfo_addflavor(flav, pseudo);
 		new = &pseudo->e_secinfo[i];
 
-		if (flags & NFSEXP_INSECURE_PORT)
-			new->flags |= NFSEXP_INSECURE_PORT;
+		new->flags |= NFSEXP_INSECURE_PORT;
 	}
 }
 
@@ -90,7 +87,7 @@ v4root_create(char *path, nfs_export *export)
 	strncpy(eep.e_path, path, sizeof(eep.e_path)-1);
 	if (strcmp(path, "/") != 0)
 		eep.e_flags &= ~NFSEXP_FSID;
-	set_pseudofs_security(&eep, curexp->e_flags);
+	set_pseudofs_security(&eep);
 	exp = export_create(&eep, 0);
 	if (exp == NULL)
 		return NULL;
@@ -138,7 +135,7 @@ pseudofs_update(char *hostname, char *path, nfs_export *source)
 		return 0;
 	}
 	/* Update an existing V4ROOT export: */
-	set_pseudofs_security(&exp->m_export, source->m_export.e_flags);
+	set_pseudofs_security(&exp->m_export);
 	return 0;
 }
 
-- 
2.28.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* [PATCH 2/2] mountd: never root squash on the pseudofs
  2020-12-03  1:14       ` [PATCH 1/2] mountd: allow high ports on all pseudofs exports bfields
@ 2020-12-03  1:14         ` bfields
  2020-12-26 19:32           ` Steve Dickson
  0 siblings, 1 reply; 8+ messages in thread
From: bfields @ 2020-12-03  1:14 UTC (permalink / raw)
  To: Steve Dickson; +Cc: linux-nfs, Trond Myklebust, J. Bruce Fields

From: "J. Bruce Fields" <bfields@redhat.com>

As with security flavors and "secure" ports, we tried to code this so
that pseudofs directories would inherit root squashing from their
children, but it doesn't really work as coded and I'm not sure it's
useful.

Let's just not root squash.  The risk is pretty low since the pseudofs
is readonly, and we'd rather not risk failing a mount unnecessarily.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
---
 utils/mountd/v4root.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
index 39dd87a94e59..c42ba72380ea 100644
--- a/utils/mountd/v4root.c
+++ b/utils/mountd/v4root.c
@@ -34,7 +34,7 @@ static nfs_export pseudo_root = {
 	.m_export = {
 		.e_hostname = "*",
 		.e_path = "/",
-		.e_flags = NFSEXP_READONLY | NFSEXP_ROOTSQUASH
+		.e_flags = NFSEXP_READONLY
 				| NFSEXP_NOSUBTREECHECK | NFSEXP_FSID
 				| NFSEXP_V4ROOT | NFSEXP_INSECURE_PORT,
 		.e_anonuid = 65534,
@@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo)
 	struct flav_info *flav;
 	int i;
 
-	if ((flags & NFSEXP_ROOTSQUASH) == 0)
-		pseudo->e_flags &= ~NFSEXP_ROOTSQUASH;
 	for (flav = flav_map; flav < flav_map + flav_map_size; flav++) {
 		struct sec_entry *new;
 
-- 
2.28.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH 2/2] mountd: never root squash on the pseudofs
  2020-12-03  1:14         ` [PATCH 2/2] mountd: never root squash on the pseudofs bfields
@ 2020-12-26 19:32           ` Steve Dickson
  0 siblings, 0 replies; 8+ messages in thread
From: Steve Dickson @ 2020-12-26 19:32 UTC (permalink / raw)
  To: bfields; +Cc: linux-nfs, Trond Myklebust, J. Bruce Fields



On 12/2/20 8:14 PM, bfields@fieldses.org wrote:
> From: "J. Bruce Fields" <bfields@redhat.com>
> 
> As with security flavors and "secure" ports, we tried to code this so
> that pseudofs directories would inherit root squashing from their
> children, but it doesn't really work as coded and I'm not sure it's
> useful.
> 
> Let's just not root squash.  The risk is pretty low since the pseudofs
> is readonly, and we'd rather not risk failing a mount unnecessarily.
> 
> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
My apologies for taking so long to get to this... I lost it in the weeds ;-)

Both patches Committed!

steved. 
> ---
>  utils/mountd/v4root.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
> index 39dd87a94e59..c42ba72380ea 100644
> --- a/utils/mountd/v4root.c
> +++ b/utils/mountd/v4root.c
> @@ -34,7 +34,7 @@ static nfs_export pseudo_root = {
>  	.m_export = {
>  		.e_hostname = "*",
>  		.e_path = "/",
> -		.e_flags = NFSEXP_READONLY | NFSEXP_ROOTSQUASH
> +		.e_flags = NFSEXP_READONLY
>  				| NFSEXP_NOSUBTREECHECK | NFSEXP_FSID
>  				| NFSEXP_V4ROOT | NFSEXP_INSECURE_PORT,
>  		.e_anonuid = 65534,
> @@ -60,8 +60,6 @@ set_pseudofs_security(struct exportent *pseudo)
>  	struct flav_info *flav;
>  	int i;
>  
> -	if ((flags & NFSEXP_ROOTSQUASH) == 0)
> -		pseudo->e_flags &= ~NFSEXP_ROOTSQUASH;
>  	for (flav = flav_map; flav < flav_map + flav_map_size; flav++) {
>  		struct sec_entry *new;
>  
> 


^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2020-12-26 19:33 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-02 22:56 [PATCH 1/2] mountd: allow high ports on all pseudofs exports J. Bruce Fields
2020-12-02 22:56 ` [PATCH 2/2] mountd: always root squash on the pseudofs J. Bruce Fields
2020-12-03  0:54   ` Trond Myklebust
2020-12-03  1:05     ` J. Bruce Fields
2020-12-03  1:14       ` [PATCH 1/2] mountd: allow high ports on all pseudofs exports bfields
2020-12-03  1:14         ` [PATCH 2/2] mountd: never root squash on the pseudofs bfields
2020-12-26 19:32           ` Steve Dickson
2020-12-02 23:03 ` [PATCH 1/2] mountd: allow high ports on all pseudofs exports J. Bruce Fields

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.