From: NeilBrown <neilb@suse.de>
To: Steve Dickson <SteveD@RedHat.com>
Cc: Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: [PATCH 1/5] mountd: reject unknown client IP when !use_ipaddr.
Date: Thu, 25 Feb 2021 13:42:47 +1100
Message-ID: <161422096786.28256.16255172827545591674.stgit@noble>
In-Reply-To: <161422077024.28256.15543036625096419495.stgit@noble>
From: NeilBrown <neil@brown.name>
When use_ipaddr is not in effect, an auth_unix_ip lookup request from
the kernel for an unknown client will be rejected.
When it IS in effect, these requests are always granted with the IP
address being mapped to a string form of the address, preceded by a '$'.
This is inconsistent behaviour and could present a small information
leak.
It means that, for example, a SETCLIENT NFSv4 request may or may not
succeed depending on an internal setting in rpc.mountd.
This is easily rectified by always checking if the client is known.
Signed-off-by: NeilBrown <neil@brown.name>
---
support/export/cache.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/support/export/cache.c b/support/export/cache.c
index f1569afb558c..156ebfd4087c 100644
--- a/support/export/cache.c
+++ b/support/export/cache.c
@@ -114,6 +114,7 @@ static void auth_unix_ip(int f)
char class[20];
char ipaddr[INET6_ADDRSTRLEN + 1];
char *client = NULL;
+ struct addrinfo *ai = NULL;
struct addrinfo *tmp = NULL;
char buf[RPC_CHAN_BUF_SIZE], *bp;
int blen;
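Review bot: hoisting `ai` to function scope is the right change now that it is used outside the old `!use_ipaddr` block; the `= NULL` initializer is redundant because the only use in this patch assigns it from `client_resolve()` before it is read, but it is harmless and matches the style of `tmp` on the next line.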
@@ -139,21 +140,17 @@ static void auth_unix_ip(int f)
auth_reload();
- /* addr is a valid, interesting address, find the domain name... */
- if (!use_ipaddr) {
- struct addrinfo *ai = NULL;
-
- ai = client_resolve(tmp->ai_addr);
- if (ai) {
- client = client_compose(ai);
- nfs_freeaddrinfo(ai);
- }
+ /* addr is a valid address, find the domain name... */
+ ai = client_resolve(tmp->ai_addr);
+ if (ai) {
+ client = client_compose(ai);
+ nfs_freeaddrinfo(ai);
}
bp = buf; blen = sizeof(buf);
qword_add(&bp, &blen, "nfsd");
qword_add(&bp, &blen, ipaddr);
qword_adduint(&bp, &blen, time(0) + DEFAULT_TTL);
- if (use_ipaddr) {
+ if (use_ipaddr && client) {
memmove(ipaddr + 1, ipaddr, strlen(ipaddr) + 1);
ipaddr[0] = '$';
qword_add(&bp, &blen, ipaddr);
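Review bot: with `if (use_ipaddr && client)` the `'$'`-prefixed address is now only emitted when `client_resolve()` succeeded, so an unknown client gets the same negative cache entry in both modes, which is what the commit message asks for; one thing to confirm is that the string returned by `client_compose()` is still released on the `use_ipaddr` path, since it is now allocated there too and the free is not in this hunk. The comment change from "valid, interesting address" to "valid address" is fine, but a one-line note above `ai = client_resolve(tmp->ai_addr);` saying that the lookup is deliberately unconditional would stop a future reader from re-adding the `!use_ipaddr` guard.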
2021-02-25 2:42 [PATCH 0/5] nfs-utils: provide audit-logging of NFSv4 access NeilBrown
2021-02-25 2:42 ` [PATCH 5/5] mountd: make default ttl settable by option NeilBrown
2021-02-25 2:42 ` [PATCH 3/5] mountd: add logging for authentication results for accesses NeilBrown
2021-02-25 2:42 ` [PATCH 2/5] mountd: Don't proactively add export info when fh info is requested NeilBrown
2021-02-25 2:42 ` NeilBrown [this message]
2021-02-25 2:42 ` [PATCH 4/5] mountd: add --cache-use-ipaddr option to force use_ipaddr NeilBrown
2021-03-02 20:41 ` [PATCH 0/5] nfs-utils: provide audit-logging of NFSv4 access Steve Dickson
2021-03-03 22:28 ` NeilBrown
2021-03-04 13:24 ` Steve Dickson
2021-03-01 2:17 [PATCH 0/5 v2] " NeilBrown
2021-03-01 2:17 ` [PATCH 1/5] mountd: reject unknown client IP when !use_ipaddr NeilBrown