Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1269bc69 authored by J. Bruce Fields's avatar J. Bruce Fields Committed by Linus Torvalds
Browse files

knfsd: nfsd: enforce per-flavor id squashing 



Allow root squashing to vary per-pseudoflavor, so that you can (for example)
allow root access only when sufficiently strong security is in use.

Signed-off-by: default avatar"J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: default avatarNeil Brown <neilb@suse.de>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 9091224f

fs/nfsd/auth.c

+16 −2
Original line number Diff line number Diff line
@@ -12,17 +12,31 @@ 


#define	CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE))



static int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp)

{

	struct exp_flavor_info *f;

	struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors;



	for (f = exp->ex_flavors; f < end; f++) {

		if (f->pseudoflavor == rqstp->rq_flavor)

			return f->flags;

	}

	return exp->ex_flags;



}



int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)

{

	struct svc_cred	cred = rqstp->rq_cred;

	int i;

	int flags = nfsexp_flags(rqstp, exp);

	int ret;



	if (exp->ex_flags & NFSEXP_ALLSQUASH) {

	if (flags & NFSEXP_ALLSQUASH) {

		cred.cr_uid = exp->ex_anon_uid;

		cred.cr_gid = exp->ex_anon_gid;

		cred.cr_group_info = groups_alloc(0);

	} else if (exp->ex_flags & NFSEXP_ROOTSQUASH) {

	} else if (flags & NFSEXP_ROOTSQUASH) {

		struct group_info *gi;

		if (!cred.cr_uid)

			cred.cr_uid = exp->ex_anon_uid;

include/linux/nfsd/export.h

+2 −1
Original line number Diff line number Diff line
@@ -43,7 +43,8 @@ 
#define NFSEXP_ALLFLAGS		0xFE3F



/* The flags that may vary depending on security flavor: */

#define NFSEXP_SECINFO_FLAGS	0

#define NFSEXP_SECINFO_FLAGS	(NFSEXP_READONLY | NFSEXP_ROOTSQUASH \

					| NFSEXP_ALLSQUASH)



#ifdef __KERNEL__