
[1/2] mountd: allow high ports on all pseudofs exports

Message ID 1606949804-31417-1-git-send-email-bfields@fieldses.org (mailing list archive)
State New, archived

Commit Message

J. Bruce Fields Dec. 2, 2020, 10:56 p.m. UTC
From: "J. Bruce Fields" <bfields@redhat.com>

We originally tried to grant permissions on the v4 pseudoroot filesystem
that were the absolute minimum required for a client to reach a given
export.  This turns out to be complicated, and we've never gotten it
quite right.  Also, the tradition from the MNT protocol was to allow
anyone to browse the list of exports.

So, do as we already did with security flavors and just allow clients
from high ports to access the whole pseudofilesystem.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
---
 utils/mountd/v4root.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

Comments

J. Bruce Fields Dec. 2, 2020, 11:03 p.m. UTC | #1
On Wed, Dec 02, 2020 at 05:56:43PM -0500, J. Bruce Fields wrote:
> From: "J. Bruce Fields" <bfields@redhat.com>
> 
> We originally tried to grant permissions on the v4 pseudoroot filesystem
> that were the absolute minimum required for a client to reach a given
> export.  This turns out to be complicated, and we've never gotten it
> quite right.  Also, the tradition from the MNT protocol was to allow
> anyone to browse the list of exports.
> 
> So, do as we already did with security flavors and just allow clients
> from high ports to access the whole pseudofilesystem.

Oh, except then we may as well also remove this "flags" parameter.

--b.

diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
index 36543401f296..f6eb126660f3 100644
--- a/utils/mountd/v4root.c
+++ b/utils/mountd/v4root.c
@@ -55,7 +55,7 @@ static nfs_export pseudo_root = {
 };
 
 static void
-set_pseudofs_security(struct exportent *pseudo, int flags)
+set_pseudofs_security(struct exportent *pseudo)
 {
 	struct flav_info *flav;
 	int i;
@@ -85,7 +85,7 @@ v4root_create(char *path, nfs_export *export)
 	strncpy(eep.e_path, path, sizeof(eep.e_path)-1);
 	if (strcmp(path, "/") != 0)
 		eep.e_flags &= ~NFSEXP_FSID;
-	set_pseudofs_security(&eep, curexp->e_flags);
+	set_pseudofs_security(&eep);
 	exp = export_create(&eep, 0);
 	if (exp == NULL)
 		return NULL;
@@ -133,7 +133,7 @@ pseudofs_update(char *hostname, char *path, nfs_export *source)
 		return 0;
 	}
 	/* Update an existing V4ROOT export: */
-	set_pseudofs_security(&exp->m_export, source->m_export.e_flags);
+	set_pseudofs_security(&exp->m_export);
 	return 0;
 }

Patch

diff --git a/utils/mountd/v4root.c b/utils/mountd/v4root.c
index a9ea167a07e0..2ac4e87898c0 100644
--- a/utils/mountd/v4root.c
+++ b/utils/mountd/v4root.c
@@ -36,7 +36,7 @@  static nfs_export pseudo_root = {
 		.e_path = "/",
 		.e_flags = NFSEXP_READONLY | NFSEXP_ROOTSQUASH
 				| NFSEXP_NOSUBTREECHECK | NFSEXP_FSID
-				| NFSEXP_V4ROOT,
+				| NFSEXP_V4ROOT | NFSEXP_INSECURE_PORT,
 		.e_anonuid = 65534,
 		.e_anongid = 65534,
 		.e_squids = NULL,
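Review bot: The `NFSEXP_INSECURE_PORT` added to the `pseudo_root` template's `.e_flags` carries no comment, so a later reader sees a port-relaxing flag on a default export with no rationale beside it. A line above the initializer would help, for example `/* pseudofs is read-only and only exposes the path to real exports, so unprivileged source ports are always accepted here */`. Because this makes the `secure` export option ineffective for the pseudo-filesystem whatever the real exports specify, the change probably also belongs in exports(5), so administrators who rely on privileged-port filtering know the directories above their exports become browsable from any port. The initializer starts and ends outside this hunk.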
@@ -60,8 +60,6 @@  set_pseudofs_security(struct exportent *pseudo, int flags)
 	struct flav_info *flav;
 	int i;
 
-	if (flags & NFSEXP_INSECURE_PORT)
-		pseudo->e_flags |= NFSEXP_INSECURE_PORT;
 	if ((flags & NFSEXP_ROOTSQUASH) == 0)
 		pseudo->e_flags &= ~NFSEXP_ROOTSQUASH;
 	for (flav = flav_map; flav < flav_map + flav_map_size; flav++) {
@@ -70,8 +68,7 @@  set_pseudofs_security(struct exportent *pseudo, int flags)
 		i = secinfo_addflavor(flav, pseudo);
 		new = &pseudo->e_secinfo[i];
 
-		if (flags & NFSEXP_INSECURE_PORT)
-			new->flags |= NFSEXP_INSECURE_PORT;
+		new->flags |= NFSEXP_INSECURE_PORT;
 	}
 }
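Review bot: The store `new->flags |= NFSEXP_INSECURE_PORT;` now runs on every loop iteration, but the index `i` returned by `secinfo_addflavor()` is used in `&pseudo->e_secinfo[i]` without being checked. If that helper can report failure with a negative value (its definition is not on this page), the write lands outside `e_secinfo`, and this change removes the only condition that used to gate it. A guard such as `if (i < 0) continue;` right after the call would keep the unconditional flag update safe. The loop and the function begin outside this hunk.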