diff mbox

nfsd: allow secinfo to bypass gss checks

Message ID 20110630184704.GD18713@fieldses.org (mailing list archive)
State New, archived
Headers show

Commit Message

J. Bruce Fields June 30, 2011, 6:47 p.m. UTC 
Also planning to queue this up for 3.1....  Objections?

commit ea53eb9a87848610f1a2465881d8ef6ab6c62c59
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Wed Jun 29 18:33:11 2011 -0400

    nfsd: allow secinfo to bypass gss checks
    
    PUTFH+SECINFO should succeed and return a security list even when using
    an authentication flavor not permitted on the given filehandle.
    
    There's the risk of a small information leak here: as part of the
    SECINFO, we have to do a lookup.  If that lookup fails, we return the
    error from that lookup instead of a secinfo list.  That allows an
    unprivileged user to answer the question "does a file named $x exist in
    directory $d" by guessing a filehandle for $d and then sending a secinfo
    request for $x and seeing whether or not they get NFS4ERR_NOENT.
    
    To avoid that, we return secinfo for the parent in the NOENT case.
    
    Reported-by: Olga Kornievskaia <aglo@citi.umich.edu>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
index 96b6929..4f9c90b 100644
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -762,19 +762,34 @@  nfsd4_secinfo(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
 	__be32 err;
 
 	fh_init(&resfh, NFS4_FHSIZE);
-	err = fh_verify(rqstp, &cstate->current_fh, S_IFDIR, NFSD_MAY_EXEC);
+	err = fh_verify(rqstp, &cstate->current_fh, S_IFDIR,
+					NFSD_MAY_EXEC|NFSD_MAY_BYPASS_GSS);
 	if (err)
 		return err;
+	/*
+	 * XXX: arguably we should do this with elevated privileges, to
+	 * ensure consistent results regardless of the cred used by the
+	 * client:
+	 */
 	err = nfsd_lookup_dentry(rqstp, &cstate->current_fh,
 				    secinfo->si_name, secinfo->si_namelen,
 				    &exp, &dentry);
 	if (err)
 		return err;
 	if (dentry->d_inode == NULL) {
+		/*
+		 * An nfserr_noent return would tell the rpc caller
+		 * (who may be unprivileged) that a file by that name
+		 * does not exist in this directory.  That may be
+		 * information we don't want to give out.  So return
+		 * secinfo list for the parent in that case instead of
+		 * failing here.
+		 */
 		exp_put(exp);
-		err = nfserr_noent;
-	} else
-		secinfo->si_exp = exp;
+		exp = cstate->current_fh.fh_export;
+		exp_get(exp);
+	}
+	secinfo->si_exp = exp;
 	dput(dentry);
 	if (cstate->minorversion)
 		/* See rfc 5661 section 2.6.3.1.1.8 */