From patchwork Thu Mar  8 21:26:00 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "J. Bruce Fields" <bfields@fieldses.org>
X-Patchwork-Id: 10269233
Return-Path: <linux-nfs-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	39F29602BD for <patchwork-linux-nfs@patchwork.kernel.org>;
	Thu,  8 Mar 2018 21:26:09 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2907729B71
	for <patchwork-linux-nfs@patchwork.kernel.org>;
	Thu,  8 Mar 2018 21:26:09 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 1D81329B74; Thu,  8 Mar 2018 21:26:09 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id ABDA829B71
	for <patchwork-linux-nfs@patchwork.kernel.org>;
	Thu,  8 Mar 2018 21:26:08 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1750993AbeCHV0E (ORCPT
	<rfc822;patchwork-linux-nfs@patchwork.kernel.org>);
	Thu, 8 Mar 2018 16:26:04 -0500
Received: from fieldses.org ([173.255.197.46]:44222 "EHLO fieldses.org"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1750885AbeCHV0B (ORCPT <rfc822;linux-nfs@vger.kernel.org>);
	Thu, 8 Mar 2018 16:26:01 -0500
Received: by fieldses.org (Postfix, from userid 2815)
	id 959E6254F; Thu,  8 Mar 2018 16:26:00 -0500 (EST)
Date: Thu, 8 Mar 2018 16:26:00 -0500
From: "J. Bruce Fields" <bfields@fieldses.org>
To: Chuck Lever <chucklever@gmail.com>
Cc: Guillem Jover <gjover@sipwise.com>,
	libtirpc List <libtirpc-devel@lists.sourceforge.net>,
	Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] Do not bind to reserved ports registered in
	/etc/services
Message-ID: <20180308212600.GB16485@fieldses.org>
References: <20180110004920.11100-1-gjover@sipwise.com>
	<e18f29cd-639d-be9d-ee93-80df592468db@RedHat.com>
	<20180112184151.GA10261@thunder.hadrons.org>
	<9a53753a-56bf-12b5-f328-ff1f3a72249d@talpey.com>
	<CAFMMQGv03UmmsyXF4BOrwgW9ngpeO=dLjv=Qt=YiPpvgxfo85A@mail.gmail.com>
	<D9BFFDFE-B80F-4220-9A54-F09F882BD0A1@gmail.com>
	<CAFMMQGtt_u19RoCyQAQEaSZRXu3WQ-YSKu4u1BtKtJnaTQbKYw@mail.gmail.com>
	<20180308202423.GA16485@fieldses.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20180308202423.GA16485@fieldses.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-nfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

On Thu, Mar 08, 2018 at 03:24:23PM -0500, bfields wrote:
> Looks like knfsd's not helpful here, though: the export option
> ("secure"/"insecure") defaults to "secure", which always requires a low
> port.  It should be easy to modify "secure" to mean "require low ports
> only for auth_sys/auth_null", and that's probably the right thing to do.

Disclaimer: totally untested.

--b.

commit ddc2a5f5ce98
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Thu Mar 8 15:49:48 2018 -0500

    nfsd: don't require low ports for gss requests
    
    In a traditional NFS deployment using auth_unix, the clients are trusted
    to correctly report the credentials of their logged-in users.  The
    server assumes that only root on client machines is allowed to send
    requests from low-numbered ports, so it can use the originating port
    number to distinguish "real" NFS clients from NFS clients run by
    ordinary users, to prevent ordinary users from spoofing credentials.
    
    The originating port number on a gss-authenticated request is less
    important.  The authentication ties the request to a user, and we take
    it as proof that that user authorized the request.  The low port number
    check no longer adds much.
    
    So, don't enforce low port numbers in the auth_gss case.
    
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
---
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c
index 8aa011820c4a..764e6cae6533 100644
--- a/fs/nfsd/nfsfh.c
+++ b/fs/nfsd/nfsfh.c
@@ -87,13 +87,23 @@ nfsd_mode_check(struct svc_rqst *rqstp, struct dentry *dentry,
 	return nfserr_inval;
 }
 
+static bool nfsd_originating_port_ok(struct svc_rqst *rqstp, int flags)
+{
+	if (flags & NFSEXP_INSECURE_PORT)
+		return true;
+	/* We don't require gss requests to use low ports: */
+	if (rqstp->rq_cred.cr_flavor >= RPC_AUTH_GSS)
+		return true;
+	return test_bit(RQ_SECURE, &rqstp->rq_flags);
+}
+
 static __be32 nfsd_setuser_and_check_port(struct svc_rqst *rqstp,
 					  struct svc_export *exp)
 {
 	int flags = nfsexp_flags(rqstp, exp);
 
 	/* Check if the request originated from a secure port. */
-	if (!test_bit(RQ_SECURE, &rqstp->rq_flags) && !(flags & NFSEXP_INSECURE_PORT)) {
+	if (!nfsd_originating_port_ok(rqstp, flags)) {
 		RPC_IFDEBUG(char buf[RPC_MAX_ADDRBUFLEN]);
 		dprintk("nfsd: request from insecure port %s!\n",
 		        svc_print_addr(rqstp, buf, sizeof(buf)));