| Message ID | 20240912221917.23802-1-pali@kernel.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | nfsd: Fix NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT | expand |
On Fri, 13 Sep 2024, Pali Rohár wrote: > Currently NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT do not bypass > only GSS, but bypass any authentication method. This is problem specially > for NFS3 AUTH_NULL-only exports. > > The purpose of NFSD_MAY_BYPASS_GSS_ON_ROOT is described in RFC 2623, > section 2.3.2, to allow mounting NFS2/3 GSS-only export without > authentication. So few procedures which do not expose security risk used > during mount time can be called also with AUTH_NONE or AUTH_SYS, to allow > client mount operation to finish successfully. > > The problem with current implementation is that for AUTH_NULL-only exports, > the NFSD_MAY_BYPASS_GSS_ON_ROOT is active also for NFS3 AUTH_UNIX mount > attempts which confuse NFS3 clients, and make them think that AUTH_UNIX is > enabled and is working. Linux NFS3 client never switches from AUTH_UNIX to > AUTH_NONE on active mount, which makes the mount inaccessible. > > Fix the NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT implementation > and really allow to bypass only exports which have some GSS auth flavor > enabled. > > The result would be: For AUTH_NULL-only export if client attempts to do > mount with AUTH_UNIX flavor then it will receive access errors, which > instruct client that AUTH_UNIX flavor is not usable and will either try > other auth flavor (AUTH_NULL if enabled) or fails mount procedure. > > This should fix problems with AUTH_NULL-only or AUTH_UNIX-only exports if > client attempts to mount it with other auth flavor (e.g. with AUTH_NULL for > AUTH_UNIX-only export, or with AUTH_UNIX for AUTH_NULL-only export). The MAY_BYPASS_GSS flag currently also bypasses TLS restrictions. With your change it doesn't. I don't think we want to make that change. I think that what you want to do makes sense. Higher security can be downgraded to AUTH_UNIX, but AUTH_NULL mustn't be upgraded to to AUTH_UNIX. Maybe that needs to be explicit in the code. The bypass is ONLY allowed for AUTH_UNIX and only if something other than AUTH_NULL is allowed. Thanks, NeilBrown > > Signed-off-by: Pali Rohár <pali@kernel.org> > --- > fs/nfsd/export.c | 19 ++++++++++++++++++- > fs/nfsd/export.h | 2 +- > fs/nfsd/nfs4proc.c | 2 +- > fs/nfsd/nfs4xdr.c | 2 +- > fs/nfsd/nfsfh.c | 12 +++++++++--- > fs/nfsd/vfs.c | 2 +- > 6 files changed, 31 insertions(+), 8 deletions(-) > > diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c > index 50b3135d07ac..eb11d3fdffe1 100644 > --- a/fs/nfsd/export.c > +++ b/fs/nfsd/export.c > @@ -1074,7 +1074,7 @@ static struct svc_export *exp_find(struct cache_detail *cd, > return exp; > } > > -__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) > +__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, bool may_bypass_gss) > { > struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; > struct svc_xprt *xprt = rqstp->rq_xprt; > @@ -1120,6 +1120,23 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) > if (nfsd4_spo_must_allow(rqstp)) > return 0; > > + /* Some calls may be processed without authentication > + * on GSS exports. For example NFS2/3 calls on root > + * directory, see section 2.3.2 of rfc 2623. > + * For "may_bypass_gss" check that export has really > + * enabled some GSS flavor and also check that the > + * used auth flavor is without auth (none or sys). > + */ > + if (may_bypass_gss && ( > + rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || > + rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)) { > + for (f = exp->ex_flavors; f < end; f++) { > + if (f->pseudoflavor == RPC_AUTH_GSS || > + f->pseudoflavor >= RPC_AUTH_GSS_KRB5) > + return 0; > + } > + } > + > denied: > return rqstp->rq_vers < 4 ? nfserr_acces : nfserr_wrongsec; > } > diff --git a/fs/nfsd/export.h b/fs/nfsd/export.h > index ca9dc230ae3d..dc7cf4f6ac53 100644 > --- a/fs/nfsd/export.h > +++ b/fs/nfsd/export.h > @@ -100,7 +100,7 @@ struct svc_expkey { > #define EX_WGATHER(exp) ((exp)->ex_flags & NFSEXP_GATHERED_WRITES) > > int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp); > -__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp); > +__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, bool may_bypass_gss); > > /* > * Function declarations > diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c > index 2e39cf2e502a..0f67f4a7b8b2 100644 > --- a/fs/nfsd/nfs4proc.c > +++ b/fs/nfsd/nfs4proc.c > @@ -2791,7 +2791,7 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) > > if (current_fh->fh_export && > need_wrongsec_check(rqstp)) > - op->status = check_nfsd_access(current_fh->fh_export, rqstp); > + op->status = check_nfsd_access(current_fh->fh_export, rqstp, false); > } > encode_op: > if (op->status == nfserr_replay_me) { > diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c > index 97f583777972..b45ea5757652 100644 > --- a/fs/nfsd/nfs4xdr.c > +++ b/fs/nfsd/nfs4xdr.c > @@ -3775,7 +3775,7 @@ nfsd4_encode_entry4_fattr(struct nfsd4_readdir *cd, const char *name, > nfserr = nfserrno(err); > goto out_put; > } > - nfserr = check_nfsd_access(exp, cd->rd_rqstp); > + nfserr = check_nfsd_access(exp, cd->rd_rqstp, false); > if (nfserr) > goto out_put; > > diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c > index dd4e11a703aa..ed0eabfa3cb0 100644 > --- a/fs/nfsd/nfsfh.c > +++ b/fs/nfsd/nfsfh.c > @@ -329,6 +329,7 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access) > { > struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); > struct svc_export *exp = NULL; > + bool may_bypass_gss = false; > struct dentry *dentry; > __be32 error; > > @@ -375,8 +376,13 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access) > * which clients virtually always use auth_sys for, > * even while using RPCSEC_GSS for NFS. > */ > - if (access & NFSD_MAY_LOCK || access & NFSD_MAY_BYPASS_GSS) > + if (access & NFSD_MAY_LOCK) > goto skip_pseudoflavor_check; > + /* > + * NFS4 PUTFH may bypass GSS (see nfsd4_putfh() in nfs4proc.c). > + */ > + if (access & NFSD_MAY_BYPASS_GSS) > + may_bypass_gss = true; > /* > * Clients may expect to be able to use auth_sys during mount, > * even if they use gss for everything else; see section 2.3.2 > @@ -384,9 +390,9 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access) > */ > if (access & NFSD_MAY_BYPASS_GSS_ON_ROOT > && exp->ex_path.dentry == dentry) > - goto skip_pseudoflavor_check; > + may_bypass_gss = true; > > - error = check_nfsd_access(exp, rqstp); > + error = check_nfsd_access(exp, rqstp, may_bypass_gss); > if (error) > goto out; > > diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c > index 29b1f3613800..b2f5ea7c2187 100644 > --- a/fs/nfsd/vfs.c > +++ b/fs/nfsd/vfs.c > @@ -320,7 +320,7 @@ nfsd_lookup(struct svc_rqst *rqstp, struct svc_fh *fhp, const char *name, > err = nfsd_lookup_dentry(rqstp, fhp, name, len, &exp, &dentry); > if (err) > return err; > - err = check_nfsd_access(exp, rqstp); > + err = check_nfsd_access(exp, rqstp, false); > if (err) > goto out; > /* > -- > 2.20.1 > >
On Friday 13 September 2024 08:52:20 NeilBrown wrote: > On Fri, 13 Sep 2024, Pali Rohár wrote: > > Currently NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT do not bypass > > only GSS, but bypass any authentication method. This is problem specially > > for NFS3 AUTH_NULL-only exports. > > > > The purpose of NFSD_MAY_BYPASS_GSS_ON_ROOT is described in RFC 2623, > > section 2.3.2, to allow mounting NFS2/3 GSS-only export without > > authentication. So few procedures which do not expose security risk used > > during mount time can be called also with AUTH_NONE or AUTH_SYS, to allow > > client mount operation to finish successfully. > > > > The problem with current implementation is that for AUTH_NULL-only exports, > > the NFSD_MAY_BYPASS_GSS_ON_ROOT is active also for NFS3 AUTH_UNIX mount > > attempts which confuse NFS3 clients, and make them think that AUTH_UNIX is > > enabled and is working. Linux NFS3 client never switches from AUTH_UNIX to > > AUTH_NONE on active mount, which makes the mount inaccessible. > > > > Fix the NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT implementation > > and really allow to bypass only exports which have some GSS auth flavor > > enabled. > > > > The result would be: For AUTH_NULL-only export if client attempts to do > > mount with AUTH_UNIX flavor then it will receive access errors, which > > instruct client that AUTH_UNIX flavor is not usable and will either try > > other auth flavor (AUTH_NULL if enabled) or fails mount procedure. > > > > This should fix problems with AUTH_NULL-only or AUTH_UNIX-only exports if > > client attempts to mount it with other auth flavor (e.g. with AUTH_NULL for > > AUTH_UNIX-only export, or with AUTH_UNIX for AUTH_NULL-only export). > > The MAY_BYPASS_GSS flag currently also bypasses TLS restrictions. With > your change it doesn't. I don't think we want to make that change. Ok. But this is not obvious really obvious ass the option has GSS in its name. > I think that what you want to do makes sense. Higher security can be > downgraded to AUTH_UNIX, but AUTH_NULL mustn't be upgraded to to > AUTH_UNIX. > > Maybe that needs to be explicit in the code. The bypass is ONLY allowed > for AUTH_UNIX and only if something other than AUTH_NULL is allowed. Ok, this sound good. > Thanks, > NeilBrown > > > > > > > Signed-off-by: Pali Rohár <pali@kernel.org> > > --- > > fs/nfsd/export.c | 19 ++++++++++++++++++- > > fs/nfsd/export.h | 2 +- > > fs/nfsd/nfs4proc.c | 2 +- > > fs/nfsd/nfs4xdr.c | 2 +- > > fs/nfsd/nfsfh.c | 12 +++++++++--- > > fs/nfsd/vfs.c | 2 +- > > 6 files changed, 31 insertions(+), 8 deletions(-) > > > > diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c > > index 50b3135d07ac..eb11d3fdffe1 100644 > > --- a/fs/nfsd/export.c > > +++ b/fs/nfsd/export.c > > @@ -1074,7 +1074,7 @@ static struct svc_export *exp_find(struct cache_detail *cd, > > return exp; > > } > > > > -__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) > > +__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, bool may_bypass_gss) > > { > > struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; > > struct svc_xprt *xprt = rqstp->rq_xprt; > > @@ -1120,6 +1120,23 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) > > if (nfsd4_spo_must_allow(rqstp)) > > return 0; > > > > + /* Some calls may be processed without authentication > > + * on GSS exports. For example NFS2/3 calls on root > > + * directory, see section 2.3.2 of rfc 2623. > > + * For "may_bypass_gss" check that export has really > > + * enabled some GSS flavor and also check that the > > + * used auth flavor is without auth (none or sys). > > + */ > > + if (may_bypass_gss && ( > > + rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || > > + rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)) { > > + for (f = exp->ex_flavors; f < end; f++) { > > + if (f->pseudoflavor == RPC_AUTH_GSS || > > + f->pseudoflavor >= RPC_AUTH_GSS_KRB5) > > + return 0; > > + } > > + } > > + > > denied: > > return rqstp->rq_vers < 4 ? nfserr_acces : nfserr_wrongsec; > > } > > diff --git a/fs/nfsd/export.h b/fs/nfsd/export.h > > index ca9dc230ae3d..dc7cf4f6ac53 100644 > > --- a/fs/nfsd/export.h > > +++ b/fs/nfsd/export.h > > @@ -100,7 +100,7 @@ struct svc_expkey { > > #define EX_WGATHER(exp) ((exp)->ex_flags & NFSEXP_GATHERED_WRITES) > > > > int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp); > > -__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp); > > +__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, bool may_bypass_gss); > > > > /* > > * Function declarations > > diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c > > index 2e39cf2e502a..0f67f4a7b8b2 100644 > > --- a/fs/nfsd/nfs4proc.c > > +++ b/fs/nfsd/nfs4proc.c > > @@ -2791,7 +2791,7 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) > > > > if (current_fh->fh_export && > > need_wrongsec_check(rqstp)) > > - op->status = check_nfsd_access(current_fh->fh_export, rqstp); > > + op->status = check_nfsd_access(current_fh->fh_export, rqstp, false); > > } > > encode_op: > > if (op->status == nfserr_replay_me) { > > diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c > > index 97f583777972..b45ea5757652 100644 > > --- a/fs/nfsd/nfs4xdr.c > > +++ b/fs/nfsd/nfs4xdr.c > > @@ -3775,7 +3775,7 @@ nfsd4_encode_entry4_fattr(struct nfsd4_readdir *cd, const char *name, > > nfserr = nfserrno(err); > > goto out_put; > > } > > - nfserr = check_nfsd_access(exp, cd->rd_rqstp); > > + nfserr = check_nfsd_access(exp, cd->rd_rqstp, false); > > if (nfserr) > > goto out_put; > > > > diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c > > index dd4e11a703aa..ed0eabfa3cb0 100644 > > --- a/fs/nfsd/nfsfh.c > > +++ b/fs/nfsd/nfsfh.c > > @@ -329,6 +329,7 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access) > > { > > struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); > > struct svc_export *exp = NULL; > > + bool may_bypass_gss = false; > > struct dentry *dentry; > > __be32 error; > > > > @@ -375,8 +376,13 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access) > > * which clients virtually always use auth_sys for, > > * even while using RPCSEC_GSS for NFS. > > */ > > - if (access & NFSD_MAY_LOCK || access & NFSD_MAY_BYPASS_GSS) > > + if (access & NFSD_MAY_LOCK) > > goto skip_pseudoflavor_check; > > + /* > > + * NFS4 PUTFH may bypass GSS (see nfsd4_putfh() in nfs4proc.c). > > + */ > > + if (access & NFSD_MAY_BYPASS_GSS) > > + may_bypass_gss = true; > > /* > > * Clients may expect to be able to use auth_sys during mount, > > * even if they use gss for everything else; see section 2.3.2 > > @@ -384,9 +390,9 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access) > > */ > > if (access & NFSD_MAY_BYPASS_GSS_ON_ROOT > > && exp->ex_path.dentry == dentry) > > - goto skip_pseudoflavor_check; > > + may_bypass_gss = true; > > > > - error = check_nfsd_access(exp, rqstp); > > + error = check_nfsd_access(exp, rqstp, may_bypass_gss); > > if (error) > > goto out; > > > > diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c > > index 29b1f3613800..b2f5ea7c2187 100644 > > --- a/fs/nfsd/vfs.c > > +++ b/fs/nfsd/vfs.c > > @@ -320,7 +320,7 @@ nfsd_lookup(struct svc_rqst *rqstp, struct svc_fh *fhp, const char *name, > > err = nfsd_lookup_dentry(rqstp, fhp, name, len, &exp, &dentry); > > if (err) > > return err; > > - err = check_nfsd_access(exp, rqstp); > > + err = check_nfsd_access(exp, rqstp, false); > > if (err) > > goto out; > > /* > > -- > > 2.20.1 > > > > >
diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c index 50b3135d07ac..eb11d3fdffe1 100644 --- a/fs/nfsd/export.c +++ b/fs/nfsd/export.c @@ -1074,7 +1074,7 @@ static struct svc_export *exp_find(struct cache_detail *cd, return exp; } -__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) +__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, bool may_bypass_gss) { struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; struct svc_xprt *xprt = rqstp->rq_xprt; @@ -1120,6 +1120,23 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) if (nfsd4_spo_must_allow(rqstp)) return 0; + /* Some calls may be processed without authentication + * on GSS exports. For example NFS2/3 calls on root + * directory, see section 2.3.2 of rfc 2623. + * For "may_bypass_gss" check that export has really + * enabled some GSS flavor and also check that the + * used auth flavor is without auth (none or sys). + */ + if (may_bypass_gss && ( + rqstp->rq_cred.cr_flavor == RPC_AUTH_NULL || + rqstp->rq_cred.cr_flavor == RPC_AUTH_UNIX)) { + for (f = exp->ex_flavors; f < end; f++) { + if (f->pseudoflavor == RPC_AUTH_GSS || + f->pseudoflavor >= RPC_AUTH_GSS_KRB5) + return 0; + } + } + denied: return rqstp->rq_vers < 4 ? nfserr_acces : nfserr_wrongsec; } diff --git a/fs/nfsd/export.h b/fs/nfsd/export.h index ca9dc230ae3d..dc7cf4f6ac53 100644 --- a/fs/nfsd/export.h +++ b/fs/nfsd/export.h @@ -100,7 +100,7 @@ struct svc_expkey { #define EX_WGATHER(exp) ((exp)->ex_flags & NFSEXP_GATHERED_WRITES) int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp); -__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp); +__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, bool may_bypass_gss); /* * Function declarations diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c index 2e39cf2e502a..0f67f4a7b8b2 100644 --- a/fs/nfsd/nfs4proc.c +++ b/fs/nfsd/nfs4proc.c @@ -2791,7 +2791,7 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) if (current_fh->fh_export && need_wrongsec_check(rqstp)) - op->status = check_nfsd_access(current_fh->fh_export, rqstp); + op->status = check_nfsd_access(current_fh->fh_export, rqstp, false); } encode_op: if (op->status == nfserr_replay_me) { diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 97f583777972..b45ea5757652 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -3775,7 +3775,7 @@ nfsd4_encode_entry4_fattr(struct nfsd4_readdir *cd, const char *name, nfserr = nfserrno(err); goto out_put; } - nfserr = check_nfsd_access(exp, cd->rd_rqstp); + nfserr = check_nfsd_access(exp, cd->rd_rqstp, false); if (nfserr) goto out_put; diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c index dd4e11a703aa..ed0eabfa3cb0 100644 --- a/fs/nfsd/nfsfh.c +++ b/fs/nfsd/nfsfh.c @@ -329,6 +329,7 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access) { struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); struct svc_export *exp = NULL; + bool may_bypass_gss = false; struct dentry *dentry; __be32 error; @@ -375,8 +376,13 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access) * which clients virtually always use auth_sys for, * even while using RPCSEC_GSS for NFS. */ - if (access & NFSD_MAY_LOCK || access & NFSD_MAY_BYPASS_GSS) + if (access & NFSD_MAY_LOCK) goto skip_pseudoflavor_check; + /* + * NFS4 PUTFH may bypass GSS (see nfsd4_putfh() in nfs4proc.c). + */ + if (access & NFSD_MAY_BYPASS_GSS) + may_bypass_gss = true; /* * Clients may expect to be able to use auth_sys during mount, * even if they use gss for everything else; see section 2.3.2 @@ -384,9 +390,9 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access) */ if (access & NFSD_MAY_BYPASS_GSS_ON_ROOT && exp->ex_path.dentry == dentry) - goto skip_pseudoflavor_check; + may_bypass_gss = true; - error = check_nfsd_access(exp, rqstp); + error = check_nfsd_access(exp, rqstp, may_bypass_gss); if (error) goto out; diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index 29b1f3613800..b2f5ea7c2187 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -320,7 +320,7 @@ nfsd_lookup(struct svc_rqst *rqstp, struct svc_fh *fhp, const char *name, err = nfsd_lookup_dentry(rqstp, fhp, name, len, &exp, &dentry); if (err) return err; - err = check_nfsd_access(exp, rqstp); + err = check_nfsd_access(exp, rqstp, false); if (err) goto out; /*
Currently NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT do not bypass only GSS, but bypass any authentication method. This is problem specially for NFS3 AUTH_NULL-only exports. The purpose of NFSD_MAY_BYPASS_GSS_ON_ROOT is described in RFC 2623, section 2.3.2, to allow mounting NFS2/3 GSS-only export without authentication. So few procedures which do not expose security risk used during mount time can be called also with AUTH_NONE or AUTH_SYS, to allow client mount operation to finish successfully. The problem with current implementation is that for AUTH_NULL-only exports, the NFSD_MAY_BYPASS_GSS_ON_ROOT is active also for NFS3 AUTH_UNIX mount attempts which confuse NFS3 clients, and make them think that AUTH_UNIX is enabled and is working. Linux NFS3 client never switches from AUTH_UNIX to AUTH_NONE on active mount, which makes the mount inaccessible. Fix the NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT implementation and really allow to bypass only exports which have some GSS auth flavor enabled. The result would be: For AUTH_NULL-only export if client attempts to do mount with AUTH_UNIX flavor then it will receive access errors, which instruct client that AUTH_UNIX flavor is not usable and will either try other auth flavor (AUTH_NULL if enabled) or fails mount procedure. This should fix problems with AUTH_NULL-only or AUTH_UNIX-only exports if client attempts to mount it with other auth flavor (e.g. with AUTH_NULL for AUTH_UNIX-only export, or with AUTH_UNIX for AUTH_NULL-only export). Signed-off-by: Pali Rohár <pali@kernel.org> --- fs/nfsd/export.c | 19 ++++++++++++++++++- fs/nfsd/export.h | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 2 +- fs/nfsd/nfsfh.c | 12 +++++++++--- fs/nfsd/vfs.c | 2 +- 6 files changed, 31 insertions(+), 8 deletions(-)