nfsserver: Fix handling of SP4_NONE
For NFSv4.1/4.2, when the client specifies SP4_NONE for state protection in the ExchangeID operation arguments, the server MUST allow the state management operations for any user credentials. (I misread the RFC and thought that SP4_NONE meant "at the server's discretion" and not MUST be allowed.) This means that the "sec=XXX" field of the "V4:" exports(5) line only applies to NFSv4.0. This patch fixes the server to always allow state management operations for SP4_NONE, which is the only state management option currently supported. (I have patches that add support for SP4_MACH_CRED to the server. These will be in a future commit.) In practice, this bug does not seem to have caused interoperability problems. MFC after: 2 weeks
parent
f97a19ecb9
commit
5a0050e68a
|
@ -5867,12 +5867,17 @@ nfsrv_throwawayopens(NFSPROC_T *p)
|
|||
|
||||
/*
|
||||
* This function checks to see if the credentials are the same.
|
||||
* Returns 1 for not same, 0 otherwise.
|
||||
* The check for same credentials is needed for state management operations
|
||||
* for NFSv4.0 where 1 is returned if not same, 0 is returned otherwise.
|
||||
*/
|
||||
static int
|
||||
nfsrv_notsamecredname(struct nfsrv_descript *nd, struct nfsclient *clp)
|
||||
{
|
||||
|
||||
/* For NFSv4.1/4.2, SP4_NONE always allows this. */
|
||||
if ((nd->nd_flag & ND_NFSV41) != 0)
|
||||
return (0);
|
||||
|
||||
if (nd->nd_flag & ND_GSS) {
|
||||
if (!(clp->lc_flags & LCL_GSS))
|
||||
return (1);
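Review bot: The new early return in nfsrv_notsamecredname() keys on `ND_NFSV41` alone, while its comment justifies the bypass by SP4_NONE; nothing in the visible lines ties the two together. That is correct only while SP4_NONE is the sole state-protection mode the server accepts, so once another mode is added (the description mentions SP4_MACH_CRED), this return would skip the credential comparison for clients that asked for protection. I would record the dependency in the comment, e.g. `/* XXX SP4_NONE is the only mode supported; check the clientid's negotiated state protection here when that changes. */`. The same applies to the added `goto checktls` in nfsd_checkrootexp(). The function body continues past the end of the hunk.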
|
||||
|
|
|
@ -2121,6 +2121,14 @@ nfsd_checkrootexp(struct nfsrv_descript *nd)
|
|||
|
||||
if (nfs_rootfhset == 0)
|
||||
return (NFSERR_AUTHERR | AUTH_FAILED);
|
||||
/*
|
||||
* For NFSv4.1/4.2, if the client specifies SP4_NONE, then these
|
||||
* operations are allowed regardless of the value of the "sec=XXX"
|
||||
* field in the V4: exports line.
|
||||
* As such, these Kerberos checks only apply to NFSv4.0 mounts.
|
||||
*/
|
||||
if ((nd->nd_flag & ND_NFSV41) != 0)
|
||||
goto checktls;
|
||||
if ((nd->nd_flag & (ND_GSS | ND_EXAUTHSYS)) == ND_EXAUTHSYS)
|
||||
goto checktls;
|
||||
if ((nd->nd_flag & (ND_GSSINTEGRITY | ND_EXGSSINTEGRITY)) ==
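Review bot: The added comment says the Kerberos checks are skipped for NFSv4.1/4.2 but not what is still enforced, which is what someone auditing an export with a Kerberos-only `sec=` value needs to know. The jump goes to `checktls`, so presumably the TLS requirements still apply to these requests; the label is outside the hunk, so confirm before stating it. If so, add a line such as ` * The TLS checks at checktls still apply to NFSv4.1/4.2.` to the comment. Both the start and the end of nfsd_checkrootexp() are outside the hunk.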
|
||||
|
|