NFSv4: Fix security auto-negotiation

NFSv4 security auto-negotiation has been broken since
commit 4580a92d44 (NFS:
Use server-recommended security flavor by default (NFSv3))
because nfs4_try_mount() will automatically select AUTH_SYS
if it sees no auth flavours.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Chuck Lever <chuck.lever@oracle.com>
Trond Myklebust 2013-09-07 12:58:57 -04:00
parent 19e7b8d240
commit 5e6b19901b
6 changed files with 30 additions and 18 deletions


@ -358,7 +358,7 @@ extern struct dentry *nfs_get_root(struct super_block *, struct nfs_fh *,
extern struct dentry *nfs4_get_root(struct super_block *, struct nfs_fh *, extern struct dentry *nfs4_get_root(struct super_block *, struct nfs_fh *,
const char *); const char *);
extern int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh); extern int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh, bool);
#endif #endif
struct nfs_pgio_completion_ops; struct nfs_pgio_completion_ops;
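Review bot: The third parameter added to the `nfs4_get_rootfh()` prototype is a bare `bool`, while the two parameters before it are named, so the header no longer says what the flag controls. Name it to match the definition: `extern int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh, bool auth_probe);`. The `nfs4_proc_get_rootfh()` prototype in the next file section has the same unnamed trailing `bool`, although that declaration leaves all of its parameters unnamed.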


@ -221,7 +221,7 @@ struct vfsmount *nfs4_submount(struct nfs_server *, struct dentry *,
/* nfs4proc.c */ /* nfs4proc.c */
extern int nfs4_proc_setclientid(struct nfs_client *, u32, unsigned short, struct rpc_cred *, struct nfs4_setclientid_res *); extern int nfs4_proc_setclientid(struct nfs_client *, u32, unsigned short, struct rpc_cred *, struct nfs4_setclientid_res *);
extern int nfs4_proc_setclientid_confirm(struct nfs_client *, struct nfs4_setclientid_res *arg, struct rpc_cred *); extern int nfs4_proc_setclientid_confirm(struct nfs_client *, struct nfs4_setclientid_res *arg, struct rpc_cred *);
extern int nfs4_proc_get_rootfh(struct nfs_server *, struct nfs_fh *, struct nfs_fsinfo *); extern int nfs4_proc_get_rootfh(struct nfs_server *, struct nfs_fh *, struct nfs_fsinfo *, bool);
extern int nfs4_proc_bind_conn_to_session(struct nfs_client *, struct rpc_cred *cred); extern int nfs4_proc_bind_conn_to_session(struct nfs_client *, struct rpc_cred *cred);
extern int nfs4_proc_exchange_id(struct nfs_client *clp, struct rpc_cred *cred); extern int nfs4_proc_exchange_id(struct nfs_client *clp, struct rpc_cred *cred);
extern int nfs4_destroy_clientid(struct nfs_client *clp); extern int nfs4_destroy_clientid(struct nfs_client *clp);


@ -885,7 +885,7 @@ static void nfs4_session_set_rwsize(struct nfs_server *server)
} }
static int nfs4_server_common_setup(struct nfs_server *server, static int nfs4_server_common_setup(struct nfs_server *server,
struct nfs_fh *mntfh) struct nfs_fh *mntfh, bool auth_probe)
{ {
struct nfs_fattr *fattr; struct nfs_fattr *fattr;
int error; int error;
@ -917,7 +917,7 @@ static int nfs4_server_common_setup(struct nfs_server *server,
/* Probe the root fh to retrieve its FSID and filehandle */ /* Probe the root fh to retrieve its FSID and filehandle */
error = nfs4_get_rootfh(server, mntfh); error = nfs4_get_rootfh(server, mntfh, auth_probe);
if (error < 0) if (error < 0)
goto out; goto out;
@ -949,6 +949,7 @@ out:
static int nfs4_init_server(struct nfs_server *server, static int nfs4_init_server(struct nfs_server *server,
const struct nfs_parsed_mount_data *data) const struct nfs_parsed_mount_data *data)
{ {
rpc_authflavor_t pseudoflavor = RPC_AUTH_UNIX;
struct rpc_timeout timeparms; struct rpc_timeout timeparms;
int error; int error;
@ -961,13 +962,16 @@ static int nfs4_init_server(struct nfs_server *server,
server->flags = data->flags; server->flags = data->flags;
server->options = data->options; server->options = data->options;
if (data->auth_flavor_len >= 1)
pseudoflavor = data->auth_flavors[0];
/* Get a client record */ /* Get a client record */
error = nfs4_set_client(server, error = nfs4_set_client(server,
data->nfs_server.hostname, data->nfs_server.hostname,
(const struct sockaddr *)&data->nfs_server.address, (const struct sockaddr *)&data->nfs_server.address,
data->nfs_server.addrlen, data->nfs_server.addrlen,
data->client_address, data->client_address,
data->auth_flavors[0], pseudoflavor,
data->nfs_server.protocol, data->nfs_server.protocol,
&timeparms, &timeparms,
data->minorversion, data->minorversion,
@ -987,7 +991,7 @@ static int nfs4_init_server(struct nfs_server *server,
server->port = data->nfs_server.port; server->port = data->nfs_server.port;
error = nfs_init_server_rpcclient(server, &timeparms, data->auth_flavors[0]); error = nfs_init_server_rpcclient(server, &timeparms, pseudoflavor);
error: error:
/* Done */ /* Done */
@ -1005,6 +1009,7 @@ struct nfs_server *nfs4_create_server(struct nfs_mount_info *mount_info,
struct nfs_subversion *nfs_mod) struct nfs_subversion *nfs_mod)
{ {
struct nfs_server *server; struct nfs_server *server;
bool auth_probe;
int error; int error;
dprintk("--> nfs4_create_server()\n"); dprintk("--> nfs4_create_server()\n");
@ -1013,12 +1018,14 @@ struct nfs_server *nfs4_create_server(struct nfs_mount_info *mount_info,
if (!server) if (!server)
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
auth_probe = mount_info->parsed->auth_flavor_len < 1;
/* set up the general RPC client */ /* set up the general RPC client */
error = nfs4_init_server(server, mount_info->parsed); error = nfs4_init_server(server, mount_info->parsed);
if (error < 0) if (error < 0)
goto error; goto error;
error = nfs4_server_common_setup(server, mount_info->mntfh); error = nfs4_server_common_setup(server, mount_info->mntfh, auth_probe);
if (error < 0) if (error < 0)
goto error; goto error;
@ -1071,7 +1078,7 @@ struct nfs_server *nfs4_create_referral_server(struct nfs_clone_mount *data,
if (error < 0) if (error < 0)
goto error; goto error;
error = nfs4_server_common_setup(server, mntfh); error = nfs4_server_common_setup(server, mntfh, false);
if (error < 0) if (error < 0)
goto error; goto error;
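Review bot: `auth_probe` in nfs4_create_server() is derived from `auth_flavor_len < 1`, while nfs4_init_server() separately tests `data->auth_flavor_len >= 1` to choose the `RPC_AUTH_UNIX` fallback, so the "no sec= given" decision is made in two places that have to stay in sync. A comment at the assignment would record the intent, for example `/* No sec= option given: negotiate the flavour with the server */`. The literal `false` passed from nfs4_create_referral_server() should also get a one-line comment saying why referral mounts skip the probe, since the reason is not visible in these hunks. Whether `auth_flavor_len` and the `NFS_MOUNT_SECFLAVOUR` flag tested later always agree cannot be confirmed from this page and is worth checking, because a mismatch would decide whether an explicitly requested flavour is kept.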


@ -9,7 +9,7 @@
#define NFSDBG_FACILITY NFSDBG_CLIENT #define NFSDBG_FACILITY NFSDBG_CLIENT
int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh) int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh, bool auth_probe)
{ {
struct nfs_fsinfo fsinfo; struct nfs_fsinfo fsinfo;
int ret = -ENOMEM; int ret = -ENOMEM;
@ -21,7 +21,7 @@ int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh)
goto out; goto out;
/* Start by getting the root filehandle from the server */ /* Start by getting the root filehandle from the server */
ret = nfs4_proc_get_rootfh(server, mntfh, &fsinfo); ret = nfs4_proc_get_rootfh(server, mntfh, &fsinfo, auth_probe);
if (ret < 0) { if (ret < 0) {
dprintk("nfs4_get_rootfh: getroot error = %d\n", -ret); dprintk("nfs4_get_rootfh: getroot error = %d\n", -ret);
goto out; goto out;


@ -2884,18 +2884,27 @@ static int nfs4_do_find_root_sec(struct nfs_server *server,
* @server: initialized nfs_server handle * @server: initialized nfs_server handle
* @fhandle: we fill in the pseudo-fs root file handle * @fhandle: we fill in the pseudo-fs root file handle
* @info: we fill in an FSINFO struct * @info: we fill in an FSINFO struct
* @auth_probe: probe the auth flavours
* *
* Returns zero on success, or a negative errno. * Returns zero on success, or a negative errno.
*/ */
int nfs4_proc_get_rootfh(struct nfs_server *server, struct nfs_fh *fhandle, int nfs4_proc_get_rootfh(struct nfs_server *server, struct nfs_fh *fhandle,
struct nfs_fsinfo *info) struct nfs_fsinfo *info,
bool auth_probe)
{ {
int status; int status;
switch (auth_probe) {
case false:
status = nfs4_lookup_root(server, fhandle, info); status = nfs4_lookup_root(server, fhandle, info);
if ((status == -NFS4ERR_WRONGSEC) && if (status != -NFS4ERR_WRONGSEC)
!(server->flags & NFS_MOUNT_SECFLAVOUR)) break;
/* Did user force a 'sec=' mount option? */
if (server->flags & NFS_MOUNT_SECFLAVOUR)
break;
default:
status = nfs4_do_find_root_sec(server, fhandle, info); status = nfs4_do_find_root_sec(server, fhandle, info);
}
if (status == 0) if (status == 0)
status = nfs4_server_capabilities(server, fhandle); status = nfs4_server_capabilities(server, fhandle);
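Review bot: The new `switch (auth_probe)` relies on `case false:` falling through into `default:` when the lookup returns `-NFS4ERR_WRONGSEC` and no flavour was forced, but nothing marks that fall-through as intentional. A switch on a bool with a silent fall-through is easy to misread, and this branch decides whether a user-forced `sec=` is honoured or the flavour is negotiated, so the control flow should be explicit. Add `/* Fall through to flavour negotiation */` immediately before `default:`. The body of nfs4_proc_get_rootfh() continues past the end of the hunk.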


@ -253,10 +253,6 @@ struct dentry *nfs4_try_mount(int flags, const char *dev_name,
dfprintk(MOUNT, "--> nfs4_try_mount()\n"); dfprintk(MOUNT, "--> nfs4_try_mount()\n");
if (data->auth_flavor_len < 1) {
data->auth_flavors[0] = RPC_AUTH_UNIX;
data->auth_flavor_len = 1;
}
export_path = data->nfs_server.export_path; export_path = data->nfs_server.export_path;
data->nfs_server.export_path = "/"; data->nfs_server.export_path = "/";
root_mnt = nfs_do_root_mount(&nfs4_remote_fs_type, flags, mount_info, root_mnt = nfs_do_root_mount(&nfs4_remote_fs_type, flags, mount_info,