tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
knfsd: nfsd: enforce per-flavor id squashing
Allow root squashing to vary per-pseudoflavor, so that you can (for example)
allow root access only when sufficiently strong security is in use.
Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
authored by
J. Bruce Fields
and committed by
Linus Torvalds
1269bc69
9091224f
+18
-3
+16
-2
fs/nfsd/auth.c
+16
-2
fs/nfsd/auth.c
···
12
12
13
13
#define CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE))
14
14
15
+
static int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp)
16
+
{
17
+
struct exp_flavor_info *f;
18
+
struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors;
19
+
20
+
for (f = exp->ex_flavors; f < end; f++) {
21
+
if (f->pseudoflavor == rqstp->rq_flavor)
22
+
return f->flags;
23
+
}
24
+
return exp->ex_flags;
25
+
26
+
}
27
+
15
28
int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
16
29
{
17
30
struct svc_cred cred = rqstp->rq_cred;
18
31
int i;
32
+
int flags = nfsexp_flags(rqstp, exp);
19
33
int ret;
20
34
21
-
if (exp->ex_flags & NFSEXP_ALLSQUASH) {
35
+
if (flags & NFSEXP_ALLSQUASH) {
22
36
cred.cr_uid = exp->ex_anon_uid;
23
37
cred.cr_gid = exp->ex_anon_gid;
24
38
cred.cr_group_info = groups_alloc(0);
25
-
} else if (exp->ex_flags & NFSEXP_ROOTSQUASH) {
39
+
} else if (flags & NFSEXP_ROOTSQUASH) {
26
40
struct group_info *gi;
27
41
if (!cred.cr_uid)
28
42
cred.cr_uid = exp->ex_anon_uid;
+2
-1
include/linux/nfsd/export.h
+2
-1
include/linux/nfsd/export.h