Message-Id: <20240912130220.17032-3-pali@kernel.org>
Date: Thu, 12 Sep 2024 15:02:17 +0200
From: Pali Rohár <pali@...nel.org>
To: Trond Myklebust <trondmy@...nel.org>,
	Anna Schumaker <anna@...nel.org>
Cc: linux-nfs@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: [PATCH 2/5] nfs: Propagate AUTH_NULL/AUTH_UNIX PATHCONF NFS3ERR_ACCESS failures

The Linux NFS3 server returns NFS3ERR_ACCESS for the PATHCONF procedure if
the client-selected auth flavor is not enabled for the export which is being
mounted. Ignoring this error results in choosing the wrong auth flavor during
mount and so making the mount point inaccessible. This is because the Linux
NFS3 server allows calling other procedures used during mount time (FSINFO
and GETATTR) also with an auth flavor which is explicitly disabled on a
particular export.

This is particularly a problem with mounting AUTH_NULL-only exports from a
Linux NFS3 server, as the kernel client first tries to use the AUTH_UNIX auth
flavor, even when AUTH_UNIX is not announced by the MNTv3 server.

Do not propagate this failure for other auth methods, like GSS, as the Linux
NFS3 server expects that accessing the root export GSS dir may also be done
by other auth methods.

Signed-off-by: Pali Rohár <pali@...nel.org>
Cc: stable@...r.kernel.org
---
 fs/nfs/client.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 8286edd6062d..5171ae112355 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -864,7 +864,19 @@ static int nfs_probe_fsinfo(struct nfs_server *server, struct nfs_fh *mntfh, str
 		pathinfo.fattr = fattr;
 		nfs_fattr_init(fattr);
 
-		if (clp->rpc_ops->pathconf(server, mntfh, &pathinfo) >= 0)
+		error = clp->rpc_ops->pathconf(server, mntfh, &pathinfo);
+		/*
+		 * Linux NFS3 server for PATHCONF procedure returns back error
+		 * NFS3ERR_ACCESS when selected auth flavor is not enabled for
+		 * export. For auth flavors without authentication (none and
+		 * sys) propagate error back to nfs_probe_server() caller and
+		 * allow to choose different auth flavor.
+		 */
+		if (error == -EACCES && (
+		     server->client->cl_auth->au_flavor == RPC_AUTH_UNIX ||
+		     server->client->cl_auth->au_flavor == RPC_AUTH_NULL))
+			return error;
+		else if (error >= 0)
 			server->namelen = pathinfo.max_namelen;
 	}
 
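Review bot: the `error == -EACCES` test in the new `if` fires for any server and for any cause of EACCES, not only for the Linux NFS3 "flavor not enabled for export" case that the comment above it describes. The removed line ignored every negative PATHCONF result, so with AUTH_UNIX or AUTH_NULL a probe that used to continue without setting `namelen` now returns an error. Since the patch is tagged for stable, the comment should say why treating every PATHCONF -EACCES as fatal is acceptable for other servers, or the condition should be narrowed. Two style points on the same lines: the `else` after `return error;` is redundant, and reading `server->client->cl_auth->au_flavor` once into a local would avoid repeating the pointer chain and ending the condition line with an open parenthesis.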
-- 
2.20.1

