提交 1269bc69 编写于 作者: J J. Bruce Fields 提交者: Linus Torvalds

knfsd: nfsd: enforce per-flavor id squashing

Allow root squashing to vary per-pseudoflavor, so that you can (for example)
allow root access only when sufficiently strong security is in use.
Signed-off-by: N"J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: NNeil Brown <neilb@suse.de>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
上级 9091224f
...@@ -12,17 +12,31 @@ ...@@ -12,17 +12,31 @@
#define CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE)) #define CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE))
static int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp)
{
struct exp_flavor_info *f;
struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors;
for (f = exp->ex_flavors; f < end; f++) {
if (f->pseudoflavor == rqstp->rq_flavor)
return f->flags;
}
return exp->ex_flags;
}
int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
{ {
struct svc_cred cred = rqstp->rq_cred; struct svc_cred cred = rqstp->rq_cred;
int i; int i;
int flags = nfsexp_flags(rqstp, exp);
int ret; int ret;
if (exp->ex_flags & NFSEXP_ALLSQUASH) { if (flags & NFSEXP_ALLSQUASH) {
cred.cr_uid = exp->ex_anon_uid; cred.cr_uid = exp->ex_anon_uid;
cred.cr_gid = exp->ex_anon_gid; cred.cr_gid = exp->ex_anon_gid;
cred.cr_group_info = groups_alloc(0); cred.cr_group_info = groups_alloc(0);
} else if (exp->ex_flags & NFSEXP_ROOTSQUASH) { } else if (flags & NFSEXP_ROOTSQUASH) {
struct group_info *gi; struct group_info *gi;
if (!cred.cr_uid) if (!cred.cr_uid)
cred.cr_uid = exp->ex_anon_uid; cred.cr_uid = exp->ex_anon_uid;
......
...@@ -43,7 +43,8 @@ ...@@ -43,7 +43,8 @@
#define NFSEXP_ALLFLAGS 0xFE3F #define NFSEXP_ALLFLAGS 0xFE3F
/* The flags that may vary depending on security flavor: */ /* The flags that may vary depending on security flavor: */
#define NFSEXP_SECINFO_FLAGS 0 #define NFSEXP_SECINFO_FLAGS (NFSEXP_READONLY | NFSEXP_ROOTSQUASH \
| NFSEXP_ALLSQUASH)
#ifdef __KERNEL__ #ifdef __KERNEL__
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册