Commit 5e6b1990 authored by Trond Myklebust's avatar Trond Myklebust

NFSv4: Fix security auto-negotiation

NFSv4 security auto-negotiation has been broken since
commit 4580a92d (NFS:
Use server-recommended security flavor by default (NFSv3))
because nfs4_try_mount() will automatically select AUTH_SYS
if it sees no auth flavours.
Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
Cc: Chuck Lever <chuck.lever@oracle.com>
parent 19e7b8d2
......@@ -358,7 +358,7 @@ extern struct dentry *nfs_get_root(struct super_block *, struct nfs_fh *,
extern struct dentry *nfs4_get_root(struct super_block *, struct nfs_fh *,
const char *);
extern int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh);
extern int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh, bool);
#endif
struct nfs_pgio_completion_ops;
......
......@@ -221,7 +221,7 @@ struct vfsmount *nfs4_submount(struct nfs_server *, struct dentry *,
/* nfs4proc.c */
extern int nfs4_proc_setclientid(struct nfs_client *, u32, unsigned short, struct rpc_cred *, struct nfs4_setclientid_res *);
extern int nfs4_proc_setclientid_confirm(struct nfs_client *, struct nfs4_setclientid_res *arg, struct rpc_cred *);
extern int nfs4_proc_get_rootfh(struct nfs_server *, struct nfs_fh *, struct nfs_fsinfo *);
extern int nfs4_proc_get_rootfh(struct nfs_server *, struct nfs_fh *, struct nfs_fsinfo *, bool);
extern int nfs4_proc_bind_conn_to_session(struct nfs_client *, struct rpc_cred *cred);
extern int nfs4_proc_exchange_id(struct nfs_client *clp, struct rpc_cred *cred);
extern int nfs4_destroy_clientid(struct nfs_client *clp);
......
......@@ -885,7 +885,7 @@ static void nfs4_session_set_rwsize(struct nfs_server *server)
}
static int nfs4_server_common_setup(struct nfs_server *server,
struct nfs_fh *mntfh)
struct nfs_fh *mntfh, bool auth_probe)
{
struct nfs_fattr *fattr;
int error;
......@@ -917,7 +917,7 @@ static int nfs4_server_common_setup(struct nfs_server *server,
/* Probe the root fh to retrieve its FSID and filehandle */
error = nfs4_get_rootfh(server, mntfh);
error = nfs4_get_rootfh(server, mntfh, auth_probe);
if (error < 0)
goto out;
......@@ -949,6 +949,7 @@ static int nfs4_server_common_setup(struct nfs_server *server,
static int nfs4_init_server(struct nfs_server *server,
const struct nfs_parsed_mount_data *data)
{
rpc_authflavor_t pseudoflavor = RPC_AUTH_UNIX;
struct rpc_timeout timeparms;
int error;
......@@ -961,13 +962,16 @@ static int nfs4_init_server(struct nfs_server *server,
server->flags = data->flags;
server->options = data->options;
if (data->auth_flavor_len >= 1)
pseudoflavor = data->auth_flavors[0];
/* Get a client record */
error = nfs4_set_client(server,
data->nfs_server.hostname,
(const struct sockaddr *)&data->nfs_server.address,
data->nfs_server.addrlen,
data->client_address,
data->auth_flavors[0],
pseudoflavor,
data->nfs_server.protocol,
&timeparms,
data->minorversion,
......@@ -987,7 +991,7 @@ static int nfs4_init_server(struct nfs_server *server,
server->port = data->nfs_server.port;
error = nfs_init_server_rpcclient(server, &timeparms, data->auth_flavors[0]);
error = nfs_init_server_rpcclient(server, &timeparms, pseudoflavor);
error:
/* Done */
......@@ -1005,6 +1009,7 @@ struct nfs_server *nfs4_create_server(struct nfs_mount_info *mount_info,
struct nfs_subversion *nfs_mod)
{
struct nfs_server *server;
bool auth_probe;
int error;
dprintk("--> nfs4_create_server()\n");
......@@ -1013,12 +1018,14 @@ struct nfs_server *nfs4_create_server(struct nfs_mount_info *mount_info,
if (!server)
return ERR_PTR(-ENOMEM);
auth_probe = mount_info->parsed->auth_flavor_len < 1;
/* set up the general RPC client */
error = nfs4_init_server(server, mount_info->parsed);
if (error < 0)
goto error;
error = nfs4_server_common_setup(server, mount_info->mntfh);
error = nfs4_server_common_setup(server, mount_info->mntfh, auth_probe);
if (error < 0)
goto error;
......@@ -1071,7 +1078,7 @@ struct nfs_server *nfs4_create_referral_server(struct nfs_clone_mount *data,
if (error < 0)
goto error;
error = nfs4_server_common_setup(server, mntfh);
error = nfs4_server_common_setup(server, mntfh, false);
if (error < 0)
goto error;
......
......@@ -9,7 +9,7 @@
#define NFSDBG_FACILITY NFSDBG_CLIENT
int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh)
int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh, bool auth_probe)
{
struct nfs_fsinfo fsinfo;
int ret = -ENOMEM;
......@@ -21,7 +21,7 @@ int nfs4_get_rootfh(struct nfs_server *server, struct nfs_fh *mntfh)
goto out;
/* Start by getting the root filehandle from the server */
ret = nfs4_proc_get_rootfh(server, mntfh, &fsinfo);
ret = nfs4_proc_get_rootfh(server, mntfh, &fsinfo, auth_probe);
if (ret < 0) {
dprintk("nfs4_get_rootfh: getroot error = %d\n", -ret);
goto out;
......
......@@ -2884,18 +2884,27 @@ static int nfs4_do_find_root_sec(struct nfs_server *server,
* @server: initialized nfs_server handle
* @fhandle: we fill in the pseudo-fs root file handle
* @info: we fill in an FSINFO struct
* @auth_probe: probe the auth flavours
*
* Returns zero on success, or a negative errno.
*/
int nfs4_proc_get_rootfh(struct nfs_server *server, struct nfs_fh *fhandle,
struct nfs_fsinfo *info)
struct nfs_fsinfo *info,
bool auth_probe)
{
int status;
switch (auth_probe) {
case false:
status = nfs4_lookup_root(server, fhandle, info);
if ((status == -NFS4ERR_WRONGSEC) &&
!(server->flags & NFS_MOUNT_SECFLAVOUR))
if (status != -NFS4ERR_WRONGSEC)
break;
/* Did user force a 'sec=' mount option? */
if (server->flags & NFS_MOUNT_SECFLAVOUR)
break;
default:
status = nfs4_do_find_root_sec(server, fhandle, info);
}
if (status == 0)
status = nfs4_server_capabilities(server, fhandle);
......
......@@ -253,10 +253,6 @@ struct dentry *nfs4_try_mount(int flags, const char *dev_name,
dfprintk(MOUNT, "--> nfs4_try_mount()\n");
if (data->auth_flavor_len < 1) {
data->auth_flavors[0] = RPC_AUTH_UNIX;
data->auth_flavor_len = 1;
}
export_path = data->nfs_server.export_path;
data->nfs_server.export_path = "/";
root_mnt = nfs_do_root_mount(&nfs4_remote_fs_type, flags, mount_info,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment