mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-24 20:54:10 +08:00
knfsd: nfsd: enforce per-flavor id squashing
Allow root squashing to vary per-pseudoflavor, so that you can (for example) allow root access only when sufficiently strong security is in use. Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
9091224f3c
commit
1269bc69b6
@ -12,17 +12,31 @@
|
||||
|
||||
#define CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE))
|
||||
|
||||
static int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp)
|
||||
{
|
||||
struct exp_flavor_info *f;
|
||||
struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors;
|
||||
|
||||
for (f = exp->ex_flavors; f < end; f++) {
|
||||
if (f->pseudoflavor == rqstp->rq_flavor)
|
||||
return f->flags;
|
||||
}
|
||||
return exp->ex_flags;
|
||||
|
||||
}
|
||||
|
||||
int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
|
||||
{
|
||||
struct svc_cred cred = rqstp->rq_cred;
|
||||
int i;
|
||||
int flags = nfsexp_flags(rqstp, exp);
|
||||
int ret;
|
||||
|
||||
if (exp->ex_flags & NFSEXP_ALLSQUASH) {
|
||||
if (flags & NFSEXP_ALLSQUASH) {
|
||||
cred.cr_uid = exp->ex_anon_uid;
|
||||
cred.cr_gid = exp->ex_anon_gid;
|
||||
cred.cr_group_info = groups_alloc(0);
|
||||
} else if (exp->ex_flags & NFSEXP_ROOTSQUASH) {
|
||||
} else if (flags & NFSEXP_ROOTSQUASH) {
|
||||
struct group_info *gi;
|
||||
if (!cred.cr_uid)
|
||||
cred.cr_uid = exp->ex_anon_uid;
|
||||
|
@ -43,7 +43,8 @@
|
||||
#define NFSEXP_ALLFLAGS 0xFE3F
|
||||
|
||||
/* The flags that may vary depending on security flavor: */
|
||||
#define NFSEXP_SECINFO_FLAGS 0
|
||||
#define NFSEXP_SECINFO_FLAGS (NFSEXP_READONLY | NFSEXP_ROOTSQUASH \
|
||||
| NFSEXP_ALLSQUASH)
|
||||
|
||||
#ifdef __KERNEL__
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user