76 lines
3.1 KiB
Diff
76 lines
3.1 KiB
Diff
commit 3c1bb23c0379864722e79d19f74c180edcf2c36e
|
|
Author: bc Wong <bcwong@cisco.com>
|
|
Date: Tue Mar 18 09:30:44 2008 -0400
|
|
|
|
There were 2 things wrong with auth flavour ordering:
|
|
- Mountd used to advertise AUTH_NULL as the first flavour on
|
|
the list, which means that it prefers AUTH_NULL to anything
|
|
else (as per RFC 2623 section 2.7).
|
|
- Mount.nfs used to scan the returned list in reverse order,
|
|
and stopping at the first AUTH_NULL or AUTH_SYS encountered.
|
|
If a server advertises (AUTH_SYS, AUTH_NULL), it will by
|
|
default choose AUTH_NULL and have degraded access.
|
|
|
|
I've fixed mount.nfs to scan from the beginning. For mountd,
|
|
it does not advertise AUTH_NULL anymore. This is necessary
|
|
to avoid backward compatibility issue. If AUTH_NULL appears
|
|
in the list, either the new or the old client will choose
|
|
that over AUTH_SYS.
|
|
|
|
Tested the server/client combination against the previous
|
|
versions, as well as Solaris and FreeBSD.
|
|
|
|
Signed-off-by: bc Wong <bcwong@cisco.com>
|
|
Signed-off-by: Steve Dickson <steved@redhat.com>
|
|
|
|
--- nfs-utils-1.1.2/utils/mount/nfsmount.c.orig 2008-03-14 11:46:29.000000000 -0400
|
|
+++ nfs-utils-1.1.2/utils/mount/nfsmount.c 2008-03-25 10:18:09.333839000 -0400
|
|
@@ -738,7 +738,7 @@ nfsmount(const char *spec, const char *n
|
|
#if NFS_MOUNT_VERSION >= 4
|
|
mountres3_ok *mountres;
|
|
fhandle3 *fhandle;
|
|
- int i, *flavor, yum = 0;
|
|
+ int i, n_flavors, *flavor, yum = 0;
|
|
if (mntres.nfsv3.fhs_status != 0) {
|
|
nfs_error(_("%s: %s:%s failed, reason given by server: %s"),
|
|
progname, hostname, dirname,
|
|
@@ -747,13 +747,16 @@ nfsmount(const char *spec, const char *n
|
|
}
|
|
#if NFS_MOUNT_VERSION >= 5
|
|
mountres = &mntres.nfsv3.mountres3_u.mountinfo;
|
|
- i = mountres->auth_flavors.auth_flavors_len;
|
|
- if (i <= 0)
|
|
+ n_flavors = mountres->auth_flavors.auth_flavors_len;
|
|
+ if (n_flavors <= 0)
|
|
goto noauth_flavors;
|
|
|
|
flavor = mountres->auth_flavors.auth_flavors_val;
|
|
- while (--i >= 0) {
|
|
- /* If no flavour requested, use first simple
|
|
+ for (i = 0; i < n_flavors; ++i) {
|
|
+ /*
|
|
+ * Per RFC2623, section 2.7, we should prefer the
|
|
+ * flavour listed first.
|
|
+ * If no flavour requested, use the first simple
|
|
* flavour that is offered.
|
|
*/
|
|
if (! (data.flags & NFS_MOUNT_SECFLAVOUR) &&
|
|
--- nfs-utils-1.1.2/utils/mountd/mountd.c.orig 2008-03-14 11:46:29.000000000 -0400
|
|
+++ nfs-utils-1.1.2/utils/mountd/mountd.c 2008-03-25 10:18:09.339833000 -0400
|
|
@@ -342,7 +342,14 @@ mount_mnt_3_svc(struct svc_req *rqstp, d
|
|
#define AUTH_GSS_KRB5 390003
|
|
#define AUTH_GSS_KRB5I 390004
|
|
#define AUTH_GSS_KRB5P 390005
|
|
- static int flavors[] = { AUTH_NULL, AUTH_UNIX, AUTH_GSS_KRB5, AUTH_GSS_KRB5I, AUTH_GSS_KRB5P};
|
|
+ static int flavors[] = { AUTH_UNIX, AUTH_GSS_KRB5, AUTH_GSS_KRB5I, AUTH_GSS_KRB5P};
|
|
+ /*
|
|
+ * We should advertise the preferred flavours first. (See RFC 2623
|
|
+ * section 2.7.) AUTH_UNIX is arbitrarily ranked over the GSS's.
|
|
+ * AUTH_NULL is dropped from the list to avoid backward compatibility
|
|
+ * issue with older Linux clients, who inspect the list in reversed
|
|
+ * order.
|
|
+ */
|
|
struct nfs_fh_len *fh;
|
|
|
|
xlog(D_CALL, "MNT3(%s) called", *path);
|