Date: Fri, 11 Jan 2008 11:59:04 +0000 (GMT) From: Robert Watson <rwatson@FreeBSD.org> To: Alfred Perlstein <alfred@freebsd.org> Cc: cvs-src@freebsd.org, cvs-all@freebsd.org, src-committers@freebsd.org, John Baldwin <jhb@freebsd.org>, Peter Wemm <peter@wemm.org> Subject: Re: cvs commit: src/sys/nfsclient nfs_socket.c Message-ID: <20080111115353.G63715@fledge.watson.org> In-Reply-To: <20080111023628.GB99258@elvis.mu.org> References: <200801102336.m0ANa0mP035046@repoman.freebsd.org> <20080111010033.GC52842@elvis.mu.org> <e7db6d980801101741j3c0a23aeh25e83b091394e011@mail.gmail.com> <20080111023628.GB99258@elvis.mu.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 10 Jan 2008, Alfred Perlstein wrote: >>>> Pass curthread to various socket routines (socreate(), sobind(), and >>>> soconnect()) instead of &thread0 when establishing a connection to the NFS >>>> server. Otherwise inconsistent credentials may be used when setting up >>>> the NFS socket. >>> >>> I'm not sure, but I think this may be a regression, I seem to recall that >>> a long time ago it was switched to &thread0 because otherwise certain >>> operations can fail due to curthread not running as root. >> >> That's my recollection too. For example, when nfs is configured to bind to >> a priviliged local port for making queries or connections, it had to be >> done as root. With tcp mounts, the connection can be dropped and a >> reconnect required at any time. > > This could be implemented by a handoff to a thread that does the appropriate > setuid call beforehand, or perhaps the credential inconsistencies can be > further expained or fixed. The real bug is that sobind() and soconnect() take threads as arguments, and should either take just credentials or credentials and threads depending on whether they really want a thread as well. I started fixing this a few years ago but it requires touching a lot of stuff (like protosw) so is pretty disruptive. Basically, because they accept a thread as an argument, you can't use the cached mount-time credential to authorize these further socket operations. You don't want to used the cached socket()-time credential, another obvious choice, as you want to be able to have the root user bind()/connect() a socket and then hand it off to unprivileged processes to use without being able to rebind/connect with privilege. Possibly the above change should be modified to use curthread for UDP and thread0 for TCP, as TCP can be reconnected but may not have the bind problem John is running into, whereas UDP won't be reconnected? Robert N M Watson Computer Laboratory University of Cambridge
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080111115353.G63715>