From owner-dev-commits-src-all@freebsd.org Sat Jun 5 03:34:28 2021 Return-Path: Delivered-To: dev-commits-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 9EB6363A732; Sat, 5 Jun 2021 03:34:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FxlcN2GMZz3qfm; Sat, 5 Jun 2021 03:34:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 36AC8143E; Sat, 5 Jun 2021 03:34:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1553YSwH077177; Sat, 5 Jun 2021 03:34:28 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1553YSVA077176; Sat, 5 Jun 2021 03:34:28 GMT (envelope-from git) Date: Sat, 5 Jun 2021 03:34:28 GMT Message-Id: <202106050334.1553YSVA077176@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Rick Macklem Subject: git: 56e9d8e38e7e - main - nfsd: Fix NFSv4.1/4.2 Secinfo_no_name when security flavors empty MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: rmacklem X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 56e9d8e38e7eed84901acddca24170eb352d2ed6 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for all branches of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Jun 2021 03:34:28 -0000 The branch main has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=56e9d8e38e7eed84901acddca24170eb352d2ed6 commit 56e9d8e38e7eed84901acddca24170eb352d2ed6 Author: Rick Macklem AuthorDate: 2021-06-05 03:31:20 +0000 Commit: Rick Macklem CommitDate: 2021-06-05 03:31:20 +0000 nfsd: Fix NFSv4.1/4.2 Secinfo_no_name when security flavors empty Commit 947bd2479ba9 added support for the Secinfo_no_name operation. When a non-exported file system is being traversed, the list of security flavors is empty. It turns out that the Linux client mount attempt fails when the security flavors list in the Secinfo_no_name reply is empty. This patch modifies Secinfo/Secinfo_no_name so that it replies with all four security flavors when the list is empty. This fixes Linux NFSv4.1/4.2 mounts when the file system at the NFSv4 root (as specified on a V4: exports(5) line) is not exported. MFC after: 2 weeks --- sys/fs/nfsserver/nfs_nfsdserv.c | 50 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/sys/fs/nfsserver/nfs_nfsdserv.c b/sys/fs/nfsserver/nfs_nfsdserv.c index f4d6dbe42a21..d7049ba1fed8 100644 --- a/sys/fs/nfsserver/nfs_nfsdserv.c +++ b/sys/fs/nfsserver/nfs_nfsdserv.c @@ -3709,6 +3709,31 @@ nfsrvd_secinfo(struct nfsrv_descript *nd, int isdgram, */ len = 0; NFSM_BUILD(sizp, u_int32_t *, NFSX_UNSIGNED); + + /* If nes_numsecflavor == 0, all are allowed. */ + if (retnes.nes_numsecflavor == 0) { + NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED); + *tl++ = txdr_unsigned(RPCAUTH_UNIX); + *tl = txdr_unsigned(RPCAUTH_GSS); + nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str, + nfsgss_mechlist[KERBV_MECH].len); + NFSM_BUILD(tl, uint32_t *, 3 * NFSX_UNSIGNED); + *tl++ = txdr_unsigned(GSS_KERBV_QOP); + *tl++ = txdr_unsigned(RPCAUTHGSS_SVCNONE); + *tl = txdr_unsigned(RPCAUTH_GSS); + nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str, + nfsgss_mechlist[KERBV_MECH].len); + NFSM_BUILD(tl, uint32_t *, 3 * NFSX_UNSIGNED); + *tl++ = txdr_unsigned(GSS_KERBV_QOP); + *tl++ = txdr_unsigned(RPCAUTHGSS_SVCINTEGRITY); + *tl = txdr_unsigned(RPCAUTH_GSS); + nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str, + nfsgss_mechlist[KERBV_MECH].len); + NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED); + *tl++ = txdr_unsigned(GSS_KERBV_QOP); + *tl = txdr_unsigned(RPCAUTHGSS_SVCPRIVACY); + len = 4; + } for (i = 0; i < retnes.nes_numsecflavor; i++) { if (retnes.nes_secflavors[i] == AUTH_SYS) { NFSM_BUILD(tl, u_int32_t *, NFSX_UNSIGNED); @@ -3819,6 +3844,31 @@ nfsrvd_secinfononame(struct nfsrv_descript *nd, int isdgram, */ len = 0; NFSM_BUILD(sizp, uint32_t *, NFSX_UNSIGNED); + + /* If nes_numsecflavor == 0, all are allowed. */ + if (retnes.nes_numsecflavor == 0) { + NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED); + *tl++ = txdr_unsigned(RPCAUTH_UNIX); + *tl = txdr_unsigned(RPCAUTH_GSS); + nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str, + nfsgss_mechlist[KERBV_MECH].len); + NFSM_BUILD(tl, uint32_t *, 3 * NFSX_UNSIGNED); + *tl++ = txdr_unsigned(GSS_KERBV_QOP); + *tl++ = txdr_unsigned(RPCAUTHGSS_SVCNONE); + *tl = txdr_unsigned(RPCAUTH_GSS); + nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str, + nfsgss_mechlist[KERBV_MECH].len); + NFSM_BUILD(tl, uint32_t *, 3 * NFSX_UNSIGNED); + *tl++ = txdr_unsigned(GSS_KERBV_QOP); + *tl++ = txdr_unsigned(RPCAUTHGSS_SVCINTEGRITY); + *tl = txdr_unsigned(RPCAUTH_GSS); + nfsm_strtom(nd, nfsgss_mechlist[KERBV_MECH].str, + nfsgss_mechlist[KERBV_MECH].len); + NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED); + *tl++ = txdr_unsigned(GSS_KERBV_QOP); + *tl = txdr_unsigned(RPCAUTHGSS_SVCPRIVACY); + len = 4; + } for (i = 0; i < retnes.nes_numsecflavor; i++) { if (retnes.nes_secflavors[i] == AUTH_SYS) { NFSM_BUILD(tl, uint32_t *, NFSX_UNSIGNED);