FreeBSD Bugzilla – Attachment 164098 Details for
Bug 205193
jail accessing NFSv4 mount causes syslog spam
[patch]
make nfsuserd use an AF_LOCAL socket
nfsuserd-aflocal.patch (text/plain), 4.57 KB, created by
Rick Macklem
on 2015-12-11 02:34:38 UTC
Description:
make nfsuserd use an AF_LOCAL socket
Filename:
MIME Type:
Creator:
Rick Macklem
Created:
2015-12-11 02:34:38 UTC
Size:
4.57 KB
patch
obsolete
>--- usr.sbin/nfsuserd/nfsuserd.c.sav 2015-12-09 18:46:29.284972000 -0500
>+++ usr.sbin/nfsuserd/nfsuserd.c 2015-12-10 21:35:17.505343000 -0500
>@@ -35,6 +35,7 @@ __FBSDID("$FreeBSD: head/usr.sbin/nfsuse
> #include <sys/mount.h>
> #include <sys/socket.h>
> #include <sys/socketvar.h>
>+#include <sys/stat.h>
> #include <sys/time.h>
> #include <sys/ucred.h>
> #include <sys/vnode.h>
>@@ -43,6 +44,7 @@ __FBSDID("$FreeBSD: head/usr.sbin/nfsuse
> #include <nfs/nfssvc.h>
>
> #include <rpc/rpc.h>
>+#include <rpc/rpc_com.h>
>
> #include <fs/nfs/rpcv2.h>
> #include <fs/nfs/nfsproto.h>
>@@ -73,6 +75,9 @@ static bool_t xdr_getid(XDR *, caddr_t);
> static bool_t xdr_getname(XDR *, caddr_t);
> static bool_t xdr_retval(XDR *, caddr_t);
>
>+#ifndef _PATH_NFSUSERDSOCK
>+#define _PATH_NFSUSERDSOCK "/var/run/nfsuserd.sock"
>+#endif
> #define MAXNAME 1024
> #define MAXNFSUSERD 20
> #define DEFNFSUSERD 4
>@@ -103,15 +108,15 @@ main(int argc, char *argv[])
> struct nfsd_idargs nid;
> struct passwd *pwd;
> struct group *grp;
>- int sock, one = 1;
>- SVCXPRT *udptransp;
>- u_short portnum;
>+ int oldmask, sock;
>+ SVCXPRT *xprt;
> sigset_t signew;
> char hostname[MAXHOSTNAMELEN + 1], *cp;
> struct addrinfo *aip, hints;
> static uid_t check_dups[MAXUSERMAX];
> gid_t grps[NGROUPS];
> int ngroup;
>+ struct sockaddr_un sun;
>
> if (modfind("nfscommon") < 0) {
> /* Not present in kernel, try loading it */
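Review bot: The `struct sockaddr_un sun` declaration added in the `@@ -103,15 +108,15 @@` hunk (and the `SUN_LEN` use later in main) depend on `<sys/un.h>`, but the include hunk at `@@ -35,6 +35,7 @@` adds only `<sys/stat.h>`, and its context runs from `<sys/ucred.h>` straight to `<sys/vnode.h>` where a sorted `#include <sys/un.h>` would sit. I cannot tell from this page whether another header (perhaps the new `<rpc/rpc_com.h>`) pulls it in transitively; if not, `#include <sys/un.h>` belongs between those two lines rather than relying on an indirect include. Separately, `oldmask` is declared `int` although `umask()` takes and returns `mode_t`; `mode_t oldmask;` matches the call and avoids a narrowing conversion. main() continues outside the hunk.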
>@@ -245,46 +250,42 @@ main(int argc, char *argv[])
> for (i = 0; i < nfsuserdcnt; i++)
> slaves[i] = (pid_t)-1;
>
>- /*
>- * Set up the service port to accept requests via UDP from
>- * localhost (127.0.0.1).
>- */
>- if ((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0)
>- err(1, "cannot create udp socket");
>-
>- /*
>- * Not sure what this does, so I'll leave it here for now.
>- */
>- setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
>-
>- if ((udptransp = svcudp_create(sock)) == NULL)
>- err(1, "Can't set up socket");
>-
>- /*
>- * By not specifying a protocol, it is linked into the
>- * dispatch queue, but not registered with portmapper,
>- * which is just what I want.
>- */
>- if (!svc_register(udptransp, RPCPROG_NFSUSERD, RPCNFSUSERD_VERS,
>- nfsuserdsrv, 0))
>- err(1, "Can't register nfsuserd");
>+ memset(&sun, 0, sizeof sun);
>+ sun.sun_family = AF_LOCAL;
>+ unlink(_PATH_NFSUSERDSOCK);
>+ strcpy(sun.sun_path, _PATH_NFSUSERDSOCK);
>+ sun.sun_len = SUN_LEN(&sun);
>+ sock = socket(AF_LOCAL, SOCK_STREAM, 0);
>+ if (sock < 0)
>+ err(1, "Can't create local nfsuserd socket");
>+ oldmask = umask(S_IXUSR | S_IRWXG | S_IRWXO);
>+ if (bind(sock, (struct sockaddr *)&sun, sun.sun_len) < 0)
>+ err(1, "Can't bind local nfsuserd socket");
>+ umask(oldmask);
>+ if (listen(sock, SOMAXCONN) < 0)
>+ err(1, "Can't listen on local nfsuserd socket");
>+ xprt = svc_vc_create(sock, RPC_MAXDATASIZE, RPC_MAXDATASIZE);
>+ if (xprt == NULL)
>+ err(1, "Can't create transport for local nfsuserd socket");
>+ if (!svc_reg(xprt, RPCPROG_NFSUSERD, RPCNFSUSERD_VERS, nfsuserdsrv,
>+ NULL))
>+ err(1, "Can't register service for local nfsuserd socket");
>
> /*
>- * Tell the kernel what my port# is.
>+ * Tell the kernel what the socket's path is.
> */
>- portnum = htons(udptransp->xp_port);
> #ifdef DEBUG
>- printf("portnum=0x%x\n", portnum);
>+ printf("sockpath=%s\n", _PATH_NFSUSERDSOCK);
> #else
>- if (nfssvc(NFSSVC_NFSUSERDPORT, (caddr_t)&portnum) < 0) {
>+ if (nfssvc(NFSSVC_NFSUSERDPORT | NFSSVC_NEWSTRUCT, _PATH_NFSUSERDSOCK)
>+ < 0) {
> if (errno == EPERM) {
> fprintf(stderr,
> "Can't start nfsuserd when already running");
> fprintf(stderr,
> " If not running, use the -force option.\n");
>- } else {
>- fprintf(stderr, "Can't do nfssvc() to add port\n");
>- }
>+ } else
>+ fprintf(stderr, "Can't do nfssvc() to add socket\n");
> exit(1);
> }
> #endif
>@@ -455,28 +456,11 @@ nfsuserdsrv(struct svc_req *rqstp, SVCXP
> struct passwd *pwd;
> struct group *grp;
> int error;
>- u_short sport;
> struct info info;
> struct nfsd_idargs nid;
>- u_int32_t saddr;
> gid_t grps[NGROUPS];
> int ngroup;
>
>- /*
>- * Only handle requests from 127.0.0.1 on a reserved port number.
>- * (Since a reserved port # at localhost implies a client with
>- * local root, there won't be a security breach. This is about
>- * the only case I can think of where a reserved port # means
>- * something.)
>- */
>- sport = ntohs(transp->xp_raddr.sin_port);
>- saddr = ntohl(transp->xp_raddr.sin_addr.s_addr);
>- if ((rqstp->rq_proc != NULLPROC && sport >= IPPORT_RESERVED) ||
>- saddr != 0x7f000001) {
>- syslog(LOG_ERR, "req from ip=0x%x port=%d\n", saddr, sport);
>- svcerr_weakauth(transp);
>- return;
>- }
> switch (rqstp->rq_proc) {
> case NULLPROC:
> if (!svc_sendreply(transp, (xdrproc_t)xdr_void, NULL))
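Review bot: `strcpy(sun.sun_path, _PATH_NFSUSERDSOCK)` in the `@@ -245,46 +250,42 @@` hunk is an unbounded copy into the fixed-size `sun_path`; the default `/var/run/nfsuserd.sock` fits, but the `#ifndef` guard deliberately lets a build override `_PATH_NFSUSERDSOCK`, so a longer path would overflow silently — `if (strlcpy(sun.sun_path, _PATH_NFSUSERDSOCK, sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) errx(1, "nfsuserd socket path too long");` turns that into a clean failure. The unconditional `unlink(_PATH_NFSUSERDSOCK)` also runs before the `nfssvc()` call whose EPERM detects an already-running daemon, so a second accidental start appears to remove the live instance's socket name and then exit; at minimum `if (unlink(_PATH_NFSUSERDSOCK) < 0 && errno != ENOENT) err(1, "Can't remove stale nfsuserd socket");` reports real failures, and the "already running" case deserves a comment noting the path has been replaced by then. Because the `@@ -455,28 +456,11 @@` hunk drops the 127.0.0.1/reserved-port peer check from nfsuserdsrv, the `umask(S_IXUSR | S_IRWXG | S_IRWXO)` around `bind()` is now the only control over who can reach the daemon, and that should be stated at the umask line, e.g. `/* Socket is created 0600 in /var/run; its file permissions replace the old reserved-port check as the access control. */`. main() continues outside the hunk.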