FreeBSD Bugzilla – Attachment 202117 Details for
Bug 205193
jail accessing NFSv4 mount causes syslog spam
[patch]
modify nfsuserd so that it checks what 127.0.0.1 maps to
nfsuserd-ip4.patch (text/plain), 3.58 KB, created by
Rick Macklem
on 2019-02-18 02:12:30 UTC
Description:
modify nfsuserd so that it checks what 127.0.0.1 maps to
Filename:
MIME Type:
Creator:
Rick Macklem
Created:
2019-02-18 02:12:30 UTC
Size:
3.58 KB
patch
obsolete
>--- usr.sbin/nfsuserd/nfsuserd.c.sav 2019-02-12 21:35:52.153401000 -0500
>+++ usr.sbin/nfsuserd/nfsuserd.c 2019-02-17 21:48:44.804443000 -0500
>@@ -40,6 +40,10 @@ __FBSDID("$FreeBSD: head/usr.sbin/nfsuse
> #include <sys/vnode.h>
> #include <sys/wait.h>
>
>+#include <netinet/in.h>
>+
>+#include <arpa/inet.h>
>+
> #include <nfs/nfssvc.h>
>
> #include <rpc/rpc.h>
>@@ -72,6 +76,7 @@ static void nfsuserdsrv(struct svc_req *
> static bool_t xdr_getid(XDR *, caddr_t);
> static bool_t xdr_getname(XDR *, caddr_t);
> static bool_t xdr_retval(XDR *, caddr_t);
>+static int nfsbind_localhost(void);
>
> #define MAXNAME 1024
> #define MAXNFSUSERD 20
>@@ -94,6 +99,7 @@ gid_t defaultgid = 65533;
> int verbose = 0, im_a_slave = 0, nfsuserdcnt = -1, forcestart = 0;
> int defusertimeout = DEFUSERTIMEOUT, manage_gids = 0;
> pid_t slaves[MAXNFSUSERD];
>+static struct sockaddr_in fromip;
>
> int
> main(int argc, char *argv[])
>@@ -144,6 +150,9 @@ main(int argc, char *argv[])
> }
> }
> }
>+
>+ fromip.sin_addr.s_addr = inet_addr("127.0.0.1");
>+
> nid.nid_usermax = DEFUSERMAX;
> nid.nid_usertimeout = defusertimeout;
>
>@@ -460,24 +469,43 @@ nfsuserdsrv(struct svc_req *rqstp, SVCXP
> u_short sport;
> struct info info;
> struct nfsd_idargs nid;
>- u_int32_t saddr;
> gid_t grps[NGROUPS];
> int ngroup;
>+ struct sockaddr_in *sin;
>+ int ret;
>
> /*
>- * Only handle requests from 127.0.0.1 on a reserved port number.
>+ * Only handle requests from localhost on a reserved port number.
>+ * If the upcall is from a different address, call nfsbind_localhost()
>+ * to check for a remapping of localhost, due to jails.
> * (Since a reserved port # at localhost implies a client with
> * local root, there won't be a security breach. This is about
> * the only case I can think of where a reserved port # means
> * something.)
> */
>- sport = ntohs(transp->xp_raddr.sin_port);
>- saddr = ntohl(transp->xp_raddr.sin_addr.s_addr);
>- if ((rqstp->rq_proc != NULLPROC && sport >= IPPORT_RESERVED) ||
>- saddr != 0x7f000001) {
>- syslog(LOG_ERR, "req from ip=0x%x port=%d\n", saddr, sport);
>- svcerr_weakauth(transp);
>- return;
>+ if (rqstp->rq_proc != NULLPROC) {
>+ if (transp->xp_rtaddr.len < sizeof(*sin)) {
>+ syslog(LOG_ERR, "xp_rtaddr too small");
>+ svcerr_weakauth(transp);
>+ return;
>+ }
>+ sin = (struct sockaddr_in *)transp->xp_rtaddr.buf;
>+ sport = ntohs(sin->sin_port);
>+ if (sport >= IPPORT_RESERVED) {
>+ syslog(LOG_ERR, "not a reserved port#");
>+ svcerr_weakauth(transp);
>+ return;
>+ }
>+ ret = 1;
>+ if (sin->sin_addr.s_addr != fromip.sin_addr.s_addr)
>+ ret = nfsbind_localhost();
>+ if (ret == 0 || sin->sin_addr.s_addr !=
>+ fromip.sin_addr.s_addr) {
>+ syslog(LOG_ERR, "bad from ip %s",
>+ inet_ntoa(sin->sin_addr));
>+ svcerr_weakauth(transp);
>+ return;
>+ }
> }
> switch (rqstp->rq_proc) {
> case NULLPROC:
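Review bot: The cast `sin = (struct sockaddr_in *)transp->xp_rtaddr.buf;` is guarded only by a length check, so a transport address of another family that is at least `sizeof(*sin)` bytes long (a `sockaddr_in6` would be) is read as IPv4 and its port and address fields are compared against `fromip`; extend the guard to `if (transp->xp_rtaddr.len < sizeof(*sin) || ((struct sockaddr_in *)transp->xp_rtaddr.buf)->sin_family != AF_INET) {` — whether nfsuserd ever registers a non-IPv4 transport is not visible in the hunk. The removed code rejected every request from an address other than 127.0.0.1, NULLPROC included, while the new block skips the source check entirely for NULLPROC; if that is intended, a comment such as `/* NULLPROC is a no-op ping; source is not checked. */` on the `if (rqstp->rq_proc != NULLPROC) {` line would record it. The retained comment still argues that a reserved port at localhost implies local root; once localhost is remapped to a jail address that is a real interface address, the argument presumably also depends on that address not being reachable with a forged source from other hosts, and the comment should state that assumption. Every request from a non-matching address also costs a socket/bind/getsockname round trip and rewrites the global `fromip`, which deserves a why-comment on `ret = nfsbind_localhost();`. nfsuserdsrv's body continues outside the hunk.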
>@@ -718,6 +746,39 @@ cleanup_term(int signo __unused) > exit(0); > } > >+/* >+ * Get the IP address that the localhost address maps to. >+ * This is needed when jails map localhost to another IP address. >+ */ >+static int >+nfsbind_localhost(void) >+{ >+ struct sockaddr_in sad; >+ socklen_t slen; >+ int ret, s; >+ >+ s = socket(PF_INET, SOCK_DGRAM, 0); >+ if (s < 0) >+ return (0); >+ memset(&sad, 0, sizeof(sad)); >+ sad.sin_len = sizeof(sad); >+ sad.sin_family = AF_INET; >+ sad.sin_addr.s_addr = inet_addr("127.0.0.1"); >+ sad.sin_port = 0; >+ ret = bind(s, (struct sockaddr *)&sad, sizeof(sad)); >+ if (ret < 0) { >+ close(s); >+ return (0); >+ } >+ memset(&fromip, 0, sizeof(fromip)); >+ slen = sizeof(fromip); >+ ret = getsockname(s, (struct sockaddr *)&fromip, &slen); >+ close(s); >+ if (ret < 0) >+ return (0); >+ return (1); >+} >+ > static void > usage(void) > {