Re: NFS expert, please diagnose this

To: joost@rulcmc.leidenuniv.nl (joost witteveen)
Cc: debian-user@lists.debian.org
Subject: Re: NFS expert, please diagnose this
From: Martin Str|mberg <ams@ludd.luth.se>
Date: Fri, 3 Oct 1997 00:50:46 +0200 (MET DST)
Message-id: <[🔎] 199710022250.XAA00935@zed.ludd.luth.se>
In-reply-to: <m0xG93j-000CLKC@rulcmc.leidenuniv.nl> from joost witteveen at "Sep 30, 97 10:38:19 pm"

Hello.


I think I see the problem with regard to setuid programs and nfs.
It's in the kernel.

It's in the file kernel-source-2.0.27/fs/nfs/proc.c.
Alas the same code is repeated in several places, so I'm not sure how to
fix it: there must be a reason for exact this coding.

Does anybody here know what to do? Or know whom I might contact to get a
second opinion?


Thanks,

							MartinS


Here follows a snippet from the above mentioned file and an possible scenario
(the one that makes at fail if /var/spool/cron/atjobs is on a nfs mounted
partition) to illustrate the problem:
---- Start of proc.c snippet. ----
[...]
int nfs_proc_lookup(struct nfs_server *server, struct nfs_fh *dir, const char *n
ame,
                    struct nfs_fh *fhandle, struct nfs_fattr *fattr)
{
        int *p, *p0;
        int status;
        int ruid = 0;

        PRINTK("NFS call  lookup %s\n", name);
#ifdef NFS_PROC_DEBUG
        if (!strcmp(name, "xyzzy"))
                proc_debug = 1 - proc_debug;
#endif
        if (!(p0 = nfs_rpc_alloc(server->rsize)))
                return -EIO;
retry:
        p = nfs_rpc_header(p0, NFSPROC_LOOKUP, ruid);
        p = xdr_encode_fhandle(p, dir);
        p = xdr_encode_string(p, name);
        if ((status = nfs_rpc_call(server, p0, p, server->rsize)) < 0) {
                nfs_rpc_free(p0);
                return status;
        }
        if (!(p = nfs_rpc_verify(p0)))
                status = -errno_NFSERR_IO;
        else if ((status = ntohl(*p++)) == NFS_OK) {
                p = xdr_decode_fhandle(p, fhandle);
                p = xdr_decode_fattr(p, fattr);
                PRINTK("NFS reply lookup\n");
                /* status = 0; */
        }
        else {
                if (!ruid && current->fsuid == 0 && current->uid != 0) {
                        ruid = 1;
                        goto retry;
                }
                PRINTK("NFS reply lookup failed = %d\n", status);
                status = -nfs_stat_to_errno(status);
        }
        nfs_rpc_free(p0);
        return status;
}

[...]

static int *nfs_rpc_header(int *p, int procedure, int ruid)
{
        return rpc_header(p, procedure, NFS_PROGRAM, NFS_VERSION,
                        (ruid ? current->uid : current->fsuid),
                        current->egid, current->groups);
}

[...]
---- End of proc.c snippet. ----

Now first ruid is initialised to 0. First time around we fail looking up the
file and status (what is supposed to be propagated to errno) is set to 2
(ENOENT), so the statements "ruid = 1;" and "goto retry;" is executed.

Second time around the lookup will be performed as current->uid, which
obviously fail (as the directory is only writeable for root), hence
status (and after that errno) is set to 13 (EACCES).

Comments?


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to:

Prev by Date: Re: mke2fs
Next by Date: AutoPPP/mgetty questions
Previous by thread: Re: screenshot in xfree86
Next by thread: AutoPPP/mgetty questions
Index(es):
- Date
- Thread