Add code that will reject nfs requests in the kernel from nonprivileged
ports. This option will be automatically set/cleared when mount is run without/with the -n option. Reviewed by: Doug Rabson
This commit is contained in:
parent
f55f3f4693
commit
394da4c167
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=24330
@ -43,7 +43,7 @@ static char copyright[] =
|
||||
#ifndef lint
|
||||
/*static char sccsid[] = "@(#)mountd.c 8.15 (Berkeley) 5/1/95"; */
|
||||
static const char rcsid[] =
|
||||
"$Id: mountd.c,v 1.13 1997/02/22 14:33:02 peter Exp $";
|
||||
"$Id: mountd.c,v 1.14 1997/03/11 12:43:45 peter Exp $";
|
||||
#endif /*not lint*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -54,6 +54,7 @@ static const char rcsid[] =
|
||||
#include <sys/stat.h>
|
||||
#include <sys/syslog.h>
|
||||
#include <sys/ucred.h>
|
||||
#include <sys/sysctl.h>
|
||||
|
||||
#include <rpc/rpc.h>
|
||||
#include <rpc/pmap_clnt.h>
|
||||
@ -63,6 +64,7 @@ static const char rcsid[] =
|
||||
#endif
|
||||
#include <nfs/rpcv2.h>
|
||||
#include <nfs/nfsproto.h>
|
||||
#include <nfs/nfs.h>
|
||||
#include <ufs/ufs/ufsmount.h>
|
||||
#include <msdosfs/msdosfsmount.h>
|
||||
#include <isofs/cd9660/cd9660_mount.h> /* XXX need isofs in include */
|
||||
@ -255,6 +257,7 @@ main(argc, argv)
|
||||
#ifdef __FreeBSD__
|
||||
struct vfsconf vfc;
|
||||
int error;
|
||||
int mib[3];
|
||||
|
||||
error = getvfsbyname("nfs", &vfc);
|
||||
if (error && vfsisloadable("nfs")) {
|
||||
@ -314,6 +317,16 @@ main(argc, argv)
|
||||
fclose(pidfile);
|
||||
}
|
||||
}
|
||||
|
||||
mib[0] = CTL_VFS;
|
||||
mib[1] = MOUNT_NFS;
|
||||
mib[2] = NFS_NFSPRIVPORT;
|
||||
if (sysctl(mib, 3, NULL, NULL,
|
||||
&resvport_only, sizeof(resvport_only)) != 0) {
|
||||
syslog(LOG_ERR, "sysctl: %m");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if ((udptransp = svcudp_create(RPC_ANYSOCK)) == NULL ||
|
||||
(tcptransp = svctcp_create(RPC_ANYSOCK, 0, 0)) == NULL) {
|
||||
syslog(LOG_ERR, "Can't create socket");
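Review bot: The new sysctl write unconditionally overwrites `vfs.nfs.nfsprivport` with mountd's own `resvport_only` every time mountd starts, so a value an administrator set by hand is silently replaced, and in particular starting mountd with -n turns the kernel-side port check off system-wide; a comment should say so, e.g. `/* Propagate -n to the kernel; this replaces any value set directly via sysctl. */`. The `exit(1)` on sysctl failure runs after the pid file has just been written and closed, leaving a stale pid file behind; either unlink it on this path or move the sysctl call ahead of the pid-file creation. `resvport_only` is declared outside the hunk, so confirm it is an `int` to match `CTLTYPE_INT` and the `sizeof` passed here, and `mib` is declared under `#ifdef __FreeBSD__` while this use is not visibly guarded, so confirm the ifdef still encloses it. main() starts and ends outside the hunk.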
|
||||
|
@ -34,7 +34,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
|
||||
* $Id$
|
||||
* $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
|
||||
*/
|
||||
|
||||
#ifndef _NFS_NFS_H_
|
||||
@ -324,10 +324,12 @@ struct nfsstats {
|
||||
* fs.nfs sysctl(3) identifiers
|
||||
*/
|
||||
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
|
||||
#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
|
||||
|
||||
#define FS_NFS_NAMES { \
|
||||
{ 0, 0 }, \
|
||||
{ "nfsstats", CTLTYPE_STRUCT }, \
|
||||
{ "nfsprivport", CTLTYPE_INT }, \
|
||||
}
|
||||
|
||||
/*
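Review bot: The comment on `NFS_NFSPRIVPORT`, `/* int: prohibit nfs to resvports */`, states the opposite of what the knob does: when set, the kernel rejects NFS requests whose source port is not a reserved port. Replace it with `/* int: accept NFS requests only from reserved (<IPPORT_RESERVED) source ports */`. It is also worth a one-line caveat next to it that a reserved source port only shows the client had root on its own host, so this is a deterrent on trusted networks rather than authentication.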
|
||||
|
@ -34,7 +34,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)nfs_syscalls.c 8.5 (Berkeley) 3/30/95
|
||||
* $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
|
||||
* $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -107,6 +107,10 @@ static void nfsd_rt __P((int sotype, struct nfsrv_descript *nd,
|
||||
int cacherep));
|
||||
static int nfssvc_addsock __P((struct file *,struct mbuf *));
|
||||
static int nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
|
||||
|
||||
static int nfs_privport = 0;
|
||||
SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
|
||||
|
||||
/*
|
||||
* NFS server system calls
|
||||
* getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
|
||||
@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
|
||||
nd->nd_procnum = NFSPROC_NOOP;
|
||||
nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
|
||||
cacherep = RC_DOIT;
|
||||
} else if (nfs_privport) {
|
||||
/* Check if source port is privileged */
|
||||
u_short port;
|
||||
u_long addr;
|
||||
struct mbuf *nam = nd->nd_nam;
|
||||
struct sockaddr_in *sin;
|
||||
|
||||
sin = mtod(nam, struct sockaddr_in *);
|
||||
port = ntohs(sin->sin_port);
|
||||
if (port >= IPPORT_RESERVED) {
|
||||
nd->nd_procnum = NFSPROC_NOOP;
|
||||
nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
|
||||
cacherep = RC_DOIT;
|
||||
printf("NFS request from unprivileged port (%s:%d)\n",
|
||||
inet_ntoa(sin->sin_addr), port);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/*
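Review bot: The rejection branch logs with an unconditional kernel `printf` for every request arriving from a non-reserved port, so any host that can reach the server can flood the console and kernel log just by sending NFS packets; gate the message behind a rate limit or counter (or a debug-only path) and let the silent AUTH_TOOWEAK reply be the enforcement, noting that `inet_ntoa` in the kernel typically formats into a static buffer as well. The hunk casts `nd_nam` to `struct sockaddr_in *` without checking the family; if nfsd sockets can ever carry a non-AF_INET address (not visible here), add `sin->sin_family == AF_INET &&` before the port comparison, and `u_long addr` is declared but never used and should be dropped. The `SYSCTL_INT(... "")` leaves the description empty; `"Reject NFS requests from non-reserved source ports"` would document it, ideally with a comment that this only deters non-root clients on trusted networks since any root user or non-UNIX host can bind a reserved port. nfssvc_nfsd starts and ends outside the hunk.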
|
||||
|
@ -34,7 +34,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
|
||||
* $Id$
|
||||
* $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
|
||||
*/
|
||||
|
||||
#ifndef _NFS_NFS_H_
|
||||
@ -324,10 +324,12 @@ struct nfsstats {
|
||||
* fs.nfs sysctl(3) identifiers
|
||||
*/
|
||||
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
|
||||
#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
|
||||
|
||||
#define FS_NFS_NAMES { \
|
||||
{ 0, 0 }, \
|
||||
{ "nfsstats", CTLTYPE_STRUCT }, \
|
||||
{ "nfsprivport", CTLTYPE_INT }, \
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -34,7 +34,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)nfs_syscalls.c 8.5 (Berkeley) 3/30/95
|
||||
* $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
|
||||
* $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -107,6 +107,10 @@ static void nfsd_rt __P((int sotype, struct nfsrv_descript *nd,
|
||||
int cacherep));
|
||||
static int nfssvc_addsock __P((struct file *,struct mbuf *));
|
||||
static int nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
|
||||
|
||||
static int nfs_privport = 0;
|
||||
SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
|
||||
|
||||
/*
|
||||
* NFS server system calls
|
||||
* getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
|
||||
@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
|
||||
nd->nd_procnum = NFSPROC_NOOP;
|
||||
nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
|
||||
cacherep = RC_DOIT;
|
||||
} else if (nfs_privport) {
|
||||
/* Check if source port is privileged */
|
||||
u_short port;
|
||||
u_long addr;
|
||||
struct mbuf *nam = nd->nd_nam;
|
||||
struct sockaddr_in *sin;
|
||||
|
||||
sin = mtod(nam, struct sockaddr_in *);
|
||||
port = ntohs(sin->sin_port);
|
||||
if (port >= IPPORT_RESERVED) {
|
||||
nd->nd_procnum = NFSPROC_NOOP;
|
||||
nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
|
||||
cacherep = RC_DOIT;
|
||||
printf("NFS request from unprivileged port (%s:%d)\n",
|
||||
inet_ntoa(sin->sin_addr), port);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -34,7 +34,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
|
||||
* $Id$
|
||||
* $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
|
||||
*/
|
||||
|
||||
#ifndef _NFS_NFS_H_
|
||||
@ -324,10 +324,12 @@ struct nfsstats {
|
||||
* fs.nfs sysctl(3) identifiers
|
||||
*/
|
||||
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
|
||||
#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
|
||||
|
||||
#define FS_NFS_NAMES { \
|
||||
{ 0, 0 }, \
|
||||
{ "nfsstats", CTLTYPE_STRUCT }, \
|
||||
{ "nfsprivport", CTLTYPE_INT }, \
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -34,7 +34,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
|
||||
* $Id$
|
||||
* $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
|
||||
*/
|
||||
|
||||
#ifndef _NFS_NFS_H_
|
||||
@ -324,10 +324,12 @@ struct nfsstats {
|
||||
* fs.nfs sysctl(3) identifiers
|
||||
*/
|
||||
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
|
||||
#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
|
||||
|
||||
#define FS_NFS_NAMES { \
|
||||
{ 0, 0 }, \
|
||||
{ "nfsstats", CTLTYPE_STRUCT }, \
|
||||
{ "nfsprivport", CTLTYPE_INT }, \
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -34,7 +34,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
|
||||
* $Id$
|
||||
* $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
|
||||
*/
|
||||
|
||||
#ifndef _NFS_NFS_H_
|
||||
@ -324,10 +324,12 @@ struct nfsstats {
|
||||
* fs.nfs sysctl(3) identifiers
|
||||
*/
|
||||
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
|
||||
#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
|
||||
|
||||
#define FS_NFS_NAMES { \
|
||||
{ 0, 0 }, \
|
||||
{ "nfsstats", CTLTYPE_STRUCT }, \
|
||||
{ "nfsprivport", CTLTYPE_INT }, \
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -34,7 +34,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)nfs_syscalls.c 8.5 (Berkeley) 3/30/95
|
||||
* $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
|
||||
* $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -107,6 +107,10 @@ static void nfsd_rt __P((int sotype, struct nfsrv_descript *nd,
|
||||
int cacherep));
|
||||
static int nfssvc_addsock __P((struct file *,struct mbuf *));
|
||||
static int nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
|
||||
|
||||
static int nfs_privport = 0;
|
||||
SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
|
||||
|
||||
/*
|
||||
* NFS server system calls
|
||||
* getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
|
||||
@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
|
||||
nd->nd_procnum = NFSPROC_NOOP;
|
||||
nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
|
||||
cacherep = RC_DOIT;
|
||||
} else if (nfs_privport) {
|
||||
/* Check if source port is privileged */
|
||||
u_short port;
|
||||
u_long addr;
|
||||
struct mbuf *nam = nd->nd_nam;
|
||||
struct sockaddr_in *sin;
|
||||
|
||||
sin = mtod(nam, struct sockaddr_in *);
|
||||
port = ntohs(sin->sin_port);
|
||||
if (port >= IPPORT_RESERVED) {
|
||||
nd->nd_procnum = NFSPROC_NOOP;
|
||||
nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
|
||||
cacherep = RC_DOIT;
|
||||
printf("NFS request from unprivileged port (%s:%d)\n",
|
||||
inet_ntoa(sin->sin_addr), port);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -34,7 +34,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
|
||||
* $Id$
|
||||
* $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
|
||||
*/
|
||||
|
||||
#ifndef _NFS_NFS_H_
|
||||
@ -324,10 +324,12 @@ struct nfsstats {
|
||||
* fs.nfs sysctl(3) identifiers
|
||||
*/
|
||||
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
|
||||
#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
|
||||
|
||||
#define FS_NFS_NAMES { \
|
||||
{ 0, 0 }, \
|
||||
{ "nfsstats", CTLTYPE_STRUCT }, \
|
||||
{ "nfsprivport", CTLTYPE_INT }, \
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -43,7 +43,7 @@ static char copyright[] =
|
||||
#ifndef lint
|
||||
/*static char sccsid[] = "@(#)mountd.c 8.15 (Berkeley) 5/1/95"; */
|
||||
static const char rcsid[] =
|
||||
"$Id: mountd.c,v 1.13 1997/02/22 14:33:02 peter Exp $";
|
||||
"$Id: mountd.c,v 1.14 1997/03/11 12:43:45 peter Exp $";
|
||||
#endif /*not lint*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -54,6 +54,7 @@ static const char rcsid[] =
|
||||
#include <sys/stat.h>
|
||||
#include <sys/syslog.h>
|
||||
#include <sys/ucred.h>
|
||||
#include <sys/sysctl.h>
|
||||
|
||||
#include <rpc/rpc.h>
|
||||
#include <rpc/pmap_clnt.h>
|
||||
@ -63,6 +64,7 @@ static const char rcsid[] =
|
||||
#endif
|
||||
#include <nfs/rpcv2.h>
|
||||
#include <nfs/nfsproto.h>
|
||||
#include <nfs/nfs.h>
|
||||
#include <ufs/ufs/ufsmount.h>
|
||||
#include <msdosfs/msdosfsmount.h>
|
||||
#include <isofs/cd9660/cd9660_mount.h> /* XXX need isofs in include */
|
||||
@ -255,6 +257,7 @@ main(argc, argv)
|
||||
#ifdef __FreeBSD__
|
||||
struct vfsconf vfc;
|
||||
int error;
|
||||
int mib[3];
|
||||
|
||||
error = getvfsbyname("nfs", &vfc);
|
||||
if (error && vfsisloadable("nfs")) {
|
||||
@ -314,6 +317,16 @@ main(argc, argv)
|
||||
fclose(pidfile);
|
||||
}
|
||||
}
|
||||
|
||||
mib[0] = CTL_VFS;
|
||||
mib[1] = MOUNT_NFS;
|
||||
mib[2] = NFS_NFSPRIVPORT;
|
||||
if (sysctl(mib, 3, NULL, NULL,
|
||||
&resvport_only, sizeof(resvport_only)) != 0) {
|
||||
syslog(LOG_ERR, "sysctl: %m");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if ((udptransp = svcudp_create(RPC_ANYSOCK)) == NULL ||
|
||||
(tcptransp = svctcp_create(RPC_ANYSOCK, 0, 0)) == NULL) {
|
||||
syslog(LOG_ERR, "Can't create socket");
|
||||
|