authorrwatson <rwatson@FreeBSD.org>2007-04-21 18:11:19 +0000
committerrwatson <rwatson@FreeBSD.org>2007-04-21 18:11:19 +0000
commit32f12b60cc993453e0419d55699f883edd7feeb5 (patch)
treec01699d851b69d7ae36f215085155bda57bc12f7
parentcca3de2c55be08432928aafb01996eb30f5ebcf0 (diff)
Attempt to rationalize NFS privileges:
- Replace PRIV_NFSD with PRIV_NFS_DAEMON, add PRIV_NFS_LOCKD.
- Use PRIV_NFS_DAEMON in the NFS server.
- In the NFS client, move the privilege check from nfslockdans(), which occurs every time a write is performed on /dev/nfslock, and instead do it in nfslock_open() just once. This allows us to avoid checking the saved uid for root, and just use the effective uid on open. Use PRIV_NFS_LOCKD.
-rw-r--r--sys/nfsclient/nfs_lock.c16
-rw-r--r--sys/nfsserver/nfs_syscalls.c2
-rw-r--r--sys/sys/priv.h7
3 files changed, 12 insertions, 13 deletions
diff --git a/sys/nfsclient/nfs_lock.c b/sys/nfsclient/nfs_lock.c
index 18bf1b2..be334c7 100644
--- a/sys/nfsclient/nfs_lock.c
+++ b/sys/nfsclient/nfs_lock.c
@@ -43,6 +43,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mbuf.h>
#include <sys/mount.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/resourcevar.h>
#include <sys/socket.h>
@@ -85,6 +86,10 @@ nfslock_open(struct cdev *dev, int oflags, int devtype, struct thread *td)
{
int error;
+ error = priv_check(td, PRIV_NFS_LOCKD);
+ if (error)
+ return (error);
+
mtx_lock(&nfslock_mtx);
if (!nfslock_isopen) {
error = 0;
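Review bot: With the check moved into nfslock_open(), authorization for lock answers is bound to the open descriptor rather than to the writer's credential, and nothing in the code says so. nfslockdans() (the `@@ -339,17 +344,6 @@` hunk of this file) no longer checks anything visible in that hunk, so any process that inherits or is passed the /dev/nfslock descriptor can submit answers. That appears intended given the commit message, but it deserves a comment above the new check, e.g. `/* Checked once at open: the descriptor is the capability from here on, so lockd may drop privilege but must not leak it. */`. The body of nfslock_open() continues outside the hunk, so the remaining exits of the nfslock_isopen path are not visible here.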
@@ -339,17 +344,6 @@ static int
nfslockdans(struct thread *td, struct lockd_ans *ansp)
{
struct proc *targetp;
- int error;
-
- /* Let root, or someone who once was root (lockd generally
- * switches to the daemon uid once it is done setting up) make
- * this call.
- *
- * XXX This authorization check is probably not right.
- */
- if ((error = suser(td)) != 0 &&
- td->td_ucred->cr_svuid != 0)
- return (error);
/* the version should match, or we're out of sync */
if (ansp->la_vers != LOCKD_ANS_VERSION)
diff --git a/sys/nfsserver/nfs_syscalls.c b/sys/nfsserver/nfs_syscalls.c
index f81900b..ab247ea 100644
--- a/sys/nfsserver/nfs_syscalls.c
+++ b/sys/nfsserver/nfs_syscalls.c
@@ -139,7 +139,7 @@ nfssvc(struct thread *td, struct nfssvc_args *uap)
if (error)
return (error);
#endif
- error = priv_check(td, PRIV_NFSD);
+ error = priv_check(td, PRIV_NFS_DAEMON);
if (error)
return (error);
NET_LOCK_GIANT();
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 87181ca..2b215c8 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -72,7 +72,6 @@
#define PRIV_MAXPROC 4 /* Exceed system processes limit. */
#define PRIV_KTRACE 5 /* Set/clear KTRFAC_ROOT on ktrace. */
#define PRIV_SETDUMPER 6 /* Configure dump device. */
-#define PRIV_NFSD 7 /* Can become NFS daemon. */
#define PRIV_REBOOT 8 /* Can reboot system. */
#define PRIV_SWAPON 9 /* Can swapon(). */
#define PRIV_SWAPOFF 10 /* Can swapoff(). */
@@ -236,6 +235,12 @@
to/from jails. */
/*
+ * NFS-specific privileges.
+ */
+#define PRIV_NFS_DAEMON 290 /* Can become the NFS daemon. */
+#define PRIV_NFS_LOCKD 291 /* Can become NFS lock daemon. */
+
+/*
* VFS privileges.
*/
#define PRIV_VFS_READ 310 /* Override vnode DAC read perm. */