authorrwatson <rwatson@FreeBSD.org>2007-04-21 18:11:19 +0000
committerrwatson <rwatson@FreeBSD.org>2007-04-21 18:11:19 +0000
commit32f12b60cc993453e0419d55699f883edd7feeb5 (patch)
treec01699d851b69d7ae36f215085155bda57bc12f7 /sys/nfsclient
parentcca3de2c55be08432928aafb01996eb30f5ebcf0 (diff)
Attempt to rationalize NFS privileges:
- Replace PRIV_NFSD with PRIV_NFS_DAEMON, add PRIV_NFS_LOCKD. - Use PRIV_NFS_DAEMON in the NFS server. - In the NFS client, move the privilege check from nfslockdans(), which occurs every time a write is performed on /dev/nfslock, and instead do it in nfslock_open() just once. This allows us to avoid checking the saved uid for root, and just use the effective on open. Use PRIV_NFS_LOCKD.
Diffstat (limited to 'sys/nfsclient')
-rw-r--r--sys/nfsclient/nfs_lock.c16
1 files changed, 5 insertions, 11 deletions
diff --git a/sys/nfsclient/nfs_lock.c b/sys/nfsclient/nfs_lock.c
index 18bf1b2..be334c7 100644
--- a/sys/nfsclient/nfs_lock.c
+++ b/sys/nfsclient/nfs_lock.c
@@ -43,6 +43,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mbuf.h>
#include <sys/mount.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/resourcevar.h>
#include <sys/socket.h>
@@ -85,6 +86,10 @@ nfslock_open(struct cdev *dev, int oflags, int devtype, struct thread *td)
{
int error;
+ error = priv_check(td, PRIV_NFS_LOCKD);
+ if (error)
+ return (error);
+
mtx_lock(&nfslock_mtx);
if (!nfslock_isopen) {
error = 0;
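Review bot: The added `priv_check(td, PRIV_NFS_LOCKD)` in nfslock_open() becomes the only authorization on this path once the per-write check is removed from nfslockdans(), so authority now travels with the open descriptor: any process that inherits or is passed it can submit lock answers without holding the privilege. That appears to be the intent, since the commit message says the check moves to open so the saved uid no longer needs testing, but it should be stated in the code, e.g. `/* Privilege is checked once at open; later writes are authorized by possession of the descriptor. */` above the check. The `nfslock_isopen` test just below suggests only one opener is allowed at a time, which would limit the exposure, but the body of nfslock_open() continues outside the hunk, so this cannot be confirmed here.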
@@ -339,17 +344,6 @@ static int
nfslockdans(struct thread *td, struct lockd_ans *ansp)
{
struct proc *targetp;
- int error;
-
- /* Let root, or someone who once was root (lockd generally
- * switches to the daemon uid once it is done setting up) make
- * this call.
- *
- * XXX This authorization check is probably not right.
- */
- if ((error = suser(td)) != 0 &&
- td->td_ucred->cr_svuid != 0)
- return (error);
/* the version should match, or we're out of sync */
if (ansp->la_vers != LOCKD_ANS_VERSION)