authorguido <guido@FreeBSD.org>1997-03-27 20:01:07 +0000
committerguido <guido@FreeBSD.org>1997-03-27 20:01:07 +0000
commit8db0f5f4fd48850ac02e218a0086a7032f3ea1fe (patch)
treec5f893968b5aaa8ee18c14efb13319d13bcf80cc /sys/nfsserver
parent223d4ca2d3051129756e410d44cbae4df53bd602 (diff)
downloadFreeBSD-src-8db0f5f4fd48850ac02e218a0086a7032f3ea1fe.zip
FreeBSD-src-8db0f5f4fd48850ac02e218a0086a7032f3ea1fe.tar.gz
Add code that will reject nfs requests in the kernel from nonprivileged
ports. This option will be automatically set/cleared when mount is run without/with the -n option. Reviewed by: Doug Rabson
Diffstat (limited to 'sys/nfsserver')
-rw-r--r--sys/nfsserver/nfs.h4
-rw-r--r--sys/nfsserver/nfs_syscalls.c23
-rw-r--r--sys/nfsserver/nfsrvstats.h4
3 files changed, 28 insertions, 3 deletions
diff --git a/sys/nfsserver/nfs.h b/sys/nfsserver/nfs.h
index 6aaa1da..dd71abe 100644
--- a/sys/nfsserver/nfs.h
+++ b/sys/nfsserver/nfs.h
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
*/
#ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
* fs.nfs sysctl(3) identifiers
*/
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
#define FS_NFS_NAMES { \
{ 0, 0 }, \
{ "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
}
/*
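Review bot: The comment on the new define, `/* int: prohibit nfs to resvports */`, says the opposite of what the knob does: when it is set, requests that do not arrive from a reserved port are rejected (see the nfs_syscalls.c hunk), so `/* int: require NFS requests from reserved ports */` describes it correctly. The same hunk appears verbatim in sys/nfsserver/nfsrvstats.h (same index 6aaa1da..dd71abe as nfs.h), so the wording needs the same fix there. It is worth adding to that comment that this is only a trust-the-client-host control, since it relies on the client side restricting reserved ports to privileged processes.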
diff --git a/sys/nfsserver/nfs_syscalls.c b/sys/nfsserver/nfs_syscalls.c
index 83cd64d..396dff8 100644
--- a/sys/nfsserver/nfs_syscalls.c
+++ b/sys/nfsserver/nfs_syscalls.c
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs_syscalls.c 8.5 (Berkeley) 3/30/95
- * $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
+ * $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
*/
#include <sys/param.h>
@@ -107,6 +107,10 @@ static void nfsd_rt __P((int sotype, struct nfsrv_descript *nd,
int cacherep));
static int nfssvc_addsock __P((struct file *,struct mbuf *));
static int nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
+
+static int nfs_privport = 0;
+SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
+
/*
* NFS server system calls
* getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
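Review bot: The description string passed to SYSCTL_INT for the new `nfs_privport` knob is empty, so the sysctl is undocumented to anyone listing it; something like `"Reject NFS requests from unprivileged (non-reserved) source ports"` would do. The variable's default of 0 means the check is off until userland turns it on (mount, per the commit message), which deserves a comment at the declaration, e.g. `/* 0 = accept any source port; set by mount(8) unless -n is given */`.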
@@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
nd->nd_procnum = NFSPROC_NOOP;
nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
cacherep = RC_DOIT;
+ } else if (nfs_privport) {
+ /* Check if source port is privileged */
+ u_short port;
+ u_long addr;
+ struct mbuf *nam = nd->nd_nam;
+ struct sockaddr_in *sin;
+
+ sin = mtod(nam, struct sockaddr_in *);
+ port = ntohs(sin->sin_port);
+ if (port >= IPPORT_RESERVED) {
+ nd->nd_procnum = NFSPROC_NOOP;
+ nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
+ cacherep = RC_DOIT;
+ printf("NFS request from unprivileged port (%s:%d)\n",
+ inet_ntoa(sin->sin_addr), port);
+ }
}
+
}
/*
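Review bot: The new branch casts `nd->nd_nam` to `struct sockaddr_in` without checking `sin_family`, so a peer address of another family would have its bytes read as an IPv4 port and address; fail closed with `if (sin->sin_family != AF_INET || port >= IPPORT_RESERVED)` and only format the address in the log line for AF_INET (whether nd_nam always carries a sockaddr here is not visible in the hunk). The `printf` runs once per rejected request with no rate limit, so any remote sender can flood the console and log at will; count rejections in a statistic or rate-limit the message instead. The three rejection lines duplicate the AUTH_TOOWEAK branch directly above (`nd_procnum`, `nd_repstat`, `cacherep`); folding the port test into that branch's condition, or moving the rejection into a small static helper, removes the copy. nfssvc_nfsd begins and ends outside this hunk.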
diff --git a/sys/nfsserver/nfsrvstats.h b/sys/nfsserver/nfsrvstats.h
index 6aaa1da..dd71abe 100644
--- a/sys/nfsserver/nfsrvstats.h
+++ b/sys/nfsserver/nfsrvstats.h
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
*/
#ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
* fs.nfs sysctl(3) identifiers
*/
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
#define FS_NFS_NAMES { \
{ 0, 0 }, \
{ "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
}
/*