diff options
-rw-r--r-- | sys/nfsclient/nfs_lock.c | 16 | ||||
-rw-r--r-- | sys/nfsserver/nfs_syscalls.c | 2 | ||||
-rw-r--r-- | sys/sys/priv.h | 7 |
3 files changed, 12 insertions, 13 deletions
diff --git a/sys/nfsclient/nfs_lock.c b/sys/nfsclient/nfs_lock.c index 18bf1b2..be334c7 100644 --- a/sys/nfsclient/nfs_lock.c +++ b/sys/nfsclient/nfs_lock.c @@ -43,6 +43,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mbuf.h> #include <sys/mount.h> #include <sys/namei.h> +#include <sys/priv.h> #include <sys/proc.h> #include <sys/resourcevar.h> #include <sys/socket.h> @@ -85,6 +86,10 @@ nfslock_open(struct cdev *dev, int oflags, int devtype, struct thread *td) { int error; + error = priv_check(td, PRIV_NFS_LOCKD); + if (error) + return (error); + mtx_lock(&nfslock_mtx); if (!nfslock_isopen) { error = 0; @@ -339,17 +344,6 @@ static int nfslockdans(struct thread *td, struct lockd_ans *ansp) { struct proc *targetp; - int error; - - /* Let root, or someone who once was root (lockd generally - * switches to the daemon uid once it is done setting up) make - * this call. - * - * XXX This authorization check is probably not right. - */ - if ((error = suser(td)) != 0 && - td->td_ucred->cr_svuid != 0) - return (error); /* the version should match, or we're out of sync */ if (ansp->la_vers != LOCKD_ANS_VERSION) diff --git a/sys/nfsserver/nfs_syscalls.c b/sys/nfsserver/nfs_syscalls.c index f81900b..ab247ea 100644 --- a/sys/nfsserver/nfs_syscalls.c +++ b/sys/nfsserver/nfs_syscalls.c @@ -139,7 +139,7 @@ nfssvc(struct thread *td, struct nfssvc_args *uap) if (error) return (error); #endif - error = priv_check(td, PRIV_NFSD); + error = priv_check(td, PRIV_NFS_DAEMON); if (error) return (error); NET_LOCK_GIANT(); diff --git a/sys/sys/priv.h b/sys/sys/priv.h index 87181ca..2b215c8 100644 --- a/sys/sys/priv.h +++ b/sys/sys/priv.h @@ -72,7 +72,6 @@ #define PRIV_MAXPROC 4 /* Exceed system processes limit. */ #define PRIV_KTRACE 5 /* Set/clear KTRFAC_ROOT on ktrace. */ #define PRIV_SETDUMPER 6 /* Configure dump device. */ -#define PRIV_NFSD 7 /* Can become NFS daemon. */ #define PRIV_REBOOT 8 /* Can reboot system. */ #define PRIV_SWAPON 9 /* Can swapon(). */ #define PRIV_SWAPOFF 10 /* Can swapoff(). */ @@ -236,6 +235,12 @@ to/from jails. */ /* + * NFS-specific privileges. + */ +#define PRIV_NFS_DAEMON 290 /* Can become the NFS daemon. */ +#define PRIV_NFS_LOCKD 291 /* Can become NFS lock daemon. */ + +/* * VFS privileges. */ #define PRIV_VFS_READ 310 /* Override vnode DAC read perm. */ |