Diffstat (limited to 'sys')
-rw-r--r-- | sys/nfs/nfs.h | 4 | ||||
-rw-r--r-- | sys/nfs/nfs_syscalls.c | 23 | ||||
-rw-r--r-- | sys/nfsclient/nfs.h | 4 | ||||
-rw-r--r-- | sys/nfsclient/nfs_nfsiod.c | 23 | ||||
-rw-r--r-- | sys/nfsclient/nfsargs.h | 4 | ||||
-rw-r--r-- | sys/nfsclient/nfsstats.h | 4 | ||||
-rw-r--r-- | sys/nfsserver/nfs.h | 4 | ||||
-rw-r--r-- | sys/nfsserver/nfs_syscalls.c | 23 | ||||
-rw-r--r-- | sys/nfsserver/nfsrvstats.h | 4 |
9 files changed, 84 insertions, 9 deletions
diff --git a/sys/nfs/nfs.h b/sys/nfs/nfs.h
index 6aaa1da..dd71abe 100644
--- a/sys/nfs/nfs.h
+++ b/sys/nfs/nfs.h
@@ -34,7 +34,7 @@
 * SUCH DAMAGE.
 *
 * @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
 */
 
 #ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
 * fs.nfs sysctl(3) identifiers
 */
 #define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
 
 #define FS_NFS_NAMES { \
 { 0, 0 }, \
 { "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
 }
 
 /*
diff --git a/sys/nfs/nfs_syscalls.c b/sys/nfs/nfs_syscalls.c
index 83cd64d..396dff8 100644
--- a/sys/nfs/nfs_syscalls.c
+++ b/sys/nfs/nfs_syscalls.c
@@ -34,7 +34,7 @@
 * SUCH DAMAGE.
 *
 * @(#)nfs_syscalls.c 8.5 (Berkeley) 3/30/95
- * $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
+ * $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
 */
 
 #include <sys/param.h>
@@ -107,6 +107,10 @@ static void nfsd_rt __P((int sotype, struct nfsrv_descript *nd, int cacherep));
 static int nfssvc_addsock __P((struct file *,struct mbuf *));
 static int nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
+
+static int nfs_privport = 0;
+SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
+
 
 /*
 * NFS server system calls
 * getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
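Review bot: The comment on the new `NFS_NFSPRIVPORT` define says `int: prohibit nfs to resvports`, which reads as the opposite of what the knob does — when it is set, only requests arriving from reserved (privileged) source ports are served. Suggest `/* int: serve nfs requests from reserved source ports only */`. The same hunk is repeated verbatim in sys/nfsclient/nfs.h, sys/nfsclient/nfsargs.h, sys/nfsclient/nfsstats.h, sys/nfsserver/nfs.h and sys/nfsserver/nfsrvstats.h (apparently copies of the same header), so the wording fix applies there too.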
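Review bot: `SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "")` registers a knob that changes which clients the server answers with an empty description string; suggest `"Only serve NFS requests from reserved source ports"` (or similar) as the last argument. The declaration `static int nfs_privport = 0;` also deserves a one-line comment stating that it defaults to off and that, when set, requests from non-reserved ports are answered with AUTH_TOOWEAK, since that is the only place an administrator reading the source will find the policy. The same hunk appears again in sys/nfsclient/nfs_nfsiod.c and sys/nfsserver/nfs_syscalls.c.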
@@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
 nd->nd_procnum = NFSPROC_NOOP;
 nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
 cacherep = RC_DOIT;
+ } else if (nfs_privport) {
+ /* Check if source port is privileged */
+ u_short port;
+ u_long addr;
+ struct mbuf *nam = nd->nd_nam;
+ struct sockaddr_in *sin;
+
+ sin = mtod(nam, struct sockaddr_in *);
+ port = ntohs(sin->sin_port);
+ if (port >= IPPORT_RESERVED) {
+ nd->nd_procnum = NFSPROC_NOOP;
+ nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
+ cacherep = RC_DOIT;
+ printf("NFS request from unprivileged port (%s:%d)\n",
+ inet_ntoa(sin->sin_addr), port);
+ }
 }
+ }
 
 /*
diff --git a/sys/nfsclient/nfs.h b/sys/nfsclient/nfs.h
index 6aaa1da..dd71abe 100644
--- a/sys/nfsclient/nfs.h
+++ b/sys/nfsclient/nfs.h
@@ -34,7 +34,7 @@
 * SUCH DAMAGE.
 *
 * @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
 */
 
 #ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
 * fs.nfs sysctl(3) identifiers
 */
 #define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
 
 #define FS_NFS_NAMES { \
 { 0, 0 }, \
 { "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
 }
 
 /*
diff --git a/sys/nfsclient/nfs_nfsiod.c b/sys/nfsclient/nfs_nfsiod.c
index 83cd64d..396dff8 100644
--- a/sys/nfsclient/nfs_nfsiod.c
+++ b/sys/nfsclient/nfs_nfsiod.c
@@ -34,7 +34,7 @@
 * SUCH DAMAGE.
 *
 * @(#)nfs_syscalls.c 8.5 (Berkeley) 3/30/95
- * $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
+ * $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
 */
 
 #include <sys/param.h>
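Review bot: The new branch casts `nd->nd_nam` to `struct sockaddr_in *` and reads `sin_port` without checking that `nam` is non-NULL and that the address family is AF_INET, so on a non-INET transport the port comparison runs on bytes that are not a port and the request is accepted or rejected by accident. Guard it before the cast, e.g. `if (nam == NULL || mtod(nam, struct sockaddr *)->sa_family != AF_INET)`, and state explicitly what the knob means for such peers; the unused `u_long addr;` should be dropped at the same time. The `printf` runs once per rejected request with no throttling, so a burst of unprivileged-port requests becomes an equal burst of console/log output — `log(LOG_WARNING, ...)` together with a counter or a rate limit would be safer. nfssvc_nfsd starts before this hunk, so the condition this `else if` chains onto is not visible; confirm the check runs for every auth flavour the policy is meant to cover, and keep in mind that the reserved-port test only says something when the source address itself is trusted — it is not authentication. The same hunk is repeated in sys/nfsclient/nfs_nfsiod.c and sys/nfsserver/nfs_syscalls.c.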
@@ -107,6 +107,10 @@ static void nfsd_rt __P((int sotype, struct nfsrv_descript *nd, int cacherep));
 static int nfssvc_addsock __P((struct file *,struct mbuf *));
 static int nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
+
+static int nfs_privport = 0;
+SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
+
 
 /*
 * NFS server system calls
 * getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
@@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
 nd->nd_procnum = NFSPROC_NOOP;
 nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
 cacherep = RC_DOIT;
+ } else if (nfs_privport) {
+ /* Check if source port is privileged */
+ u_short port;
+ u_long addr;
+ struct mbuf *nam = nd->nd_nam;
+ struct sockaddr_in *sin;
+
+ sin = mtod(nam, struct sockaddr_in *);
+ port = ntohs(sin->sin_port);
+ if (port >= IPPORT_RESERVED) {
+ nd->nd_procnum = NFSPROC_NOOP;
+ nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
+ cacherep = RC_DOIT;
+ printf("NFS request from unprivileged port (%s:%d)\n",
+ inet_ntoa(sin->sin_addr), port);
+ }
 }
+ }
 
 /*
diff --git a/sys/nfsclient/nfsargs.h b/sys/nfsclient/nfsargs.h
index 6aaa1da..dd71abe 100644
--- a/sys/nfsclient/nfsargs.h
+++ b/sys/nfsclient/nfsargs.h
@@ -34,7 +34,7 @@
 * SUCH DAMAGE.
 *
 * @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
 */
 
 #ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
 * fs.nfs sysctl(3) identifiers
 */
 #define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
 
 #define FS_NFS_NAMES { \
 { 0, 0 }, \
 { "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
 }
 
 /*
diff --git a/sys/nfsclient/nfsstats.h b/sys/nfsclient/nfsstats.h
index 6aaa1da..dd71abe 100644
--- a/sys/nfsclient/nfsstats.h
+++ b/sys/nfsclient/nfsstats.h
@@ -34,7 +34,7 @@
 * SUCH DAMAGE.
 *
 * @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
 */
 
 #ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
 * fs.nfs sysctl(3) identifiers
 */
 #define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
 
 #define FS_NFS_NAMES { \
 { 0, 0 }, \
 { "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
 }
 
 /*
diff --git a/sys/nfsserver/nfs.h b/sys/nfsserver/nfs.h
index 6aaa1da..dd71abe 100644
--- a/sys/nfsserver/nfs.h
+++ b/sys/nfsserver/nfs.h
@@ -34,7 +34,7 @@
 * SUCH DAMAGE.
 *
 * @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
 */
 
 #ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
 * fs.nfs sysctl(3) identifiers
 */
 #define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
 
 #define FS_NFS_NAMES { \
 { 0, 0 }, \
 { "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
 }
 
 /*
diff --git a/sys/nfsserver/nfs_syscalls.c b/sys/nfsserver/nfs_syscalls.c
index 83cd64d..396dff8 100644
--- a/sys/nfsserver/nfs_syscalls.c
+++ b/sys/nfsserver/nfs_syscalls.c
@@ -34,7 +34,7 @@
 * SUCH DAMAGE.
 *
 * @(#)nfs_syscalls.c 8.5 (Berkeley) 3/30/95
- * $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
+ * $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
 */
 
 #include <sys/param.h>
@@ -107,6 +107,10 @@ static void nfsd_rt __P((int sotype, struct nfsrv_descript *nd, int cacherep));
 static int nfssvc_addsock __P((struct file *,struct mbuf *));
 static int nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
+
+static int nfs_privport = 0;
+SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
+
 
 /*
 * NFS server system calls
 * getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
@@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
 nd->nd_procnum = NFSPROC_NOOP;
 nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
 cacherep = RC_DOIT;
+ } else if (nfs_privport) {
+ /* Check if source port is privileged */
+ u_short port;
+ u_long addr;
+ struct mbuf *nam = nd->nd_nam;
+ struct sockaddr_in *sin;
+
+ sin = mtod(nam, struct sockaddr_in *);
+ port = ntohs(sin->sin_port);
+ if (port >= IPPORT_RESERVED) {
+ nd->nd_procnum = NFSPROC_NOOP;
+ nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
+ cacherep = RC_DOIT;
+ printf("NFS request from unprivileged port (%s:%d)\n",
+ inet_ntoa(sin->sin_addr), port);
+ }
 }
+ }
 
 /*
diff --git a/sys/nfsserver/nfsrvstats.h b/sys/nfsserver/nfsrvstats.h
index 6aaa1da..dd71abe 100644
--- a/sys/nfsserver/nfsrvstats.h
+++ b/sys/nfsserver/nfsrvstats.h
@@ -34,7 +34,7 @@
 * SUCH DAMAGE.
 *
 * @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
 */
 
 #ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
 * fs.nfs sysctl(3) identifiers
 */
 #define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
 
 #define FS_NFS_NAMES { \
 { 0, 0 }, \
 { "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
 }
 
 /* |