+2004-01-20 Ion Badulescu <ionut@moisil.badula.org>
+
+ * amd/conf.c (gopt_nfs_allow_insecure_port): support function for
+ the new "nfs_allow_insecure_port" amd.conf directive
+
+ * amd/nfs_prot_svc.c (nfs_program_2): complain about the insecure
+ port and drop the request only if the "nfs_allow_insecure_port"
+ option is not set in amd.conf
+
+ * doc/am-utils.texi (Global Parameters): documented the new
+ amd.conf directive "nfs_allow_insecure_port"
+
+ * scripts/amd.conf.5 (nfs_allow_insecure_port): ditto
+
+ * scripts/amd.conf-sample (nfs_allow_insecure_port): added the
+ "nfs_allow_insecure_port" directive
+
2004-01-20 Erez Zadok <ezk@cs.sunysb.edu>
* doc/am-utils.texi: amd-workers is defunct.
*
* %W% (Berkeley) %G%
*
- * $Id: amd.h,v 1.8.2.7 2004/01/06 03:15:16 ezk Exp $
+ * $Id: amd.h,v 1.8.2.8 2004/01/21 04:04:58 ib42 Exp $
*
*/
#define CFM_FULLY_QUALIFIED_HOSTS 0x0100
#define CFM_BROWSABLE_DIRS_FULL 0x0200 /* allow '/' in readdir() */
#define CFM_UNMOUNT_ON_EXIT 0x0400 /* when amd finishing */
+#define CFM_NFS_INSECURE_PORT 0x0800
/* some systems (SunOS 4.x) neglect to define the mount null message */
#ifndef MOUNTPROC_NULL
*
* %W% (Berkeley) %G%
*
- * $Id: conf.c,v 1.7.2.7 2004/01/06 03:15:16 ezk Exp $
+ * $Id: conf.c,v 1.7.2.8 2004/01/21 04:04:58 ib42 Exp $
*
*/
static int gopt_mount_type(const char *val);
static int gopt_pid_file(const char *val);
static int gopt_portmap_program(const char *val);
+static int gopt_nfs_allow_insecure_port(const char *val);
static int gopt_nfs_proto(const char *val);
static int gopt_nfs_retransmit_counter(const char *val);
static int gopt_nfs_retry_interval(const char *val);
{"mount_type", gopt_mount_type},
{"pid_file", gopt_pid_file},
{"portmap_program", gopt_portmap_program},
+ {"nfs_allow_insecure_port", gopt_nfs_allow_insecure_port},
{"nfs_proto", gopt_nfs_proto},
{"nfs_retransmit_counter", gopt_nfs_retransmit_counter},
{"nfs_retry_interval", gopt_nfs_retry_interval},
}
+static int
+gopt_nfs_allow_insecure_port(const char *val)
+{
+ if (STREQ(val, "yes")) {
+ gopt.flags |= CFM_NFS_INSECURE_PORT;
+ return 0;
+ } else if (STREQ(val, "no")) {
+ gopt.flags &= ~CFM_NFS_INSECURE_PORT;
+ return 0;
+ }
+
+ fprintf(stderr, "conf: unknown value to nfs_allow_insecure_port \"%s\"\n", val);
+ return 1; /* unknown value */
+}
+
+
static int
gopt_nfs_proto(const char *val)
{
*
* %W% (Berkeley) %G%
*
- * $Id: nfs_prot_svc.c,v 1.5.2.5 2004/01/06 03:15:16 ezk Exp $
+ * $Id: nfs_prot_svc.c,v 1.5.2.6 2004/01/21 04:04:58 ib42 Exp $
*
*/
sinp = amu_svc_getcaller(rqstp->rq_xprt);
#ifdef MNT2_NFS_OPT_RESVPORT
/* Verify that the request comes from a reserved port */
- if (ntohs(sinp->sin_port) >= IPPORT_RESERVED) {
+ if (ntohs(sinp->sin_port) >= IPPORT_RESERVED) &&
+ !(gopt.flags & CFM_NFS_INSECURE_PORT)) {
plog(XLOG_WARNING, "ignoring request from %s:%u, port not reserved",
inet_dquad(dq, sinp->sin_addr.s_addr),
ntohs(sinp->sin_port));
@c
@c %W% (Berkeley) %G%
@c
-@c $Id: am-utils.texi,v 1.21.2.31 2004/01/20 19:04:09 ezk Exp $
+@c $Id: am-utils.texi,v 1.21.2.32 2004/01/21 04:04:58 ib42 Exp $
@c
@setfilename am-utils.info
* local_domain Parameter::
* log_file Parameter::
* log_options Parameter::
+* nfs_allow_insecure_port Parameter::
* nfs_proto Parameter::
* nfs_retransmit_counter Parameter::
* nfs_retry_interval Parameter::
@samp{kern}, @samp{lpr}, @samp{cron}, etc.
@c ----------------------------------------------------------------
-@node log_options Parameter, nfs_proto Parameter, log_file Parameter, Global Parameters
+@node log_options Parameter, nfs_allow_insecure_port Parameter, log_file Parameter, Global Parameters
@comment node-name, next, previous, up
@subsection @t{log_options} Parameter
@cindex log_options Parameter
@end table
@c ----------------------------------------------------------------
-@node nfs_proto Parameter, nfs_retransmit_counter Parameter, log_options Parameter, Global Parameters
+@node nfs_allow_insecure_port Parameter, nfs_proto Parameter, log_options Parameter, Global Parameters
+@comment node-name, next, previous, up
+@subsection @t{nfs_allow_insecure_port} Parameter
+@cindex nfs_allow_insecure_port Parameter
+
+(type=string, default=@samp{no}). Normally amd will refuse requests
+coming from unprivileged ports (i.e. ports >= 1024 on Unix systems),
+so that only privileged users and the kernel can send NFS requests to
+it. However, some kernels (certain versions of Darwin, MacOS X, and
+Linux) have bugs that cause them to use unprivileged ports in certain
+situations, which causes amd to stop dead in its tracks. This
+parameter allows amd to operate normally even on such systems, at the
+expense of a slight decrease in the security of its operations. If you
+see messages like ``ignoring request from foo:1234, port not
+reserved'' in your amd log, try enabling this parameter and give it
+another go.
+
+@c ----------------------------------------------------------------
+@node nfs_proto Parameter, nfs_retransmit_counter Parameter, nfs_allow_insecure_port Parameter, Global Parameters
@comment node-name, next, previous, up
@subsection @t{nfs_proto} Parameter
@cindex nfs_proto Parameter
# force NFS version or NFS protocol
nfs_vers = 2 | 3
nfs_proto = udp | tcp
+# allow NFS requests from insecure (>=1024) ports
+nfs_allow_insecure_port = yes | no
##############################################################################
# DEFINE AN AMD MOUNT POINT
.\"
.\" %W% (Berkeley) %G%
.\"
-.\" $Id: amd.conf.5,v 1.7.2.9 2004/01/06 03:15:25 ezk Exp $
+.\" $Id: amd.conf.5,v 1.7.2.10 2004/01/21 04:04:58 ib42 Exp $
.\"
.TH AMD.CONF 5 "7 August 1997"
.SH NAME
parameters change the overall retry interval. Too long an interval gives
poor interactive response; too short an interval causes excessive retries.
+.TP
+.BR nfs_allow_insecure_port " (string, default=no).
+Normally amd will refuse requests coming from unprivileged ports (i.e.
+ports >= 1024 on Unix systems), so that only privileged users and the kernel
+can send NFS requests to it. However, some kernels (certain versions of
+Darwin, MacOS X, and Linux) have bugs that cause them to use unprivileged
+ports in certain situations, which causes amd to stop dead in its
+tracks. This parameter allows amd to operate normally even on such systems,
+at the expense of a slight decrease in the security of its operations. If
+you see messages like "ignoring request from foo:1234, port not reserved"
+in your amd log, try enabling this parameter and give it another go.
+
.TP
.BR nfs_proto " (string, default to trying version tcp then udp)"
By default, amd tries TCP and then UDP. This option forces the overall NFS
projects / am-utils-6.0.git / commitdiff