netbsd-bugs: bin/10608: mountd(8) ignores -noresvport/-noresvmnt if there's no host specified

Subject: bin/10608: mountd(8) ignores -noresvport/-noresvmnt if there's no host specified
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 07/17/2000 17:50:46

>Number:         10608
>Category:       bin
>Synopsis:       mountd(8) ignores -noresvport/-noresvmnt if there's no host specified
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jul 16 07:03:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Jun-ichiro itojun Hagino
>Release:        latest current
>Organization:
	itojun.org
>Environment:
System: NetBSD starfruit.itojun.org 1.5B NetBSD 1.5B (STARFRUIT) #60: Sun Jul 16 20:30:21 JST 2000 itojun@starfruit.itojun.org:/usr/home/itojun/NetBSD/src/sys/arch/i386/compile/STARFRUIT i386


>Description:
	if we specify a line in exports(5) like below (with no host
	specification - meaning everyone can mount), mountd(8) will fail
	to use the specified -noresvport/-noresvmnt on mount request.
		/usr -ro -noresvport -noresvmnt

	The problem happens when the last condition in the following
	portion of usr.sbin/mountd/mountd.c is used:
		   (defset && scan_tree(ep->ex_defdir, saddr) == 0 &&
		   scan_tree(ep->ex_dirl, saddr) == 0))) {
	The portion is used when no hostname is specified on exports(5)
	line.  The code does not set the export flags in the export list
	database into variable "hostset".  hostset will be zero on port
	number check.  as a result, mountd does not permit mount request
	from non-privileged port.

from line 593:
		if (ep && (chk_host(ep->ex_defdir, saddr, &defset,
		   &hostset) || ((dp = dirp_search(ep->ex_dirl, dirpath)) &&
		   chk_host(dp, saddr, &defset, &hostset)) ||
		   (defset && scan_tree(ep->ex_defdir, saddr) == 0 &&
		   scan_tree(ep->ex_dirl, saddr) == 0))) {
			if (sport >= IPPORT_RESERVED &&
			    !(hostset & DP_NORESMNT)) {
				syslog(LOG_NOTICE,
				    "Refused mount RPC from host %s port %d",
				    numerichost, sport);
				svcerr_weakauth(transp);
				goto out;
			}

>How-To-Repeat:
	put a line like this (with no host specified) into /etc/exports.
		/usr -ro -noresvport -noresvmnt
	try to mount the partition from Solaris8 nfs client, which uses
	non-privileged source tcp/udp port.  see the mount attempt fails
	"you did not use the privileged port" error.

	NOTE: it is not possible to repeat the problem from netbsd
	nfs client, as netbsd nfs client always use privileged source
	port for mount request - "mount_nfs -p" only changes nfs source
	port, not the mount source port.

>Fix:
	- workaronud: use privileged port from solaris nfs client.
	- workaround: specify some hostname in exports(5) line.
	- scan_tree() should propagate export flags upto "hostset" varaible
	  somehow.
	- mountd(8) code for handling exports(5) options is rather complex.
	  it may be better to clean it up from scratch.
>Release-Note:
>Audit-Trail:
>Unformatted: