Subject: Re: encrypted swap?
To: Olaf Seibert <rhialto@polderland.nl>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-security
Date: 06/08/2001 11:47:51
> I've been trying to rectify that, by adding a port number option to
> mount_nfs, but somehow this failed so far.
That's one of the things I did to mount_nfs back when I had occasion to
hack on it a bit (I needed to tell whether a foreign NFS server really
was restricting access as it should be, or whether all the checking was
in mountd and friends).
Here's what I did. It's against a relatively old mount_nfs, but it
may be of some use to you. You may want to rip out the handle stuff.
--- OLD/sbin/mount_nfs/mount_nfs.8 Thu Jan 1 00:00:00 1970
+++ NEW/sbin/mount_nfs/mount_nfs.8 Thu Jan 1 00:00:00 1970
@@ -42,7 +42,7 @@
.Sh SYNOPSIS
.Nm ""
.Bk -words
-.Op Fl 23KPTUbcCdilqs
+.Op Fl 23KPTUbcCdilqsh
.Ek
.Bk -words
.Op Fl D Ar deadthresh
@@ -78,6 +78,12 @@
.Op Fl w Ar writesize
.Ek
.Bk -words
+.Op Fl H Ar handle
+.Ek
+.Bk -words
+.Op Fl Q Ar port
+.Ek
+.Bk -words
.Op Fl x Ar retrans
.Ek
.Ar rhost:path node
@@ -207,6 +213,15 @@
Used with the
.Fl K
option for mounts to other realms.
+.It Fl h
+Print out the filehandle being used for the mount.
+.It Fl H
+Explicitly specify the filehandle to be used, in the same format as output by
+.Fl h ,
+rather than doing the usual mount RPC.
+.It Fl Q
+Explicitly specify the port number to be used for NFS traffic, rather than
+querying the portmapper on the target host.
.It Fl o
Options are specified with a
.Fl o
--- OLD/sbin/mount_nfs/mount_nfs.c Thu Jan 1 00:00:00 1970
+++ NEW/sbin/mount_nfs/mount_nfs.c Thu Jan 1 00:00:00 1970
@@ -169,6 +169,9 @@
int mnttcp_ok = 1;
int force2 = 0;
int force3 = 0;
+char *havehandle = 0;
+int showhandle = 0;
+int nfsport = 0;
#ifdef NFSKERB
char inst[INST_SZ];
@@ -226,7 +229,7 @@
nfsargs = nfsdefargs;
nfsargsp = &nfsargs;
while ((c = getopt(argc, argv,
- "23a:bcCdD:g:I:iKL:lm:o:PpqR:r:sTt:w:x:UX")) != -1)
+ "23a:bcCdD:g:hH:I:iKL:lm:o:PpQ:qR:r:sTt:w:x:UX")) != -1)
switch (c) {
case '3':
if (force2)
@@ -275,6 +278,12 @@
nfsargsp->flags |= NFSMNT_MAXGRPS;
break;
#endif
+ case 'h':
+ showhandle = 1;
+ break;
+ case 'H':
+ havehandle = optarg;
+ break;
case 'I':
num = strtol(optarg, &p, 10);
if (*p || num <= 0)
@@ -361,6 +370,11 @@
case 'p':
nfsargsp->flags &= ~NFSMNT_RESVPORT;
break;
+ case 'Q':
+ nfsport = strtol(optarg,&p,0);
+ if (*p || (nfsport <= 0) || (nfsport > 65535))
+ errx(1,"illegal -Q value -- %s", optarg);
+ break;
case 'q':
if (force2)
errx(1,"nqnfs only available with v3");
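Review bot: In the new `case 'Q'` the `strtol()` result is stored into the `int nfsport` before the range check, so on a platform where `long` is wider than `int` a value such as 0x100000050 is truncated first and then passes the `1..65535` test as 80. Keep the comparison on the `long`, as the existing `-I` case above does with `num` (its type is not visible here, presumably `long`): `num = strtol(optarg, &p, 0);` / `if (*p || num <= 0 || num > 65535) errx(1,"illegal -Q value -- %s", optarg);` / `nfsport = num;`. Base 0 also accepts hex and octal forms, which differs from the base-10 parsing of the neighbouring options; if that is intended, a short comment on the line would save the next reader a question. The enclosing `switch` and `main()` continue outside the hunk.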
@@ -437,6 +451,10 @@
if (!getnfsargs(spec, nfsargsp))
exit(1);
+ if (showhandle) {
+ for (i=0;i<nfsargsp->fhsize;i++) printf("%02x",((unsigned char *)nfsargsp->fh)[i]);
+ printf("\n");
+ }
if (mount(MOUNT_NFS, name, mntflags, nfsargsp))
err(1, "%s on %s", ospec, name);
if (nfsargsp->flags & (NFSMNT_NQNFS | NFSMNT_KERB)) {
@@ -642,16 +660,36 @@
nfsvers = NFS_VER3;
mntvers = RPCMNT_VER3;
}
+
+ if (havehandle) {
+ if (!force2 && !force3) {
+ warnx("-H requires -2 or -3");
+ return(0);
+ }
+ }
+
orgcnt = retrycnt;
tryagain:
nfhret.stat = EACCES; /* Mark not yet successful */
while (retrycnt > 0) {
saddr.sin_family = AF_INET;
saddr.sin_port = htons(PMAPPORT);
- if ((tport = pmap_getport(&saddr, RPCPROG_NFS,
- nfsvers, nfsproto )) == 0) {
+ tport = nfsport ?: pmap_getport(&saddr, RPCPROG_NFS, nfsvers, nfsproto);
+ if (tport == 0) {
if ((opflags & ISBGRND) == 0)
clnt_pcreateerror("NFS Portmap");
+ } else if (havehandle) {
+ nfhret.fhsize = strlen(havehandle) / 2;
+ for (i=0;i<nfhret.fhsize;i++) {
+ int v;
+ if (sscanf(havehandle+i+i,"%2x",&v) != 1) {
+ warnx("invalid -H argument");
+ return(0);
+ }
+ nfhret.nfh[i] = v;
+ }
+ nfhret.stat = 0;
+ retrycnt = 0;
} else {
saddr.sin_port = 0;
pertry.tv_sec = 10;
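Review bot: The `-H` branch sets `nfhret.fhsize = strlen(havehandle) / 2` and then writes `nfhret.nfh[i]` for every `i` below it without checking that count against the declared size of `nfhret.nfh`, so a long hex string on the command line overruns the handle buffer; the array's size is not visible in this hunk, so the bound below is written as `sizeof nfhret.nfh` and must be confirmed against the struct definition. An odd-length string also silently drops its last nibble, and `"%2x"` stores through an `int *` although the conversion expects `unsigned int *` (and accepts a leading space or sign inside the two-character window, so an explicit `isxdigit()` check would be stricter). The `nfsport ?: pmap_getport(...)` form is a GNU extension; the spelled-out `nfsport ? nfsport : pmap_getport(...)` is portable and equally short. The enclosing function starts before this hunk and the loop continues past it.
```c
	} else if (havehandle) {
		size_t hlen = strlen(havehandle);
		/* NOTE(review): confirm nfh is an array here; otherwise use its declared max size */
		if ((hlen & 1) || hlen / 2 > sizeof nfhret.nfh) {
			warnx("invalid -H argument");
			return(0);
		}
		nfhret.fhsize = hlen / 2;
		for (i = 0; i < nfhret.fhsize; i++) {
			unsigned int v;	/* %2x requires unsigned int * */
			if (sscanf(havehandle + 2 * i, "%2x", &v) != 1) {
				warnx("invalid -H argument");
				return(0);
			}
			nfhret.nfh[i] = v;
		}
		nfhret.stat = 0;
		retrycnt = 0;
	/* … unchanged: else branch with saddr.sin_port = 0 and pertry setup … */
```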
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B