Bug 1804912 - insecure export option is ignored if a wildcard entry matches the client IP, even if the export path does not match
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: nfs-utils
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Steve Dickson
QA Contact: Yongcheng Yang
URL:
Whiteboard:
Depends On:
Blocks: 1825061
Reported: 2020-02-19 21:18 UTC by Frank Sorenson
Modified: 2021-05-18 15:05 UTC (History)

Fixed In Version: nfs-utils-2.3.3-41.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:04:48 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Frank Sorenson 2020-02-19 21:18:00 UTC
Description of problem:


When a wildcard entry exists which matches the IP performing a mount, and an entry exists for the specific IP, the 'insecure' export option is ignored for all exports matching the IP, regardless of whether the path being mounted actually matches the export being accessed.



Version-Release number of selected component (if applicable):

kernels:
  kernel-4.18.0-147.el8.x86_64
  upstream (as of 5.6.0-rc2)

nfs-utils 2.3.3-14.el8.x86_64


How reproducible:

easy, see steps below


Steps to Reproduce:

create ssh tunnel, forwarding port to 2049, try to mount through the tunnel:

setup:
    # ssh -L 12345:127.0.0.1:2049 localhost

    # mkdir -p /srv/nfs_export{1,2} /mnt/tmp
    # touch /srv/nfs_export1/file_on_nfs_export1
    # touch /srv/nfs_export2/file_on_nfs_export2

    # echo "/srv/nfs_export1 *(sync,sec=sys,anonuid=65534,anongid=65534)
/srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534,insecure)" >> /etc/exports
    # exportfs -arv
    exporting 127.0.0.1:/srv/nfs_export2
    exporting *:/srv/nfs_export1


mount:
    # mount.nfs 127.0.0.1:/srv/nfs_export2 /mnt/tmp -o port=12345,hard,sec=sys,tcp,vers=4.2
    mount.nfs: Operation not permitted



Actual results:

    mount fails

(note that the wildcard export entry which has the default 'secure' is for a separate path than is being mounted)



Expected results:

    mount succeeds



Additional info:


enabled some rpcdebug:

# rpcdebug -m nfsd -s export
# rpcdebug -m nfs -s root client mount

also enabled mountd debugging in /etc/nfs.conf:
[mountd]
debug=all

# systemctl restart nfs-mountd.service


regardless of whether mount attempt is for /srv/nfs_export1 or /srv/nfs_export2, it fails; the /proc/net/rpc/nfsd.export/content contains the following:

# cat /proc/net/rpc/nfsd.export/content 
#path domain(flags)
/	*,127.0.0.1(ro,root_squash,sync,no_wdelay,no_subtree_check,v4root,fsid=0,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=390003:390004:390005:1)

# mount.nfs 127.0.0.1:/srv/nfs_export2 /mnt/tmp -o port=12345,hard,sec=sys,tcp,vers=4.2
mount.nfs: Operation not permitted

messages show:
Feb 19 14:05:17 vm8 kernel: NFS:   parsing nfs mount option 'source'
Feb 19 14:05:17 vm8 kernel: NFS:   parsing nfs mount option 'port'
Feb 19 14:05:17 vm8 kernel: NFS:   parsing nfs mount option 'hard'
Feb 19 14:05:17 vm8 kernel: NFS:   parsing nfs mount option 'sec'
Feb 19 14:05:17 vm8 kernel: NFS: parsing sec=sys option
Feb 19 14:05:17 vm8 kernel: NFS:   parsing nfs mount option 'tcp'
Feb 19 14:05:17 vm8 kernel: NFS:   parsing nfs mount option 'vers'
Feb 19 14:05:17 vm8 kernel: NFS:   parsing nfs mount option 'addr'
Feb 19 14:05:17 vm8 kernel: NFS:   parsing nfs mount option 'clientaddr'
Feb 19 14:05:17 vm8 kernel: NFS: MNTPATH: '/srv/nfs_share2'
Feb 19 14:05:17 vm8 kernel: --> nfs4_try_get_tree()
Feb 19 14:05:17 vm8 kernel: nfs_create_rpc_client: cannot create RPC client. Error = -22
Feb 19 14:05:17 vm8 rpc.mountd[16043]: auth_unix_ip: inbuf 'nfsd 127.0.0.1'
Feb 19 14:05:17 vm8 rpc.mountd[16043]: v4root_create: path '/' flags 0x12407
Feb 19 14:05:17 vm8 rpc.mountd[16043]: v4root_create: path '/srv' flags 0x10407
Feb 19 14:05:17 vm8 rpc.mountd[16043]: v4root_create: path '/' flags 0x12405
Feb 19 14:05:17 vm8 rpc.mountd[16043]: v4root_create: path '/srv' flags 0x10405
Feb 19 14:05:17 vm8 rpc.mountd[16043]: auth_unix_ip: client 0x556fc16870a0 '*,127.0.0.1'
Feb 19 14:05:17 vm8 rpc.mountd[16043]: nfsd_fh: inbuf '*,127.0.0.1 1 \x00000000'
Feb 19 14:05:17 vm8 rpc.mountd[16043]: nfsd_fh: found 0x556fc1687d30 path /
Feb 19 14:05:17 vm8 kernel: found domain *,127.0.0.1
Feb 19 14:05:17 vm8 kernel: found fsidtype 1
Feb 19 14:05:17 vm8 kernel: found fsid length 4
Feb 19 14:05:17 vm8 kernel: Path seems to be </>
Feb 19 14:05:17 vm8 kernel: Found the path /
Feb 19 14:05:17 vm8 kernel: nfs4_get_rootfh: getroot error = 1
Feb 19 14:05:17 vm8 kernel: NFS4: Couldn't follow remote path
Feb 19 14:05:17 vm8 kernel: <-- nfs4_try_get_tree() = -1 [error]



modifying /etc/exports to remove the wildcard, the expected 'secure'/'insecure' will be effective:
/srv/nfs_export1 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534)
/srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534,insecure)

# exportfs -arv
exporting 127.0.0.1:/srv/nfs_export2
exporting 127.0.0.1:/srv/nfs_export1

# mount.nfs 127.0.0.1:/srv/nfs_export2 /mnt/tmp -o port=12345,hard,sec=sys,tcp,vers=4.2
(success)

Feb 19 14:09:16 vm8 kernel: NFS:   parsing nfs mount option 'source'
Feb 19 14:09:16 vm8 kernel: NFS:   parsing nfs mount option 'port'
Feb 19 14:09:16 vm8 kernel: NFS:   parsing nfs mount option 'hard'
Feb 19 14:09:16 vm8 kernel: NFS:   parsing nfs mount option 'sec'
Feb 19 14:09:16 vm8 kernel: NFS: parsing sec=sys option
Feb 19 14:09:16 vm8 kernel: NFS:   parsing nfs mount option 'tcp'
Feb 19 14:09:16 vm8 kernel: NFS:   parsing nfs mount option 'vers'
Feb 19 14:09:16 vm8 kernel: NFS:   parsing nfs mount option 'addr'
Feb 19 14:09:16 vm8 kernel: NFS:   parsing nfs mount option 'clientaddr'
Feb 19 14:09:16 vm8 kernel: NFS: MNTPATH: '/srv/nfs_export2'
Feb 19 14:09:16 vm8 kernel: --> nfs4_try_get_tree()
Feb 19 14:09:16 vm8 kernel: nfs_create_rpc_client: cannot create RPC client. Error = -22
Feb 19 14:09:16 vm8 rpc.mountd[16043]: auth_unix_ip: inbuf 'nfsd 127.0.0.1'
Feb 19 14:09:16 vm8 rpc.mountd[16043]: v4root_create: path '/' flags 0x12405
Feb 19 14:09:16 vm8 rpc.mountd[16043]: v4root_create: path '/srv' flags 0x10405
Feb 19 14:09:16 vm8 rpc.mountd[16043]: auth_unix_ip: client 0x556fc167c850 '127.0.0.1'
Feb 19 14:09:16 vm8 rpc.mountd[16043]: nfsd_fh: inbuf '127.0.0.1 1 \x00000000'
Feb 19 14:09:16 vm8 rpc.mountd[16043]: nfsd_fh: found 0x556fc1687d30 path /
Feb 19 14:09:16 vm8 kernel: found domain 127.0.0.1
Feb 19 14:09:16 vm8 kernel: found fsidtype 1
Feb 19 14:09:16 vm8 kernel: found fsid length 4
Feb 19 14:09:16 vm8 kernel: Path seems to be </>
Feb 19 14:09:16 vm8 kernel: Found the path /
Feb 19 14:09:16 vm8 kernel: Server FSID: 0:0
Feb 19 14:09:16 vm8 kernel: Pseudo-fs root FH at 0000000076ca0527 is 8 bytes, crc: 0x62d40c52:
Feb 19 14:09:16 vm8 kernel: 01000100 00000000
Feb 19 14:09:16 vm8 kernel: NFS:   parsing nfs mount option 'source'
Feb 19 14:09:16 vm8 kernel: NFS: MNTPATH: '/'
Feb 19 14:09:16 vm8 rpc.mountd[16043]: nfsd_export: inbuf '127.0.0.1 /srv'
Feb 19 14:09:16 vm8 rpc.mountd[16043]: nfsd_export: found 0x556fc1688230 path /srv
Feb 19 14:09:16 vm8 rpc.mountd[16043]: nfsd_fh: inbuf '127.0.0.1 7 \x981102080000000078e19a2c05c8424db5c60aef753975e5'
Feb 19 14:09:16 vm8 rpc.mountd[16043]: nfsd_fh: found 0x556fc1688240 path /srv
Feb 19 14:09:16 vm8 kernel: found domain 127.0.0.1
Feb 19 14:09:16 vm8 kernel: found fsidtype 7
Feb 19 14:09:16 vm8 kernel: found fsid length 24
Feb 19 14:09:16 vm8 kernel: Path seems to be </srv>
Feb 19 14:09:16 vm8 kernel: Found the path /srv
Feb 19 14:09:16 vm8 kernel: NFS:   parsing nfs mount option 'source'
Feb 19 14:09:16 vm8 kernel: NFS: MNTPATH: '/srv'
Feb 19 14:09:16 vm8 rpc.mountd[16043]: nfsd_export: inbuf '127.0.0.1 /srv/nfs_export2'
Feb 19 14:09:16 vm8 rpc.mountd[16043]: nfsd_export: found 0x556fc168c0c0 path /srv/nfs_export2
Feb 19 14:09:16 vm8 kernel: <-- nfs4_try_get_tree() = 0


# cat /proc/net/rpc/nfsd.export/content 
#path domain(flags)
/srv/nfs_export2	127.0.0.1(ro,insecure,root_squash,sync,wdelay,no_subtree_check,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=1)
/	127.0.0.1(ro,insecure,root_squash,sync,no_wdelay,no_subtree_check,v4root,fsid=0,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=390003:390004:390005:1)
/srv	127.0.0.1(ro,insecure,root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=390003:390004:390005:1)


attempting to mount export1 fails (also as expected), and the following is added to the kernel's export cache:

/srv/nfs_export1	127.0.0.1(ro,root_squash,sync,wdelay,no_subtree_check,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=1)


Feb 19 14:13:31 vm8 kernel: NFS:   parsing nfs mount option 'source'
Feb 19 14:13:31 vm8 kernel: NFS:   parsing nfs mount option 'port'
Feb 19 14:13:31 vm8 kernel: NFS:   parsing nfs mount option 'hard'
Feb 19 14:13:31 vm8 kernel: NFS:   parsing nfs mount option 'sec'
Feb 19 14:13:31 vm8 kernel: NFS: parsing sec=sys option
Feb 19 14:13:31 vm8 kernel: NFS:   parsing nfs mount option 'tcp'
Feb 19 14:13:31 vm8 kernel: NFS:   parsing nfs mount option 'vers'
Feb 19 14:13:31 vm8 kernel: NFS:   parsing nfs mount option 'addr'
Feb 19 14:13:31 vm8 kernel: NFS:   parsing nfs mount option 'clientaddr'
Feb 19 14:13:31 vm8 kernel: NFS: MNTPATH: '/srv/nfs_export1'
Feb 19 14:13:31 vm8 kernel: --> nfs4_try_get_tree()
Feb 19 14:13:31 vm8 kernel: nfs_create_rpc_client: cannot create RPC client. Error = -22
Feb 19 14:13:31 vm8 kernel: Server FSID: 0:0
Feb 19 14:13:31 vm8 kernel: Pseudo-fs root FH at 0000000096bed493 is 8 bytes, crc: 0x62d40c52:
Feb 19 14:13:31 vm8 kernel: 01000100 00000000
Feb 19 14:13:31 vm8 kernel: NFS:   parsing nfs mount option 'source'
Feb 19 14:13:31 vm8 kernel: NFS: MNTPATH: '/'
Feb 19 14:13:31 vm8 kernel: NFS:   parsing nfs mount option 'source'
Feb 19 14:13:31 vm8 kernel: NFS: MNTPATH: '/srv'
Feb 19 14:13:31 vm8 rpc.mountd[16043]: nfsd_export: inbuf '127.0.0.1 /srv/nfs_export1'
Feb 19 14:13:31 vm8 rpc.mountd[16043]: nfsd_export: found 0x556fc1687810 path /srv/nfs_export1
Feb 19 14:13:31 vm8 kernel: NFS4: Couldn't follow remote path
Feb 19 14:13:31 vm8 kernel: <-- nfs4_try_get_tree() = -1 [error]




# mount.nfs 127.0.0.1:/srv/nfs_share1 /mnt/tmp -o port=12345,hard,sec=sys,tcp,vers=4.2
mount.nfs: Operation not permitted

kernel logs:

[76747.915596] NFS:   parsing nfs mount option 'source'
[76747.915602] NFS:   parsing nfs mount option 'port'
[76747.915605] NFS:   parsing nfs mount option 'hard'
[76747.915607] NFS:   parsing nfs mount option 'sec'
[76747.915609] NFS: parsing sec=sys option
[76747.915610] NFS:   parsing nfs mount option 'tcp'
[76747.915612] NFS:   parsing nfs mount option 'vers'
[76747.915614] NFS:   parsing nfs mount option 'addr'
[76747.915617] NFS:   parsing nfs mount option 'clientaddr'
[76747.915620] NFS: MNTPATH: '/srv/nfs_share1'
[76747.915624] --> nfs4_try_get_tree()
[76747.915949] nfs_create_rpc_client: cannot create RPC client. Error = -22
[76747.937776] Server FSID: 0:0
[76747.937782] Pseudo-fs root FH at 000000009df23515 is 8 bytes, crc: 0x62d40c52:
[76747.937803]  01000100 00000000
[76747.939280] NFS:   parsing nfs mount option 'source'
[76747.939283] NFS: MNTPATH: '/'
[76747.942762] found domain *,127.0.0.1
[76747.942764] found fsidtype 7
[76747.942765] found fsid length 24
[76747.942767] Path seems to be </srv>
[76747.942769] Found the path /srv
[76747.953781] NFS4: Couldn't follow remote path
[76747.954155] <-- nfs4_try_get_tree() = -1 [error]



(order in exports file does not matter)


some other export options are not affected in this way:
for example, wdelay/no_wdelay:
    /srv/nfs_export1 *(sync,sec=sys,anonuid=65534,anongid=65534,insecure,wdelay)
    /srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534,insecure,no_wdelay)

# mount.nfs 127.0.0.1:/srv/nfs_export1 /mnt/tmp -o port=12345,hard,sec=sys,tcp,vers=4.2
# umount /mnt/tmp
# mount.nfs 127.0.0.1:/srv/nfs_export2 /mnt/tmp -o port=12345,hard,sec=sys,tcp,vers=4.2
# umount /mnt/tmp

# cat /proc/net/rpc/nfsd.export/content
#path domain(flags)
/srv/nfs_export1	*,127.0.0.1(ro,insecure,root_squash,sync,wdelay,no_subtree_check,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=1)
/srv/nfs_export2	*,127.0.0.1(ro,insecure,root_squash,sync,no_wdelay,no_subtree_check,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=1)
/	*,127.0.0.1(ro,insecure,root_squash,sync,no_wdelay,no_subtree_check,v4root,fsid=0,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=390003:390004:390005:1)
/srv	*,127.0.0.1(ro,insecure,root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=390003:390004:390005:1)

(unless accompanied by 'insecure':
    /srv/nfs_export1 *(sync,sec=sys,anonuid=65534,anongid=65534,wdelay)
    /srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534,insecure,no_wdelay)

# mount.nfs 127.0.0.1:/srv/nfs_export2 /mnt/tmp -o port=12345,hard,sec=sys,tcp,vers=4.2
mount.nfs: Operation not permitted

# mount.nfs 127.0.0.1:/srv/nfs_export1 /mnt/tmp -o port=12345,hard,sec=sys,tcp,vers=4.2
mount.nfs: Operation not permitted

# cat /proc/net/rpc/nfsd.export/content
#path domain(flags)
/	*,127.0.0.1(ro,root_squash,sync,no_wdelay,no_subtree_check,v4root,fsid=0,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=390003:390004:390005:1)



The presence of the wildcard entry causes 'secure' to be enforced, regardless of whether the wildcard or specific entry is the one specifying 'insecure'; either is sufficient for 'secure' to be enforced (for example, the following all enforce 'secure' for both exports:

    /srv/nfs_export1 *(sync,sec=sys,anonuid=65534,anongid=65534,insecure)
    /srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534,secure)
and
    /srv/nfs_export1 *(sync,sec=sys,anonuid=65534,anongid=65534,insecure)
    /srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534)
and
    /srv/nfs_export1 *(sync,sec=sys,anonuid=65534,anongid=65534,secure)
    /srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534,insecure)
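
An added check, not part of this report or of nfs-utils, that reads an /etc/exports fragment and reports the combination the description above lays out: an address covered both by a wildcard entry and by an exact entry, where the entries do not agree on secure/insecure. The sample lines are copied from the configurations in this report; the function names are mine, and matching is deliberately limited to the '*' wildcard and exact addresses (no hostnames, netgroups or subnets).

```python
import re

# Added example, not nfs-utils code. Matching is minimal on purpose:
# '*' and exact addresses only (no hostnames, netgroups or CIDR subnets),
# and backslash line continuations in /etc/exports are not handled.


def parse_exports(text):
    """Parse /etc/exports lines into (path, client, options) tuples.

    Options are kept as an ordered list because exportfs applies them in
    order. A client with no parenthesised list gets an empty list, and
    since 'secure' is the default that is a secure export.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"               # '(opts)' alone means everyone
            options = m.group(2).split(",") if m.group(2) else []
            entries.append((path, client, options))
    return entries


def effective_insecure(options):
    """True if the entry ends up 'insecure'.

    The last of 'secure'/'insecure' wins when both are given; the
    default, with neither present, is 'secure'.
    """
    insecure = False
    for opt in options:
        if opt == "insecure":
            insecure = True
        elif opt == "secure":
            insecure = False
    return insecure


def wildcard_insecure_mismatch(entries, addr):
    """Paths whose 'insecure' would not take effect for addr on the
    nfs-utils described in this report: addr is covered by a wildcard
    entry and by an exact entry, and those entries disagree on
    secure/insecure. Returns [] when there is no such conflict."""
    has_wild = any(c == "*" for _, c, _ in entries)
    has_exact = any(c == addr for _, c, _ in entries)
    if not (has_wild and has_exact):
        return []
    covering = [(p, effective_insecure(o)) for p, c, o in entries
                if c == "*" or c == addr]
    if len({flag for _, flag in covering}) < 2:
        return []                                    # all agree, no conflict
    return sorted(p for p, flag in covering if flag)


# Copied from the report's reproducer: the wildcard entry is secure by
# default, the 127.0.0.1 entry asks for insecure.
REPORTED_EXPORTS = """\
/srv/nfs_export1 *(sync,sec=sys,anonuid=65534,anongid=65534)
/srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534,insecure)
"""

# The report's variant where both entries carry 'insecure' and the mount works.
AGREEING_EXPORTS = """\
/srv/nfs_export1 *(sync,sec=sys,anonuid=65534,anongid=65534,insecure,wdelay)
/srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534,insecure,no_wdelay)
"""

# Wildcard removed, as in the report's working configuration.
NO_WILDCARD_EXPORTS = """\
/srv/nfs_export1 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534)
/srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534,insecure)
"""

if __name__ == "__main__":
    samples = [("reported", REPORTED_EXPORTS),
               ("agreeing", AGREEING_EXPORTS),
               ("no wildcard", NO_WILDCARD_EXPORTS)]
    for name, text in samples:
        hits = wildcard_insecure_mismatch(parse_exports(text), "127.0.0.1")
        print(f"{name}: {'no conflict' if not hits else 'insecure ineffective for ' + ', '.join(hits)}")
```

Run against a real /etc/exports by reading the file into `parse_exports` and passing each client address you care about; a non-empty result on an nfs-utils build older than the fix in this bug means that export's 'insecure' will not be honoured for that client.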

Comment 1 Yongcheng Yang 2020-02-20 12:44:52 UTC
(In reply to Frank Sorenson from comment #0)
> ...
> The presence of the wildcard entry causes 'secure' to be enforced,
> regardless of whether the wildcard or specific entry is the one specifying
> 'insecure'; either is sufficient for 'secure' to be enforced (for example,
> the following all enforce 'secure' for both exports:
> 
>     /srv/nfs_export1 *(sync,sec=sys,anonuid=65534,anongid=65534,insecure)
>     /srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534,secure)
> and
>     /srv/nfs_export1 *(sync,sec=sys,anonuid=65534,anongid=65534,insecure)
>     /srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534)
> and
>     /srv/nfs_export1 *(sync,sec=sys,anonuid=65534,anongid=65534,secure)
>     /srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534,insecure)
>

Have reproduced this problem. Will try to add them into testcase.

P.s. there're 2 other issues in parsing options:
Bug 1246387 - Can mount a sub-directory disregarding the IP-restrict when the export has a wildcard and an IP-restricted submount export
Bug 1359042 - /etc/exports parsing is broken leading default option cannot be overridden by the host-specific option

Comment 2 Steve Whitehouse 2020-03-13 09:26:08 UTC
SteveD, this looks like an important one to fix. Please take a look.

Comment 3 Steve Whitehouse 2020-04-14 10:26:16 UTC
SteveD, please provide an update for this bug, since it is on the RPL

Comment 4 Steve Dickson 2020-04-20 12:53:16 UTC
I too was able to reproduce this, and what is 
causing the failure, as "rpcdebug -m nfsd -s proc" 
shows, is that a callback socket cannot be created.

NFSD: warning: no callback path to client Linux NFSv4.2: error -22

which probably has something to do with the ssh tunnel. Is this 
a truly supported configuration? 

Now the secure vs insecure issue... I'm thinking 
it is valid for a wildcard secure export to 
override an explicit address insecure export
since the address is included in the wildcard.

The same goes for the same two explicit addresses.
The secure export should override the insecure 
export. 

Adding Bruce in to get his thoughts.

Comment 5 J. Bruce Fields 2020-04-20 14:51:59 UTC
Apologies, I haven't looked into this in detail, but one thing that jumps out at me:

(In reply to Frank Sorenson from comment #0)
> When a wildcard entry exists which matches the IP performing a mount, and an
> entry exists for the specific IP, the 'insecure' export option ignored for
> all exports matching the IP, regardless of whether the path being mounted
> actually matches the export being accessed.

Those exports might actually match, in a sense:

> setup:
>     # ssh -L 12345:127.0.0.1:2049 localhost
> 
>     # mkdir -p /srv/nfs_export{1,2} /mnt/tmp
>     # touch /srv/nfs_export1/file_on_nfs_export1
>     # touch /srv/nfs_export2/file_on_nfs_export2

Both of them are on the same filesystem.  In some cases it can be difficult for the server to distinguish two exports that share the same filesystem.

I haven't thought through whether this falls into one of those cases, but it would be worth actually mounting different filesystems on /srv/nfs_export1 and /srv/nfs_export2 and seeing if the problem still reproduces.

> I too was able to reproduce this and what is causing the failure, as "rpcdebug -m nfsd -s proc"
> shows, a callback socket can not be created.

With NFS versions 4.1 and higher, the backchannel shares the preexisting tcp connection.  I don't know why that's failing.  Also, I wouldn't necessarily expect that "no callback path" problem to cause the mount to fail.  A network trace might be interesting.

Comment 6 J. Bruce Fields 2020-04-20 14:54:09 UTC
(In reply to J. Bruce Fields from comment #5)
> Both of them are on the same filesystem.  In some cases it can be difficult
> for the server to distinguish two exports that share the same filesystem.

See also https://bugzilla.redhat.com/show_bug.cgi?id=1624841

Comment 16 J. Bruce Fields 2020-12-01 22:50:37 UTC
Looking more carefully, I think there's a real bug in nfs-utils/utils/mountd/v4root.c:

Feb 19 14:05:17 vm8 rpc.mountd[16043]: auth_unix_ip: inbuf 'nfsd 127.0.0.1'
Feb 19 14:05:17 vm8 rpc.mountd[16043]: v4root_create: path '/' flags 0x12407
Feb 19 14:05:17 vm8 rpc.mountd[16043]: v4root_create: path '/srv' flags 0x10407
Feb 19 14:05:17 vm8 rpc.mountd[16043]: v4root_create: path '/' flags 0x12405
Feb 19 14:05:17 vm8 rpc.mountd[16043]: v4root_create: path '/srv' flags 0x10405

NFSEXP_INSECURE_PORT is 2, so 0x12407 has that bit set, and 0x12405 does not.

And sure enough, NFSEXP_INSECURE_PORT isn't ending up set on "/":

# cat /proc/net/rpc/nfsd.export/content 
#path domain(flags)
/	*,127.0.0.1(ro,root_squash,sync,no_wdelay,no_subtree_check,v4root,fsid=0,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=390003:390004:390005:1)


The pseudofs root should have permissions as permissive as any of the exports under it, otherwise a v4 client can't traverse down to the export it's looking for.

But this seems to instead be some sort of last-writer-wins behavior.

Comment 17 J. Bruce Fields 2020-12-02 02:46:28 UTC
Actually--remembering now how this works--mountd creates two exports with path "/", one with 127.0.0.1 and one with *, and it happens that * is the one that ends up matching in this case.

I think we probably need to have both exports, so we have to arrange for both of them to get the insecure flag.

I'll see if I can come up with a patch.
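
An added example, not code from this report or from nfs-utils, illustrating the two points made in comments 16 and 17: it decodes the `flags 0x...` words from the `v4root_create` debug lines using the kernel's export flag bits (`NFSEXP_INSECURE_PORT` is 0x2, so 0x12407 has it and 0x12405 does not), and it checks a `/proc/net/rpc/nfsd.export/content` dump for v4root entries that lack 'insecure' while an export beneath them has it, which is the state in which a v4 client cannot traverse the pseudofs to reach that export. The flag values are the ones from the kernel's `include/uapi/linux/nfsd/export.h`; the function names are mine, and the domain matching handles only '*' and exact addresses. The sample cache dumps are assembled from lines quoted in this bug.

```python
import re

# Added example, not nfs-utils code. Flag bits from the kernel's
# include/uapi/linux/nfsd/export.h, limited to the ones that appear in the
# v4root_create lines quoted in comment 16.
FLAG_NAMES = {
    0x0001: "NFSEXP_READONLY",
    0x0002: "NFSEXP_INSECURE_PORT",
    0x0004: "NFSEXP_ROOTSQUASH",
    0x0008: "NFSEXP_ALLSQUASH",
    0x0010: "NFSEXP_ASYNC",
    0x0020: "NFSEXP_GATHERED_WRITES",     # shown as 'wdelay' in the cache
    0x0400: "NFSEXP_NOSUBTREECHECK",
    0x2000: "NFSEXP_FSID",
    0x10000: "NFSEXP_V4ROOT",
}


def decode_flags(flags):
    """Names of the known bits set in a 'v4root_create: ... flags 0x...' word."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def parse_export_cache(text):
    """Parse /proc/net/rpc/nfsd.export/content into
    (path, [client specs], set(options)) tuples.
    Each data line has the form '<path>\\t<domain>(<opt>,<opt>,...)'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, rest = line.split(None, 1)
        m = re.fullmatch(r"([^(]+)\((.*)\)", rest.strip())
        if not m:
            raise ValueError("unparsable export cache line: " + line)
        clients = m.group(1).split(",")          # e.g. '*,127.0.0.1'
        options = set(m.group(2).split(","))
        entries.append((path, clients, options))
    return entries


def domain_covers(clients, addr):
    """Does a cache domain apply to addr? Only '*' and exact addresses are
    handled here (no netgroups, hostnames or subnets)."""
    return any(c == "*" or c == addr for c in clients)


def pseudofs_findings(entries, addr):
    """For one client address, list (v4root path, v4root domain, export path)
    triples where the v4root entry lacks 'insecure' but an export below it
    is marked 'insecure': the pseudofs is then less permissive than the
    export under it, the mismatch comment 16 describes."""
    applicable = [e for e in entries if domain_covers(e[1], addr)]
    roots = [e for e in applicable if "v4root" in e[2]]
    leaves = [e for e in applicable if "v4root" not in e[2] and "insecure" in e[2]]
    findings = []
    for rpath, rclients, ropts in roots:
        if "insecure" in ropts:
            continue
        prefix = rpath.rstrip("/") + "/"
        for lpath, _, _ in leaves:
            if lpath.startswith(prefix):
                findings.append((rpath, ",".join(rclients), lpath))
    return findings


# Constructed from the report: the failing '/' cache line (comment 16) next
# to the insecure export line from the working run in the description.
BROKEN_CACHE = """\
#path domain(flags)
/\t*,127.0.0.1(ro,root_squash,sync,no_wdelay,no_subtree_check,v4root,fsid=0,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=390003:390004:390005:1)
/srv/nfs_export2\t127.0.0.1(ro,insecure,root_squash,sync,wdelay,no_subtree_check,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=1)
"""

# The cache from the description after the wildcard entry was removed:
# every entry for 127.0.0.1 carries 'insecure', so traversal works.
FIXED_CACHE = """\
#path domain(flags)
/srv/nfs_export2\t127.0.0.1(ro,insecure,root_squash,sync,wdelay,no_subtree_check,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=1)
/\t127.0.0.1(ro,insecure,root_squash,sync,no_wdelay,no_subtree_check,v4root,fsid=0,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=390003:390004:390005:1)
/srv\t127.0.0.1(ro,insecure,root_squash,sync,no_wdelay,no_subtree_check,v4root,uuid=78e19a2c:05c8424d:b5c60aef:753975e5,sec=390003:390004:390005:1)
"""

if __name__ == "__main__":
    for word in (0x12407, 0x12405):
        print(f"flags {word:#x}: {', '.join(decode_flags(word))}")
    for name, dump in (("broken", BROKEN_CACHE), ("fixed", FIXED_CACHE)):
        print(name, pseudofs_findings(parse_export_cache(dump), "127.0.0.1"))
```

On a live server, feed the output of `cat /proc/net/rpc/nfsd.export/content` to `parse_export_cache` after a client's mount attempt; a finding for that client's address is the cache-level signature of the traversal failure in this report, and it goes away once both "/" entries carry the insecure flag as the fix arranges.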

Comment 18 J. Bruce Fields 2020-12-02 23:06:02 UTC
Patches posted upstream.  Confession: I haven't actually tested....  They seem simple enough, and it sounds like Steve and Frank both had easy reproducers set up, so I was hoping one of you wouldn't mind trying it.

https://lore.kernel.org/linux-nfs/1606949804-31417-1-git-send-email-bfields@fieldses.org/T/#t

Comment 19 Jacob Shivers 2020-12-22 21:55:38 UTC
(In reply to J. Bruce Fields from comment #18)
> Patches posted upstream.  Confession: I haven't actually tested....  They
> seem simple enough, and it sounds like Steve and Frank both had easy
> reproducers set up, so I was hoping one of you wouldn't mind trying it.
> 
> https://lore.kernel.org/linux-nfs/1606949804-31417-1-git-send-email-
> bfields/T/#t

Tested the patches. Now the 'insecure' export option is associated with the corresponding export as expected:

Hello Trevor,

Thank you for your patience while I tested the recently submitted patches.
I can confirm that the patches do allow for the expected interpretation of the insecure export option
based on the associated export.


# git clone git://git.linux-nfs.org/projects/steved/nfs-utils.git
# cd nfs-utils
# git pull master
# git checkout -b fs-mountd

# wget 'https://lore.kernel.org/linux-nfs/1606958097-9041-1-git-send-email-bfields@fieldses.org/raw' -O mountd-1.patch
# wget 'https://lore.kernel.org/linux-nfs/1606958097-9041-2-git-send-email-bfields@fieldses.org/raw' -O mountd-2.patch

# patch -p1 < mountd-1.patch
# patch -p1 < mountd-2.patch

# sh autogen.sh

# ./configure
# make
# make install

# rpc.mountd --version
rpc.mountd version 2.5.2

# mkdir -p /srv/nfs_export{1,2} /mnt/tmp
# touch /srv/nfs_export1/file_on_nfs_export1
# touch /srv/nfs_export2/file_on_nfs_export2

# cat <<EOF >> /etc/exports
> /srv/nfs_export1 *(sync,sec=sys,anonuid=65534,anongid=65534)
> /srv/nfs_export2 127.0.0.1(sync,sec=sys,anonuid=65534,anongid=65534,insecure)
> EOF

# exportfs -arv
# systemctl start nfs-server

# ssh -L 12345:127.0.0.1:2049 localhost

# mount.nfs 127.0.0.1:/srv/nfs_export2 /mnt/tmp -o port=12345,hard,sec=sys,tcp,vers=4.2
# grep /mnt/tmp /proc/self/mounts
127.0.0.1:/srv/nfs_export2 /mnt/tmp nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=12345,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1 0 0

Comment 20 Steve Dickson 2020-12-26 19:34:34 UTC
commit cb5f167cf9c2af94d9928c1ee3aa72c8e5c812f4
Author: J. Bruce Fields <bfields>
Date:   Sat Dec 26 14:21:10 2020 -0500

    mountd: never root squash on the pseudofs


commit 0b83ba9466b27a54672c75ad651ebb2535afecf1
Author: J. Bruce Fields <bfields>
Date:   Sat Dec 26 14:18:12 2020 -0500

    mountd: allow high ports on all pseudofs exports

Comment 26 Yongcheng Yang 2021-01-21 09:00:58 UTC
Verified in nfs-utils-2.3.3-41.el8:
~~~~~~~~~~~~~~~~~~~~~~~~
[root@kvm-06-guest17 ~]# ssh -L 12345:127.0.0.1:2049 localhost
root@localhost's password:
...
Last login: Thu Jan 21 03:57:28 2021 from ::1
[root@kvm-06-guest17 ~]# systemctl restart nfs-server
[root@kvm-06-guest17 ~]# rpm -q nfs-utils
nfs-utils-2.3.3-41.el8.x86_64
[root@kvm-06-guest17 ~]# exportfs -v
/srv/nfs_export2
                127.0.0.1(sync,wdelay,hide,no_subtree_check,sec=sys,ro,insecure,root_squash,no_all_squash)
/srv/nfs_export1
                <world>(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)
[root@kvm-06-guest17 ~]# mount.nfs 127.0.0.1:/srv/nfs_export2 /mnt/tmp -o port=12345,hard,sec=sys,tcp,vers=4.2
[root@kvm-06-guest17 ~]# nfsstat -m
/mnt/tmp from 127.0.0.1:/srv/nfs_export2
 Flags: rw,relatime,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,port=12345,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1

[root@kvm-06-guest17 ~]# umount /mnt/tmp/
[root@kvm-06-guest17 ~]# exit
logout
Connection to localhost closed.
[root@kvm-06-guest17 ~]#

Compared with the previous logs of failure:
~~~~~~~~~~~~~~~~~~~~~~~~~~
[root@kvm-06-guest17 ~]# exportfs -v
/srv/nfs_export2
                127.0.0.1(sync,wdelay,hide,no_subtree_check,sec=sys,ro,insecure,root_squash,no_all_squash)
/srv/nfs_export1
                <world>(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)
[root@kvm-06-guest17 ~]# mount.nfs 127.0.0.1:/srv/nfs_export2 /mnt/tmp -o port=12345,hard,sec=sys,tcp,vers=4.2
mount.nfs: Operation not permitted     <<<<<<<
[root@kvm-06-guest17 ~]# rpm -q nfs-utils
nfs-utils-2.3.3-40.el8.x86_64

Comment 28 errata-xmlrpc 2021-05-18 15:04:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (nfs-utils bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1669

