From f7d4d2acec25b71b0f27a31712e74e294947a5ad Mon Sep 17 00:00:00 2001
From: fvdl <fvdl@NetBSD.org>
Date: Sun, 30 Mar 1997 20:53:31 +0000
Subject: [PATCH] Split handling reserved port handling for NFS rpcs and mount
 rpcs up; -noresport -> -noresvport, and new option: -noresvmnt

Include a warning in the exports manual page on how -alldirs does
not guarantee that all accesses from a client stay below the mounted
subdirectory.
---
 sbin/mountd/exports.5     | 26 ++++++++++++++++------
 sbin/mountd/mountd.8      |  2 +-
 sbin/mountd/mountd.c      | 47 +++++++++++++++++++++------------------
 usr.sbin/mountd/exports.5 | 26 ++++++++++++++++------
 usr.sbin/mountd/mountd.8  |  2 +-
 usr.sbin/mountd/mountd.c  | 47 +++++++++++++++++++++------------------
 6 files changed, 90 insertions(+), 60 deletions(-)

diff --git a/sbin/mountd/exports.5 b/sbin/mountd/exports.5
index 2c36b74efe66..ec7aa80c58a5 100644
--- a/sbin/mountd/exports.5
+++ b/sbin/mountd/exports.5
@@ -1,4 +1,4 @@
-.\"	$NetBSD: exports.5,v 1.10 1997/03/23 20:58:14 fvdl Exp $
+.\"	$NetBSD: exports.5,v 1.11 1997/03/30 20:53:31 fvdl Exp $
 .\"
 .\" Copyright (c) 1989, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -78,7 +78,12 @@ flag;
 this form allows the host(s) to mount at any point within the filesystem,
 including regular files if the
 .Fl r
-option is used on mountd.
+option is used on mountd. Note that the
+.Fl alldirs
+option should not be used as a security measure to make clients mount
+only those subdirectories that they should have access to. A client
+can still access the whole filesystem via individual RPCs if it
+wanted to, even if just one subdirectory has been mounted.
 The pathnames must not have any symbolic links in them and should not have
 any "." or ".." components.
 Mount points for a filesystem may appear on multiple lines each with
@@ -160,11 +165,18 @@ is a synonym for
 in an effort to be backward compatible with older export file formats.
 .Pp
 The
-.Fl noresport
-option specifies that requests for the filesystem do not have to come
-from reserved ports. Normally clients are required to use reserved
-ports for operations. This includes mount/unmount as well as individual
-NFS requests.
+.Fl noresvport
+option specifies that NFS RPC calls for the filesystem do not have to come
+from reserved ports. Normally, clients are required to use reserved
+ports for operations. Using this option decreases the security of your
+system.
+.Pp
+The
+.Fl noresvmnt
+option specifies that mount RPC requests for the filesystem do not have
+to come from reserved ports. Normally, clients are required to use reserved
+ports for mount requests. Using this option decreases the security of
+your system.
 .Pp
 The third component of a line specifies the host set to which the line applies.
 The set may be specified in three ways.
diff --git a/sbin/mountd/mountd.8 b/sbin/mountd/mountd.8
index a4ba371b9701..d2e4d8806608 100644
--- a/sbin/mountd/mountd.8
+++ b/sbin/mountd/mountd.8
@@ -1,4 +1,4 @@
-.\"	$NetBSD: mountd.8,v 1.13 1997/03/23 20:58:16 fvdl Exp $
+.\"	$NetBSD: mountd.8,v 1.14 1997/03/30 20:53:32 fvdl Exp $
 .\"
 .\" Copyright (c) 1989, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
diff --git a/sbin/mountd/mountd.c b/sbin/mountd/mountd.c
index dab12a75276a..23a08a0e36cb 100644
--- a/sbin/mountd/mountd.c
+++ b/sbin/mountd/mountd.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: mountd.c,v 1.36 1997/03/23 20:58:18 fvdl Exp $	*/
+/*	$NetBSD: mountd.c,v 1.37 1997/03/30 20:53:33 fvdl Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -52,7 +52,7 @@ static char copyright[] =
 #if 0
 static char sccsid[] = "@(#)mountd.c  8.15 (Berkeley) 5/1/95";
 #else
-static char rcsid[] = "$NetBSD: mountd.c,v 1.36 1997/03/23 20:58:18 fvdl Exp $";
+static char rcsid[] = "$NetBSD: mountd.c,v 1.37 1997/03/30 20:53:33 fvdl Exp $";
 #endif
 #endif /* not lint */
 
@@ -111,7 +111,7 @@ struct dirlist {
 #define	DP_DEFSET	0x1
 #define DP_HOSTSET	0x2
 #define DP_KERB		0x4
-#define DP_NORESPORT	0x8
+#define DP_NORESMNT	0x8
 
 struct exportlist {
 	struct exportlist *ex_next;
@@ -227,14 +227,15 @@ struct ucred def_anon = {
 };
 int opt_flags;
 /* Bits for above */
-#define	OP_MAPROOT	0x01
-#define	OP_MAPALL	0x02
-#define	OP_KERB		0x04
-#define	OP_MASK		0x08
-#define	OP_NET		0x10
-#define	OP_ISO		0x20
-#define	OP_ALLDIRS	0x40
-#define OP_NORESPORT	0x80
+#define	OP_MAPROOT	0x001
+#define	OP_MAPALL	0x002
+#define	OP_KERB		0x004
+#define	OP_MASK		0x008
+#define	OP_NET		0x010
+#define	OP_ISO		0x020
+#define	OP_ALLDIRS	0x040
+#define OP_NORESPORT	0x080
+#define OP_NORESMNT	0x100
 
 int debug = 0;
 void	SYSLOG __P((int, const char *, ...));
@@ -387,7 +388,7 @@ mntsrv(rqstp, transp)
 		     (defset && scan_tree(ep->ex_defdir, saddr.s_addr) == 0 &&
 		      scan_tree(ep->ex_dirl, saddr.s_addr) == 0))) {
 			if (sport >= IPPORT_RESERVED &&
-			    !(hostset & DP_NORESPORT)) {
+			    !(hostset & DP_NORESMNT)) {
 				syslog(LOG_NOTICE,
 				       "Refused mount RPC from host %s port %d",
 				       inet_ntoa(saddr), sport);
@@ -1057,14 +1058,14 @@ hang_dirp(dp, grp, ep, flags)
 			ep->ex_defdir->dp_flag |= DP_DEFSET;
 			if (flags & OP_KERB)
 				ep->ex_defdir->dp_flag |= DP_KERB;
-			if (flags & OP_NORESPORT)
-				ep->ex_defdir->dp_flag |= DP_NORESPORT;
+			if (flags & OP_NORESMNT)
+				ep->ex_defdir->dp_flag |= DP_NORESMNT;
 		} else while (grp) {
 			hp = get_ht();
 			if (flags & OP_KERB)
 				hp->ht_flag |= DP_KERB;
-			if (flags & OP_NORESPORT)
-				hp->ht_flag |= DP_NORESPORT;
+			if (flags & OP_NORESMNT)
+				hp->ht_flag |= DP_NORESMNT;
 			hp->ht_grp = grp;
 			hp->ht_next = ep->ex_defdir->dp_hosts;
 			ep->ex_defdir->dp_hosts = hp;
@@ -1123,8 +1124,8 @@ add_dlist(dpp, newdp, grp, flags)
 			hp = get_ht();
 			if (flags & OP_KERB)
 				hp->ht_flag |= DP_KERB;
-			if (flags & OP_NORESPORT)
-				hp->ht_flag |= DP_NORESPORT;
+			if (flags & OP_NORESMNT)
+				hp->ht_flag |= DP_NORESMNT;
 			hp->ht_grp = grp;
 			hp->ht_next = dp->dp_hosts;
 			dp->dp_hosts = hp;
@@ -1134,8 +1135,8 @@ add_dlist(dpp, newdp, grp, flags)
 		dp->dp_flag |= DP_DEFSET;
 		if (flags & OP_KERB)
 			dp->dp_flag |= DP_KERB;
-		if (flags & OP_NORESPORT)
-			dp->dp_flag |= DP_NORESPORT;
+		if (flags & OP_NORESMNT)
+			dp->dp_flag |= DP_NORESMNT;
 	}
 }
 
@@ -1327,7 +1328,9 @@ do_opt(cpp, endcpp, ep, grp, has_hostp, exflagsp, cr)
 			opt_flags |= OP_NET;
 		} else if (!strcmp(cpopt, "alldirs")) {
 			opt_flags |= OP_ALLDIRS;
-		} else if (!strcmp(cpopt, "noresport")) {
+		} else if (!strcmp(cpopt, "noresvmnt")) {
+			opt_flags |= OP_NORESMNT;
+		} else if (!strcmp(cpopt, "noresvport")) {
 			opt_flags |= OP_NORESPORT;
 			*exflagsp |= MNT_EXNORESPORT;
 #ifdef ISO
@@ -1920,7 +1923,7 @@ del_mlist(hostp, dirp, saddr)
 	while (mlp) {
 		if (!strcmp(mlp->ml_host, hostp) &&
 		    (!dirp || !strcmp(mlp->ml_dirp, dirp))) {
-			if (!(mlp->ml_flag & DP_NORESPORT) &&
+			if (!(mlp->ml_flag & DP_NORESMNT) &&
 			    ntohs(sin->sin_port) >= IPPORT_RESERVED) {
 				syslog(LOG_NOTICE,
 				   "Umount request for %s:%s from %s refused\n",
diff --git a/usr.sbin/mountd/exports.5 b/usr.sbin/mountd/exports.5
index 2c36b74efe66..ec7aa80c58a5 100644
--- a/usr.sbin/mountd/exports.5
+++ b/usr.sbin/mountd/exports.5
@@ -1,4 +1,4 @@
-.\"	$NetBSD: exports.5,v 1.10 1997/03/23 20:58:14 fvdl Exp $
+.\"	$NetBSD: exports.5,v 1.11 1997/03/30 20:53:31 fvdl Exp $
 .\"
 .\" Copyright (c) 1989, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -78,7 +78,12 @@ flag;
 this form allows the host(s) to mount at any point within the filesystem,
 including regular files if the
 .Fl r
-option is used on mountd.
+option is used on mountd. Note that the
+.Fl alldirs
+option should not be used as a security measure to make clients mount
+only those subdirectories that they should have access to. A client
+can still access the whole filesystem via individual RPCs if it
+wanted to, even if just one subdirectory has been mounted.
 The pathnames must not have any symbolic links in them and should not have
 any "." or ".." components.
 Mount points for a filesystem may appear on multiple lines each with
@@ -160,11 +165,18 @@ is a synonym for
 in an effort to be backward compatible with older export file formats.
 .Pp
 The
-.Fl noresport
-option specifies that requests for the filesystem do not have to come
-from reserved ports. Normally clients are required to use reserved
-ports for operations. This includes mount/unmount as well as individual
-NFS requests.
+.Fl noresvport
+option specifies that NFS RPC calls for the filesystem do not have to come
+from reserved ports. Normally, clients are required to use reserved
+ports for operations. Using this option decreases the security of your
+system.
+.Pp
+The
+.Fl noresvmnt
+option specifies that mount RPC requests for the filesystem do not have
+to come from reserved ports. Normally, clients are required to use reserved
+ports for mount requests. Using this option decreases the security of
+your system.
 .Pp
 The third component of a line specifies the host set to which the line applies.
 The set may be specified in three ways.
diff --git a/usr.sbin/mountd/mountd.8 b/usr.sbin/mountd/mountd.8
index a4ba371b9701..d2e4d8806608 100644
--- a/usr.sbin/mountd/mountd.8
+++ b/usr.sbin/mountd/mountd.8
@@ -1,4 +1,4 @@
-.\"	$NetBSD: mountd.8,v 1.13 1997/03/23 20:58:16 fvdl Exp $
+.\"	$NetBSD: mountd.8,v 1.14 1997/03/30 20:53:32 fvdl Exp $
 .\"
 .\" Copyright (c) 1989, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
diff --git a/usr.sbin/mountd/mountd.c b/usr.sbin/mountd/mountd.c
index dab12a75276a..23a08a0e36cb 100644
--- a/usr.sbin/mountd/mountd.c
+++ b/usr.sbin/mountd/mountd.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: mountd.c,v 1.36 1997/03/23 20:58:18 fvdl Exp $	*/
+/*	$NetBSD: mountd.c,v 1.37 1997/03/30 20:53:33 fvdl Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -52,7 +52,7 @@ static char copyright[] =
 #if 0
 static char sccsid[] = "@(#)mountd.c  8.15 (Berkeley) 5/1/95";
 #else
-static char rcsid[] = "$NetBSD: mountd.c,v 1.36 1997/03/23 20:58:18 fvdl Exp $";
+static char rcsid[] = "$NetBSD: mountd.c,v 1.37 1997/03/30 20:53:33 fvdl Exp $";
 #endif
 #endif /* not lint */
 
@@ -111,7 +111,7 @@ struct dirlist {
 #define	DP_DEFSET	0x1
 #define DP_HOSTSET	0x2
 #define DP_KERB		0x4
-#define DP_NORESPORT	0x8
+#define DP_NORESMNT	0x8
 
 struct exportlist {
 	struct exportlist *ex_next;
@@ -227,14 +227,15 @@ struct ucred def_anon = {
 };
 int opt_flags;
 /* Bits for above */
-#define	OP_MAPROOT	0x01
-#define	OP_MAPALL	0x02
-#define	OP_KERB		0x04
-#define	OP_MASK		0x08
-#define	OP_NET		0x10
-#define	OP_ISO		0x20
-#define	OP_ALLDIRS	0x40
-#define OP_NORESPORT	0x80
+#define	OP_MAPROOT	0x001
+#define	OP_MAPALL	0x002
+#define	OP_KERB		0x004
+#define	OP_MASK		0x008
+#define	OP_NET		0x010
+#define	OP_ISO		0x020
+#define	OP_ALLDIRS	0x040
+#define OP_NORESPORT	0x080
+#define OP_NORESMNT	0x100
 
 int debug = 0;
 void	SYSLOG __P((int, const char *, ...));
@@ -387,7 +388,7 @@ mntsrv(rqstp, transp)
 		     (defset && scan_tree(ep->ex_defdir, saddr.s_addr) == 0 &&
 		      scan_tree(ep->ex_dirl, saddr.s_addr) == 0))) {
 			if (sport >= IPPORT_RESERVED &&
-			    !(hostset & DP_NORESPORT)) {
+			    !(hostset & DP_NORESMNT)) {
 				syslog(LOG_NOTICE,
 				       "Refused mount RPC from host %s port %d",
 				       inet_ntoa(saddr), sport);
@@ -1057,14 +1058,14 @@ hang_dirp(dp, grp, ep, flags)
 			ep->ex_defdir->dp_flag |= DP_DEFSET;
 			if (flags & OP_KERB)
 				ep->ex_defdir->dp_flag |= DP_KERB;
-			if (flags & OP_NORESPORT)
-				ep->ex_defdir->dp_flag |= DP_NORESPORT;
+			if (flags & OP_NORESMNT)
+				ep->ex_defdir->dp_flag |= DP_NORESMNT;
 		} else while (grp) {
 			hp = get_ht();
 			if (flags & OP_KERB)
 				hp->ht_flag |= DP_KERB;
-			if (flags & OP_NORESPORT)
-				hp->ht_flag |= DP_NORESPORT;
+			if (flags & OP_NORESMNT)
+				hp->ht_flag |= DP_NORESMNT;
 			hp->ht_grp = grp;
 			hp->ht_next = ep->ex_defdir->dp_hosts;
 			ep->ex_defdir->dp_hosts = hp;
@@ -1123,8 +1124,8 @@ add_dlist(dpp, newdp, grp, flags)
 			hp = get_ht();
 			if (flags & OP_KERB)
 				hp->ht_flag |= DP_KERB;
-			if (flags & OP_NORESPORT)
-				hp->ht_flag |= DP_NORESPORT;
+			if (flags & OP_NORESMNT)
+				hp->ht_flag |= DP_NORESMNT;
 			hp->ht_grp = grp;
 			hp->ht_next = dp->dp_hosts;
 			dp->dp_hosts = hp;
@@ -1134,8 +1135,8 @@ add_dlist(dpp, newdp, grp, flags)
 		dp->dp_flag |= DP_DEFSET;
 		if (flags & OP_KERB)
 			dp->dp_flag |= DP_KERB;
-		if (flags & OP_NORESPORT)
-			dp->dp_flag |= DP_NORESPORT;
+		if (flags & OP_NORESMNT)
+			dp->dp_flag |= DP_NORESMNT;
 	}
 }
 
@@ -1327,7 +1328,9 @@ do_opt(cpp, endcpp, ep, grp, has_hostp, exflagsp, cr)
 			opt_flags |= OP_NET;
 		} else if (!strcmp(cpopt, "alldirs")) {
 			opt_flags |= OP_ALLDIRS;
-		} else if (!strcmp(cpopt, "noresport")) {
+		} else if (!strcmp(cpopt, "noresvmnt")) {
+			opt_flags |= OP_NORESMNT;
+		} else if (!strcmp(cpopt, "noresvport")) {
 			opt_flags |= OP_NORESPORT;
 			*exflagsp |= MNT_EXNORESPORT;
 #ifdef ISO
@@ -1920,7 +1923,7 @@ del_mlist(hostp, dirp, saddr)
 	while (mlp) {
 		if (!strcmp(mlp->ml_host, hostp) &&
 		    (!dirp || !strcmp(mlp->ml_dirp, dirp))) {
-			if (!(mlp->ml_flag & DP_NORESPORT) &&
+			if (!(mlp->ml_flag & DP_NORESMNT) &&
 			    ntohs(sin->sin_port) >= IPPORT_RESERVED) {
 				syslog(LOG_NOTICE,
 				   "Umount request for %s:%s from %s refused\n",