From 614529c59123d3f2a20a6ee9a99d362a7d35e5b1 Mon Sep 17 00:00:00 2001 From: Raghavendra Bhat Date: Fri, 8 Feb 2013 11:44:41 +0530 Subject: rpc: bring in root-squashing behavior in rpc * requests coming in as root are converted to nfsnobody * with open-behind some acl checks wont happen and nfsnobody can read the file "whose owner is root and other users do not have permission to read the file". This is becasue open-behind does not send the open to the brick and sends success to the application, thus the acl related tests on the file wont happen which would have prevented the file from being opened. Change-Id: I73afbfd904f0beb3a2ebe807b938ac2fecd4976b BUG: 887145 Signed-off-by: Raghavendra Bhat Reviewed-on: http://review.gluster.org/4516 Tested-by: Gluster Build System Reviewed-by: Anand Avati
---
 xlators/protocol/server/src/server.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'xlators/protocol')
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 9e60febfb..3a5f84b1d 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -993,6 +993,7 @@ reconfigure (xlator_t *this, dict_t *options)
 }
 (void) rpcsvc_set_allow_insecure (rpc_conf, options);
+ (void) rpcsvc_set_root_squash (rpc_conf, options);
 list_for_each_entry (listeners, &(rpc_conf->listeners), list) {
 if (listeners->trans != NULL) {
 if (listeners->trans->reconfigure )
@@ -1274,6 +1275,14 @@ struct volume_options options[] = {
 { .key = {"rpc-auth-allow-insecure"},
 .type = GF_OPTION_TYPE_BOOL,
 },
+ { .key = {"root-squash"},
+ .type = GF_OPTION_TYPE_BOOL,
+ .default_value = "off",
+ .description = "Map requests from uid/gid 0 to the anonymous "
+ "uid/gid. Note that this does not apply to any other"
+ "uids or gids that might be equally sensitive, such as"
+ "user bin or group staff."
+ },
 { .key = {"statedump-path"},
 .type = GF_OPTION_TYPE_PATH,
 .default_value = DEFAULT_VAR_RUN_DIRECTORY,
-- cgit
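Review bot: The result of `rpcsvc_set_root_squash (rpc_conf, options)` in `reconfigure` is discarded with `(void)`, so if the setter can fail, the server would silently keep the previous uid mapping for an access-control option. Its definition is not on this page (the diff is limited to xlators/protocol), so this is to be confirmed; if it does return an error, check it and log, e.g. `if (rpcsvc_set_root_squash (rpc_conf, options)) gf_log (this->name, GF_LOG_WARNING, "failed to apply root-squash");`. This file only gains the call on the reconfigure path, so it is also worth confirming that the option is applied at initial start-up and not only after a later reconfigure. The body of `reconfigure` starts and ends outside the hunk.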
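Review bot: The second and third literals of `.description` in the new `root-squash` entry end without a trailing space, so the concatenated help text reads "any otheruids or gids" and "such asuser bin". Add the space inside the quotes, as the first literal already does: `"uid/gid. Note that this does not apply to any other "` and `"uids or gids that might be equally sensitive, such as "`. Because `.default_value` is `"off"`, operators have to opt in to squashing, so the description should also state which anonymous uid/gid root is mapped to; the commit message mentions nfsnobody but the help text does not.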