diff options
| author | Raghavendra Bhat <raghavendra@redhat.com> | 2013-02-08 11:44:41 +0530 |
|---|---|---|
| committer | Vijay Bellur <vbellur@redhat.com> | 2013-03-04 23:44:04 -0800 |
| commit | b24003342eb707027982599a7bac485fe3b9f465 (patch) | |
| tree | e968205bfbf888c4d0e1709ccdbeecb2db763682 /xlators/protocol | |
| parent | cd4736baba8a60d007bff6ed633f9feba9862bfb (diff) | |
rpc: bring in root-squashing behavior in rpc
* requests coming in as root are converted to nfsnobody
* with open-behind some acl checks wont happen and nfsnobody
can read the file "whose owner is root and other users do not
have permission to read the file". This is becasue open-behind
does not send the open to the brick and sends success to the
application, thus the acl related tests on the file wont happen
which would have prevented the file from being opened.
Change-Id: I12a3e6b2a12884d00bb81f2779074fed09b1b2e4
BUG: 887145
Signed-off-by: Raghavendra Bhat <raghavendra@redhat.com>
Reviewed-on: http://review.gluster.org/4619
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
Diffstat (limited to 'xlators/protocol')
| -rw-r--r-- | xlators/protocol/server/src/server.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c index 9e60febfb53..3a5f84b1dd8 100644 --- a/xlators/protocol/server/src/server.c +++ b/xlators/protocol/server/src/server.c @@ -993,6 +993,7 @@ reconfigure (xlator_t *this, dict_t *options) } (void) rpcsvc_set_allow_insecure (rpc_conf, options); + (void) rpcsvc_set_root_squash (rpc_conf, options); list_for_each_entry (listeners, &(rpc_conf->listeners), list) { if (listeners->trans != NULL) { if (listeners->trans->reconfigure ) @@ -1274,6 +1275,14 @@ struct volume_options options[] = { { .key = {"rpc-auth-allow-insecure"}, .type = GF_OPTION_TYPE_BOOL, }, + { .key = {"root-squash"}, + .type = GF_OPTION_TYPE_BOOL, + .default_value = "off", + .description = "Map requests from uid/gid 0 to the anonymous " + "uid/gid. Note that this does not apply to any other" + "uids or gids that might be equally sensitive, such as" + "user bin or group staff." + }, { .key = {"statedump-path"}, .type = GF_OPTION_TYPE_PATH, .default_value = DEFAULT_VAR_RUN_DIRECTORY, |