[
https://issues.apache.org/jira/browse/HDFS-6439?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Brandon Li updated HDFS-6439:
-----------------------------
Attachment: linux-nfs-disallow-request-from-nonsecure-port.pcapng
By default, the Linux NFS server denies requests from nonsecure ports. I've collected
the network trace while I tried to mount a Linux export from a MacOS NFS
client. Since the MacOS NFS client uses a nonsecure port by default, the mount
request failed with the error "Operation not permitted".
I've uploaded the trace file
linux-nfs-disallow-request-from-nonsecure-port.pcapng. From Wireshark (filter
"rpc"), we can see the NFS GETATTR request failed with NFS3ERR_PERM.
To have the same behavior, we can add one more check in
RpcProgramNfs3#checkAccessPrivilege: if the request is from a non-secure port and port
monitoring is enabled, we return false. This change requires
ChannelHandlerContext to be passed from handleInternal() to each request
handler such as read()/write()/getattr()....
> NFS should not reject NFS requests to the NULL procedure whether port
> monitoring is enabled or not
> --------------------------------------------------------------------------------------------------
>
> Key: HDFS-6439
> URL: https://issues.apache.org/jira/browse/HDFS-6439
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: nfs
> Affects Versions: 2.4.0
> Reporter: Brandon Li
> Assignee: Aaron T. Myers
> Attachments: HDFS-6439.patch, HDFS-6439.patch,
> linux-nfs-disallow-request-from-nonsecure-port.pcapng,
> mount-nfs-requests.pcapng
>
>
> As discussed in HDFS-6406, this JIRA is to track the following updates:
> 1. Port monitoring is the feature name with traditional NFS servers and we may
> want to make the config property (along with the related variable
> allowInsecurePorts) something like dfs.nfs.port.monitoring.
> 2. According to RFC2623 (http://www.rfc-editor.org/rfc/rfc2623.txt):
> {quote} Whether port monitoring is enabled or not, NFS servers SHOULD NOT
> reject NFS requests to the NULL procedure (procedure number 0). See
> subsection 2.3.1, "NULL procedure" for a complete explanation. {quote}
> I do notice that NFS clients (most of the time) send mount NULL and nfs NULL from
> a non-privileged port. If we deny the NULL call in mountd or the nfs server, the client
> can't mount the export even as user root.
> 3. It would be nice to have the user guide updated for the port monitoring
> feature.
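The check discussed in this thread, as an added stand-alone example (not code from the HDFS-6439 patch or from Hadoop): with port monitoring enabled, the NULL procedure is always answered, and any other procedure from a source port of 1024 or above gets NFS3ERR_PERM. The class and method names are hypothetical, the status and procedure numbers are those of RFC 1813, and the sample addresses are constructed.

```java
import java.net.InetSocketAddress;
import java.net.SocketAddress;

/** Hypothetical sketch of a port-monitoring check; not Hadoop's RpcProgramNfs3. */
public class PortMonitoringCheck {
    static final int NFS3_OK = 0;               // RFC 1813 status codes
    static final int NFS3ERR_PERM = 1;
    static final int NFSPROC3_NULL = 0;         // RFC 1813 procedure numbers
    static final int NFSPROC3_GETATTR = 1;
    static final int FIRST_UNPRIVILEGED_PORT = 1024; // ports below this need root to bind

    private final boolean portMonitoring;

    PortMonitoringCheck(boolean portMonitoring) {
        this.portMonitoring = portMonitoring;
    }

    /** Returns true when the request may be dispatched to its handler. */
    boolean isAllowed(int procedure, SocketAddress remote) {
        if (!portMonitoring) {
            return true;                         // feature off: no source-port check
        }
        if (procedure == NFSPROC3_NULL) {
            return true;                         // RFC 2623: never reject NULL
        }
        if (!(remote instanceof InetSocketAddress)) {
            return false;                        // port cannot be verified: fail closed
        }
        int port = ((InetSocketAddress) remote).getPort();
        return port > 0 && port < FIRST_UNPRIVILEGED_PORT;
    }

    /** Maps the decision to the NFSv3 status the client would see. */
    int status(int procedure, SocketAddress remote) {
        return isAllowed(procedure, remote) ? NFS3_OK : NFS3ERR_PERM;
    }

    public static void main(String[] args) {
        // Constructed client addresses (documentation range 192.0.2.0/24).
        SocketAddress privileged = new InetSocketAddress("192.0.2.10", 873);
        SocketAddress unprivileged = new InetSocketAddress("192.0.2.10", 50123);

        PortMonitoringCheck on = new PortMonitoringCheck(true);
        PortMonitoringCheck off = new PortMonitoringCheck(false);
        System.out.println("NULL, high port, monitoring on:     " + on.status(NFSPROC3_NULL, unprivileged));
        System.out.println("GETATTR, high port, monitoring on:  " + on.status(NFSPROC3_GETATTR, unprivileged));
        System.out.println("GETATTR, low port, monitoring on:   " + on.status(NFSPROC3_GETATTR, privileged));
        System.out.println("GETATTR, high port, monitoring off: " + off.status(NFSPROC3_GETATTR, unprivileged));
    }
}
```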