Projects: ASC/ICSI Linux NFSv4 Alpha Code

The alpha code presented on this web page adds the following features to the Linux NFSv4 implementation:

These features will eventually be added to the mainstream kernel.

Update log

linux-2.6.18-rc5 Kernel patches

NOTE: To compile, please select these kernel configuration features:

Apply these patches in order

nfs-utils patches

The latest all-in-one patch to nfs-utils-1.0.10 is nfs-utils-1.0.10-asci-CITI_NFS4_ALL-2

Also available as separate patches with comments for developers.

Additional required patches applied after nfs-utils-1.0.10-asci-CITI_NFS4_ALL-2

Usage notes

The full release of nfs-utils-1.0.10: nfs-utils-1.0.10.tar.gz (also available from SourceForge)

Kerberos patches

A patch to add a new keyring credential cache type to MIT Kerberos can be found here:

If your distribution does not have a keyutils package, you can find it here. Note that the keyutils package needs to be installed prior to building Kerberos with the keyring credentials cache feature.

Be sure to check the libgssapi_krb5.so path in your client's /etc/gssapi_mech.conf to ensure it points to the new library.

Usage notes

After applying the patch, run ./src/util/reconf to regenerate configure files before building the code.

With the 20060920 and later patches, you must specify --enable-keyring-ccache to enable the keyring ccache code (and make it the default ccache type). (Note that PAM and/or sshd often set the KRB5CCNAME environment variable, which will override the default.)

In addition to "KEYRING:", you can also specify "KEYRING:process:" or "KEYRING:thread:". However, these are only useful in long-running processes or threads. If you specify one of them via KRB5CCNAME and then run kinit, the credentials will be created and will immediately go away when kinit completes.
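A quick check of the two settings above, as an added example that is not part of the original page or the project's code: it classifies a KRB5CCNAME value the way the notes describe and lists library paths from a gssapi_mech.conf that do not exist on disk. The function names are hypothetical, and the file format is an assumption (one entry per line, library path as the first field, # for comments).

```shell
#!/bin/sh
# Added example: sanity checks for the keyring ccache setup.
# Function names are hypothetical; the gssapi_mech.conf format is assumed.

# Classify a credential cache name. $1 = value of KRB5CCNAME (may be empty).
classify_ccname() {
    case "$1" in
        "")
            echo default ;;     # unset: the library's default ccache type applies
        KEYRING:process:*|KEYRING:thread:*)
            echo ephemeral ;;   # credentials vanish when the kinit process exits
        KEYRING:*)
            echo keyring ;;
        *)
            echo override ;;    # some other type, e.g. set by PAM or sshd
    esac
}

# Print every absolute library path in the given config file that is missing.
# $1 = path to a gssapi_mech.conf-style file.
# Returns 0 if all listed absolute paths exist, 1 otherwise.
missing_mech_libs() {
    rc=0
    # "|| [ -n "$lib" ]" keeps a final line that has no trailing newline.
    while read -r lib _rest || [ -n "$lib" ]; do
        case "$lib" in
            ""|\#*) continue ;;          # blank line or comment
            /*) ;;                       # absolute path: check it
            *) continue ;;               # bare name: left to the dynamic loader
        esac
        [ -e "$lib" ] || { echo "$lib"; rc=1; }
    done < "$1"
    return "$rc"
}

# Stand-alone use: report on the current environment.
echo "KRB5CCNAME is: $(classify_ccname "${KRB5CCNAME:-}")"
if [ -r /etc/gssapi_mech.conf ]; then
    missing_mech_libs /etc/gssapi_mech.conf || echo "fix the paths listed above"
fi
```

A result of "override" in a login session usually means PAM or sshd set KRB5CCNAME, so the keyring default is not in effect there.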

The Kerberos source code can be obtained from the MIT Distribution Page.

Vulnerability Testing Tools

htools-20060831.tar.gz
htools-20060829.tar.gz (old)
htools-20060823.tar.gz (old)
htools.tar.gz (old)
These are the "hacker" tools, commonly used to demonstrate vulnerabilities in NFSv3. We are extending them to do the same in NFSv4. The tools work with auth_sys mounts but are completely defeated by auth_krb. See the Readme files for build and usage instructions.

newpynfs20060822.tar.gz
A client that can be used to send RPCs interactively, and some tests that enable uid/gid spoofing and fh probing.

mount
This is the standard Linux mount command, extended to allow mounting by file handle. This is used to bypass the export security built into the mount protocol (v3) or pseudo-fs traversal (v4).

filesnarf
This is a file sniffing tool from the dsniff test suite. It passively sniffs RPC traffic and reconstructs file contents. We have extended it to v4 and to display the contents in real time.

ACL and Security Testing Tools

acl-test-20060929.tar.gz
acl-test-20060922.tar.gz (old)
Test tools and scripts to demonstrate that ACL and security identity work and are correctly configured.

nfs4-acl-tools-0.3.2.tar.gz (updated 2007-10-22)
Command-line tools nfs4_getfacl and nfs4_setfacl, as well as a GUI (Qt-based) ACL editor (see a screenshot). We're working on bugfixes and features; please direct any email to nfsv4@linux-nfs.org. Thanks.

Configuration Testing Tools

parser.py
A simple /etc/exports parser for configuration testing.

checkfacl.c
A simple ACL parsing and testing tool.