
Projects: ASC/ICSI Linux NFSv4 Alpha Code

The alpha code presented on this web page adds the following features to the Linux NFSv4 implementation:

  • Client use of the kernel credential keyring
  • Client bug fix for referrals
  • Server exporting different security flavors per netgroup
These features will eventually be added to the mainstream kernel.

Update log

  • Wed Aug 23 11:23:26 EDT 2006 Original code drop.
  • Wed Aug 23 16:36:26 EDT 2006 Update htools for filesnarf lookup/open
  • Tue Aug 29 16:12:43 EDT 2006 Update htools for mount nfs4 kernel patch
  • Wed Aug 30 15:02:42 EDT 2006 linux-2.6.18-rc5 kernel patches
  • Thu Aug 31 16:58:59 EDT 2006 Update htools for filesnarf tcp checksum and no-promiscuous
  • Tue Sep 5 16:03:02 EDT 2006 new linux-2.6.18-rc5 kernel patch - 2.6.18-rc5-referral-path-walk.patch
  • Mon Sep 18 15:24:34 EDT 2006 new linux-2.6.18-rc5 kernel patch - 2.6.18-rc5-nfsd-cross-mnt-error-fix.patch
  • Wed Sep 20 19:53:05 EDT 2006 new Kerberos keyring ccache patch
  • Sat Sep 23 19:02:56 EDT 2006 new nfs-utils patches
  • Fri Sep 29 17:11:27 EDT 2006 updated acl testing tool and new acl parser
  • Mon Oct 2 19:02:28 EDT 2006 Updated ACL commandline and GUI tools, added screenshot
  • Tue Oct 3 15:29:07 EDT 2006 Bugfixes in ACL tools
  • Thu Oct 19 12:00:53 EDT 2006 Common client credential cache, common upcall pipe, client and server SECINFO kernel patches
  • Thu Oct 19 12:00:53 EDT 2006 Keyring and common upcall nfs-utils patches
  • Fri Oct 20 16:15:16 EDT 2006 Kernel 2.6.18-rc5-rpc-common-auth-unix.patch and 2.6.18-rc5-rpc-common-credcache-fix.patch
  • Tue Oct 24 19:24:14 EDT 2006 Updated ACL tools: working build scripts, "nfs4_editfacl", bit more documentation
  • Wed Oct 25 16:20:28 EDT 2006 Updated ACL tools: include workaround for Qt. 4.2.1 API bug in GUI tool
  • Thu Oct 26 18:56:09 EDT 2006 Updated ACL tools: fixed contextual menu integration for KDE and GNOME
  • Wed Nov 15 15:47:43 EST 2006 Updated ACL tools: big changes to nfs4_setfacl, better file dialog in nfs4-acl-editor
  • Wed Feb 28 00:53:45 EST 2007 Updated ACL tools: version 0.3.0 (includes manpages, bugfixes; see CHANGELOG)
  • Thu Mar 8 13:55:59 EST 2007 Updated ACL tools: version 0.3.1 (documentation and build fixes; no new features)
  • Mon Oct 22 18:21:29 EDT 2007 Updated ACL tools: version 0.3.2 (set ACL recursively on dir tree; permissions "aliases")

linux-2.6.18-rc5 Kernel patches

NOTE: To compile, please select these kernel configuration features:
  • "Security options->Enable access key retention support"
  • "File systems->Network File Systems->Secure RPC Keyring Support (EXPERIMENTAL)"

Apply these patches in order

nfs-utils patches

The latest all-in-one patch to nfs-utils-1.0.10 is nfs-utils-1.0.10-asci-CITI_NFS4_ALL-2

Also available as separate patches with comments for developers.

Additional required patches applied after nfs-utils-1.0.10-asci-CITI_NFS4_ALL-2

Usage notes

  • You must use "--enable-mount" when configuring nfs-utils because the mount program within nfs-utils is not yet built by default.
  • The Kerberos patch is not necessary for basic user access to work. However, thread-level or process-level access requires the thread-level or process-level Kerberos credentials cache. The mount program uses process-level credentials.
  • utils/mount/mount.nfs has been modified to obtain Kerberos credentials for a krb5[ip] mount. This mount program must be used; otherwise gssd will not find credentials to negotiate a context for the mount.
    % ../utils/mount/mount.nfs /mntpath -t nfs4 -o sec=krb5
  • Users must currently run utils/gssd/nfslogin to tell gssd where their credentials are before they can access filesystems mounted with Kerberos. It is assumed that the PAM module will be modified to make this call automatically upon login.
    % kinit
    % ../utils/gssd/nfslogin
  • The /etc/exports file can take some new options: sec= and refer=.
    To give everyone read access, and Kerberos users read/write access:
    /export *(fsid=0,no_subtree_check,nohide,insecure,sync,sec=sys,ro,sec=krb5:krb5i:krb5p,rw)
    (Note the sec= option currently affects only the ro and rw options.)

    To enable a referral:

    /export/fsloc *(no_subtree_check,nohide,insecure,refer=/build@,sync)
  • Our SECINFO implementation requires that each export under the server pseudo-filesystem that has different security have a unique fsid. So, if a server exports multiple directories from the same partition, the export option fsid=X must be used.
  • Our SECINFO implementation also requires that the server pseudo-filesystem root exports the union of the security flavors of its leaves.
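
The two SECINFO requirements and the left-to-right sec= semantics above can be checked mechanically before an exports file is deployed. The following is an added example, not code from this project or from nfs-utils; the sample exports are constructed, and it assumes one client per line, a default flavor of sys when no sec= has been seen, and that all listed exports share a partition.

```python
import re

# Constructed sample in the /etc/exports syntax shown above (not a real server's file).
SAMPLE = """\
/export *(fsid=0,no_subtree_check,sync,sec=sys,ro,sec=krb5:krb5i,rw)
/export/home *(fsid=1,no_subtree_check,sync,sec=krb5p,rw)
/export/pub *(fsid=1,no_subtree_check,sync,sec=sys,ro)
"""

def parse_exports(text):
    """Return {path: {"fsid": str or None, "access": {flavor: "ro" or "rw"}}}."""
    exports = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+\S*?\(([^)]*)\)", line)
        if not m or line.lstrip().startswith("#"):
            continue
        flavors, fsid, access = ["sys"], None, {}  # assumed default: sys
        for opt in m.group(2).split(","):
            if opt.startswith("sec="):
                flavors = opt[4:].split(":")
            elif opt.startswith("fsid="):
                fsid = opt[5:]
            elif opt in ("ro", "rw"):  # sec= governs the ro/rw that follows it
                access.update({f: opt for f in flavors})
        exports[m.group(1)] = {"fsid": fsid, "access": access}
    return exports

def check_secinfo(exports):
    """Report violations of the two SECINFO requirements in the usage notes."""
    problems, by_fsid = [], {}
    for path, e in exports.items():
        by_fsid.setdefault(e["fsid"], []).append(path)
    # Requirement 1: exports with different security must not share an fsid.
    for fsid, paths in by_fsid.items():
        if len({frozenset(exports[p]["access"]) for p in paths}) > 1:
            problems.append(f"fsid={fsid} shared by {sorted(paths)} with different security")
    # Requirement 2: the pseudo-root (fsid=0) must export the union of leaf flavors.
    roots = [e for e in exports.values() if e["fsid"] == "0"]
    if roots:
        leaves = set().union(*(e["access"] for e in exports.values() if e["fsid"] != "0"))
        missing = leaves - set(roots[0]["access"])
        if missing:
            problems.append(f"pseudo-root lacks flavors {sorted(missing)}")
    return problems

if __name__ == "__main__":
    for problem in check_secinfo(parse_exports(SAMPLE)):
        print(problem)
```

On the constructed sample it reports the shared fsid=1 and the krb5p flavor missing from the pseudo-root; the /export line given above passes both checks.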

The full release of nfs-utils-1.0.10: nfs-utils-1.0.10.tar.gz (Also available from sourceforge)

Kerberos patches

A patch to add a new keyring credential cache type to MIT Kerberos can be found here:

If your distribution does not have a keyutils package, you can find it here. Note that the keyutils package needs to be installed prior to building Kerberos with the keyring credentials cache feature.

Be sure to check your client's /etc/gssapi_mech.conf path to ensure it points to the new library.

Usage notes

After applying the patch, run ./src/util/reconf to regenerate configure files before building the code.

With the 20060920 and later patches, you must specify --enable-keyring-ccache to enable the keyring ccache code (and make it the default ccache type). (Note that PAM and/or sshd often set the KRB5CCNAME environment variable, which will override the default.)

In addition to "KEYRING:", you can also specify "KEYRING:process:" or "KEYRING:thread:". However, these are only useful in long-running processes or threads. If you specify one of them via KRB5CCNAME and then run kinit, the credentials will be created but will go away as soon as kinit completes.

The Kerberos source code can be obtained from the MIT Distribution Page

Vulnerability Testing Tools

htools-20060829.tar.gz (old)
htools-20060823.tar.gz (old)
htools.tar.gz (old)
These are the "hacker" tools, commonly used to demonstrate vulnerabilities in NFSv3. We are extending them to do the same in NFSv4. The tools work with auth_sys mounts but are completely defeated by auth_krb. See the Readme files for build and usage instructions.

A client that can be used to send RPCs interactively, and some tests that enable uid/gid spoofing and fh probing.

This is the standard Linux mount command, extended to allow mounting by file handle. This is used to bypass the export security built in to the mount protocol (v3) or pseudo-fs traversal (v4).

This is a file sniffing tool from the dsniff test suite. It passively sniffs RPC traffic and reconstructs file contents. We have extended it to v4 and to display the contents in real time.

ACL and Security Testing Tools

acl-test-20060922.tar.gz (old)
Test tools and scripts to demonstrate that ACL and security identity support works and is correctly configured.

nfs4-acl-tools-0.3.2.tar.gz (updated 2007-10-22)
Command-line tools nfs4_getfacl and nfs4_setfacl, as well as a GUI (Qt-based) ACL editor (see a screenshot). We're working on bugfixes and features; please direct any email to Thanks.

Configuration Testing Tools
A simple /etc/exports parser for configuration testing.

A simple acl parsing and testing tool.
Copyright © 1996-2013
The Regents of the University of Michigan