Thread: 2 messages, 1 author, 2024-12-05

[PATCH 0/2] nfsd symlink vulnerability patch

From: Christopher Bii <hidden>
Date: 2024-12-05 02:04:22

It is hinted in the configuration files that an attacker could gain 
access to arbitrary folders by guessing symlink paths that match 
exported dirs, but this is not the case. They can get access to the root 
export with certainty by simply symlinking to "../../../../../../../", 
which will nearly* always return "/".

This is due to realpath() being called in the main thread which isn't 
chrooted, concatenating the result with the export root to create the 
export entry's final absolute path which the kernel then exports.

Also, a linker issue arose so I have added another small hack just to 
get it compiled correctly.


Christopher Bii (2):
   Exportfs changes
     - When an export rootdir is present, the nfsd_realpath() wrapper is
       used to avoid symlink exploits.
     - Removed canonicalization of rootdir paths. Export rootdir must now
       be an absolute path.
     - Implemented nfsd_path.h
   Temporary fix for build issue for mount util.

  support/export/export.c     |  24 +--
  support/include/nfsd_path.h |   9 +-
  support/misc/nfsd_path.c    | 362 ++++++++++++------------------------
  support/nfs/exports.c       |  59 +++---
  utils/exportfs/exportfs.c   |   8 +-
  5 files changed, 170 insertions(+), 292 deletions(-)

-- 
2.47.1
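The cover letter describes the defect as realpath() being run outside the chroot and its result being glued onto the export root, so that a symlink target of "../../../../../../../" resolves to "/" before the root prefix is applied. The C program below is an added example written for this page; it is not code from the nfs-utils series or its nfsd_realpath() wrapper, and the names confined_path and path_within_root, the rootdir "/srv/nfs" and the sample targets are all constructed for illustration. It shows the property a fix has to guarantee: path components are resolved relative to the export rootdir and ".." can never climb above it, and an already-resolved path is checked against the root prefix before it would be handed to the kernel.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (added example, not nfs-utils code): lexically
 * resolve `path` against an absolute export `rootdir` so that ".."
 * components can never climb above rootdir. A target such as
 * "../../../../../../../" therefore collapses to rootdir itself instead
 * of reaching "/". Returns a malloc'd absolute path, or NULL if rootdir
 * is not absolute or allocation fails. */
char *confined_path(const char *rootdir, const char *path)
{
    size_t rootlen, prefix, len;
    char *out;
    const char *p = path;

    if (!rootdir || rootdir[0] != '/' || !path)
        return NULL;

    /* Strip trailing slashes from rootdir; a rootdir of "/" becomes an
     * empty prefix so that the first component yields "/name". */
    rootlen = strlen(rootdir);
    while (rootlen > 1 && rootdir[rootlen - 1] == '/')
        rootlen--;
    prefix = (rootlen == 1) ? 0 : rootlen;

    /* Each component adds at most "/" + its text, plus the NUL. */
    out = malloc(prefix + strlen(path) + 2);
    if (!out)
        return NULL;
    memcpy(out, rootdir, prefix);
    len = prefix;

    while (*p) {
        const char *start;
        size_t clen;

        while (*p == '/')               /* skip separators */
            p++;
        if (!*p)
            break;
        start = p;
        while (*p && *p != '/')
            p++;
        clen = (size_t)(p - start);

        if (clen == 1 && start[0] == '.')
            continue;                   /* "." is a no-op */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* "..": pop one component, but never below the root prefix. */
            if (len > prefix) {
                while (out[len - 1] != '/')
                    len--;
                len--;                  /* drop the '/' as well */
            }
            continue;
        }
        out[len++] = '/';
        memcpy(out + len, start, clen);
        len += clen;
    }

    if (len == 0)
        out[len++] = '/';               /* rootdir "/" with nothing below it */
    out[len] = '\0';
    return out;
}

/* Check that an already-resolved absolute path lies inside rootdir
 * (equal to it, or strictly below it). This is the check to apply to
 * any realpath() result before an export entry is built from it; a
 * plain prefix match would wrongly accept "/srv/nfsd" for "/srv/nfs". */
int path_within_root(const char *rootdir, const char *resolved)
{
    size_t rootlen = strlen(rootdir);

    while (rootlen > 1 && rootdir[rootlen - 1] == '/')
        rootlen--;
    if (rootlen == 1)                   /* rootdir is "/" */
        return resolved[0] == '/';
    if (strncmp(resolved, rootdir, rootlen) != 0)
        return 0;
    return resolved[rootlen] == '\0' || resolved[rootlen] == '/';
}

int main(void)
{
    const char *root = "/srv/nfs";      /* constructed example export rootdir */
    const char *targets[] = {           /* constructed symlink targets / export paths */
        "../../../../../../../",
        "exports/../../../etc/passwd",
        "/home/user/./data",
    };
    size_t i;

    for (i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        char *r = confined_path(root, targets[i]);
        printf("%-30s -> %s (inside root: %s)\n", targets[i],
               r ? r : "(error)",
               (r && path_within_root(root, r)) ? "yes" : "no");
        free(r);
    }
    return 0;
}
```

Lexical confinement on its own does not follow symlinks that live inside the export root; a complete fix still has to resolve those links relative to rootdir (the role the series gives to nfsd_realpath()) and then apply the prefix check to the result, which is why both functions are shown together.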