Enable chown by non-root users over NFS

Rick Macklem rmacklem at uoguelph.ca
Wed Feb 15 03:08:05 UTC 2012


John wrote:
> Hi Folks,
> 
> We have a $NFS_FILESERVER we're trying to replace with a ZFS based
> system. Everything works quite well except for some processes which
> fail
> trying to give away ownership of a file.
> 
> In this instance, $NFS_FILESERVER has a system level option,
> root_only_chown,
> which is disabled, which allows the chown ownership giveaways to work.
> (Yes, it's a security issue. No, I can't change the process). Note,
> this is
> not a maproot issue. Wrong rabbit hole :-)
> 
> I've started poking through the code. Also thought I'd ask here if
> anyone has run into this issue and how they solved it, or if anyone
> has any suggestions. Feel free to tell me I'm missing something
> obvious
> also...
> 
Well, at least for NFSv3 (NFSv4 has some further checks I'd have
to look at), this is allowed/not allowed by the underlying file system.
(I have no idea if ZFS can be changed easily to allow this?)

If ZFS only allows root to chown and you want to allow it, you
could hack nfsrvd_setattr() to use cred for root to do the nfsvno_setattr()
for this case.

nva2.na_uid is who owns the file before the setattr
nd->nd_cred->cr_uid is who is trying to do the chown
nva.na_uid != VNOVAL is what it is trying to change it to

You can
    rootcred = newnfs_getcred(); /* get new root cred. */
    NFSFREECRED(rootcred);       /* to release them when done. */

For an NFSv3 specific change, you can put this stuff just
before/after nfsvno_setattr() for the "else" case, after all the
NFSv4 calls.

If you want the hack and can't figure out how to do it, I can
do it for you. Just email.

rick

> Thanks,
> John


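The reply above describes the decision a server-side patch would have to make: compare the file's owner before the setattr (nva2.na_uid), the requester (nd->nd_cred->cr_uid) and the requested new owner (nva.na_uid, or VNOVAL when no chown is requested), and only then run nfsvno_setattr() under a root credential. The following is an added, user-space model of that decision and is not FreeBSD kernel code; the struct, the function name chown_use_rootcred(), the allow_giveaway switch and the VNOVAL_MODEL marker are all constructed for illustration. It adds the guards a reviewer would insist on before shipping such a hack: the override applies only to NFSv3, only to an actual ownership change, and only when the requester already owns the file, so the root credential is never used to let one user take over another user's file.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-in for the kernel's VNOVAL "attribute not supplied" marker. */
#define VNOVAL_MODEL (-1)

enum nfs_vers { NFSV3 = 3, NFSV4 = 4 };

/* Minimal model of the three values named in the reply:
 * owner before setattr (nva2.na_uid), requester (nd->nd_cred->cr_uid)
 * and requested owner (nva.na_uid). Hypothetical structure, not the kernel's. */
struct chown_request {
    enum nfs_vers vers;
    uid_t owner_uid;   /* nva2.na_uid */
    uid_t req_uid;     /* nd->nd_cred->cr_uid */
    int   new_uid;     /* nva.na_uid, or VNOVAL_MODEL when no chown is requested */
};

/* Decide whether the server should perform this setattr with a root credential
 * instead of the requester's own. The guards are assumptions for this example:
 * the thread only says where the substitution would go, not what to check. */
bool chown_use_rootcred(const struct chown_request *r, bool allow_giveaway)
{
    if (!allow_giveaway)
        return false;                       /* server-side kill switch */
    if (r->vers != NFSV3)
        return false;                       /* NFSv4 has further checks; leave it alone */
    if (r->new_uid == VNOVAL_MODEL)
        return false;                       /* no ownership change requested */
    if ((uid_t)r->new_uid == r->owner_uid)
        return false;                       /* chown to the same owner: nothing to do */
    if (r->req_uid == 0)
        return false;                       /* root passes the normal path already */
    if (r->req_uid != r->owner_uid)
        return false;                       /* only the current owner may give a file away */
    return true;
}

/* Count how many of a batch of constructed requests would be escalated;
 * handy for checking a policy change against a sample of real traffic. */
int count_escalated(const struct chown_request *reqs, int n, bool allow_giveaway)
{
    int c = 0;
    for (int i = 0; i < n; i++)
        if (chown_use_rootcred(&reqs[i], allow_giveaway))
            c++;
    return c;
}

int main(void)
{
    /* Constructed sample requests. */
    struct chown_request reqs[] = {
        { NFSV3, 1001, 1001, 1002 },          /* owner gives own file away: escalate */
        { NFSV3, 1001, 1003, 1003 },          /* non-owner tries to take file: refuse */
        { NFSV3, 1001, 1001, VNOVAL_MODEL },  /* plain setattr, no chown: refuse */
        { NFSV4, 1001, 1001, 1002 },          /* NFSv4: refuse, leave to v4 checks */
        { NFSV3, 1001, 0,    1002 },          /* root: normal path suffices */
    };
    int n = (int)(sizeof reqs / sizeof reqs[0]);
    for (int i = 0; i < n; i++)
        printf("request %d: %s\n", i,
               chown_use_rootcred(&reqs[i], true) ? "use root cred" : "requester cred");
    printf("escalated: %d of %d\n", count_escalated(reqs, n, true), n);
    return 0;
}
```

With the kill switch off, nothing is escalated, which is the state an administrator wants after the legacy process is gone; the owner-only guard is what keeps the hack from turning into a general "any user may chown anything" hole on the server.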