git: caa309c8811d - main - nfsd: Fix handling of credentials with cr_ngroups == 0
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 21 Oct 2024 22:50:24 UTC
The branch main has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=caa309c8811d62a24cd07e3a1f6e9095eaf10c90
commit caa309c8811d62a24cd07e3a1f6e9095eaf10c90
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2024-10-21 22:48:39 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2024-10-21 22:48:39 +0000
nfsd: Fix handling of credentials with cr_ngroups == 0
There has been a documented case in the exports(5) man
page forever, which specifies that the -maproot or -mapall
may have a single user entry, followed by a ':'.
This case is defined as specifying no groups (aka cr_ngroups == 0).
This patch fixes the NFS server so that it handles this case correctly.
After MFC'ng this patch to stable/13 and stable/14, I propose that
this unusual case be deprecated and no longer allowed in FreeBSD15.
At that point, this patch can be reverted.
Reviewed by: brooks
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D47204
---
sys/fs/nfsserver/nfs_nfsdsubs.c | 5 ++---
sys/kern/kern_prot.c | 7 +++++++
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/sys/fs/nfsserver/nfs_nfsdsubs.c b/sys/fs/nfsserver/nfs_nfsdsubs.c
index d80826993f23..2fd877775c79 100644
--- a/sys/fs/nfsserver/nfs_nfsdsubs.c
+++ b/sys/fs/nfsserver/nfs_nfsdsubs.c
@@ -1620,7 +1620,7 @@ nfsrv_checkuidgid(struct nfsrv_descript *nd, struct nfsvattr *nvap)
if (nd->nd_cred->cr_uid == 0)
goto out;
if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid != nd->nd_cred->cr_uid) ||
- (NFSVNO_ISSETGID(nvap) && nvap->na_gid != nd->nd_cred->cr_gid &&
+ (NFSVNO_ISSETGID(nvap) &&
!groupmember(nvap->na_gid, nd->nd_cred)))
error = NFSERR_PERM;
@@ -1679,8 +1679,7 @@ nfsrv_fixattr(struct nfsrv_descript *nd, vnode_t vp,
}
if (NFSISSET_ATTRBIT(attrbitp, NFSATTRBIT_OWNERGROUP) &&
NFSVNO_ISSETGID(nvap)) {
- if (nvap->na_gid == nd->nd_cred->cr_gid ||
- groupmember(nvap->na_gid, nd->nd_cred)) {
+ if (groupmember(nvap->na_gid, nd->nd_cred)) {
nd->nd_cred->cr_uid = 0;
nva.na_gid = nvap->na_gid;
change++;
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 40cfa236a07d..95362ce8a310 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1310,6 +1310,13 @@ bool
groupmember(gid_t gid, struct ucred *cred)
{
+ /*
+ * The nfsd server can use a credential with zero groups in it
+ * when certain mapped export credentials are specified via exports(5).
+ */
+ if (cred->cr_ngroups == 0)
+ return (false);
+
if (gid == cred->cr_groups[0])
return (true);