[Bug 202659] rpcsec_gss has a 16-group limit

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Aug 25 18:36:26 UTC 2015 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202659

            Bug ID: 202659
           Summary: rpcsec_gss has a 16-group limit
           Product: Base System
           Version: 10.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: matthew.l.dailey at dartmouth.edu

Created attachment 160354
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=160354&action=edit
Patch for svc_rpcsec_gss to switch from RPCAUTH_UNIXGIDS to NGROUPS

System: FreeBSD freebsd-test 10.2-RELEASE FreeBSD 10.2-RELEASE #1: Fri Aug 21
11:12:07 EDT 2015    
root at freebsd-test.thayer.dartmouth.edu:/usr/obj/usr/src/sys/GENERIC_GSS  amd64
I have observed this issue as far back as 9.1-RELEASE.

Overview:
The kernel code for svc_rpcsec_gss and the userspace code for gssd implement a
16-group limit for users.

Steps to reproduce:
The first step is to have a working FreeBSD nfs4 server tied into a kerberos
infrastructure and exporting directories with one of the krb5 security flavors 
The FreeBSD nfs4 server requires a kernel built with:
options         KGSSAPI
device          crypto

Here is the simple /etc/exports on the server:
V4: /exports -sec=krb5:krb5i
/exports -sec=krb5

Add a user to more than 16 groups on the nfs4 server:
# groups testuser
staff group1 group2 group3 group4 group5 group6 group7 group8 group9 group10
group11 group12 group13 group14 group15 group16

Set permissions on an exported directory for the 17th or higher group
# ls -ld /exports/group16
drwxrwxr-x  2 root  group16  3 Aug 21 13:08 /exports/group16

Try to access this directory as this user from a remote client
# mount -t nfs4 -osec=krb5,nosuid freebsd-test:/ /mnt/exports
$ touch /mnt/exports/group16/testfile
touch: cannot touch `/mnt/exports/group16/testfile`: Permission denied

Directories with permissions for the 16th and under groups work:
server# ls -ld /exports/group15
drwxrwxr-x  2 root  group15  3 Aug 21 10:29 /exports/group15
client$ touch /mnt/exports/group15/testfile
client$ ls -al /mnt/exports/group15/testfile
-rw-r--r-- 1 testuser group15 0 Aug 21 10:29 /mnt/exports/group15/testfile

Problem description:
This problem appears to come from defines in both
sys/rpc/rpcsec_gss/svc_rpcsec_gss.c and usr.sbin/gssd/gssd.c

In sys/rpc/rpcsec_gss/svc_rpcsec_gss.c, the group limit is defined using
RPCAUTH_UNIXGIDS. It looks like this may have originally come from
sys/fs/nfs/rpc2.h, but I don't think this is included by the code, so
RPCAUTH_UNIXGIDS is defined locally.

In usr.sbin/gssd/gssd.c, the group limit is defined using NGRPS. This comes
ultimately from sys/rpc/auth_unix.h, which is included in gssd.c from
sys/rpc/rpc.h.

Proposed solution:
In both cases, I would propose that this be fixed by using the NGROUPS
definition from sys/sys/param.h instead of the existing definitions. This will
not only lift the current 16-group limit, but allow the code to track future
increases in this value.

There was previously a buffer issue in gssd that prevented this increase, but
this was fixed in May 2013 in base r250176.

We have been running a production system (originally 9.1-RELEASE, upgraded to
9.3-RELEASE in March 2015) where I raised the limit in both svc_rpcsec_gss.c
and gssd.c to 256 groups. This has been running since May 2013 without any
problems. I have also tested these exact patches on a 10.2-RELEASE system, and
experienced no problems in limited testing.

Attached are my proposed patches. Please let me know if you have any questions
or need any other information about these patches.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list