[Bug 238725] Severe NFS exports(5) -maproot regression for :group definition

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238725

            Bug ID: 238725
           Summary: Severe NFS exports(5) -maproot regression for :group
                    definition
           Product: Base System
           Version: 12.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: bugzilla.freebsd at omnilan.de

Hello,

I've been using semi-sophisticated exports(5), last adjusted with FreeBSD-9 and
reused sucessfully on FreeBSD-10+11.
Recently I upgraded one machine From FreeBSD-11 to FreeBSD-12-stable and now
the ":group" definition of -maproot= in exports(5) has no effect anymore.

Here are the relevant infos for reproduction (NFSv4):
/zfs/netshares/deployment  -ro -maproot=65534:65533 -network 192.0.2.0/24
getent passwd 65534
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
getent group 65534
nobody:*:65534
This is verified to be identical on the 11 and 12 servers!


On the NFS server, cd into /zfs/netshares/deploymemt and:
mkdir test && touch test/testfile
setfacl -b test && chown root:nogroup test && chmod 750 test                    

On the client, issue as root: ls
/$nfsservermounpoint/zfs/netshares/deployment/test
Clients mounting from FreeBSD-12 tell "ls: .../deployment/test: Permission
denied"
Clients mounting from FreeBSD-11 list the "testfile".

The -maproot=user part works, but not the :group anymore.
This is also falsified using nfsv3 (with ESXi client).

Hope somebody has an idea which change could be the culprit.  Needless to say
that this was really unexpected and badly breaks a lot of things.

Thanks,
-harry

-- 
You are receiving this mail because:
You are the assignee for the bug.