small patch for /etc/rc.d/nfsd, bugfix or POLA violation?

Rick Macklem rmacklem at uoguelph.ca
Sun Jul 9 19:57:28 UTC 2017


Hi,

The attached one line patch to /etc/rc.d/nfsd modifies the script so that it
does not force the nfsuserd to be run when nfsv4_server_enable is set.
(nfsuserd can still be enabled via nfsuserd_enable="YES" in /etc/rc.conf.)

Here's why I think this patch might be appropriate...
(a) - The original RFC for NFSv4 (RFC3530) essentially required Owners and
   Owner_groups to be specified as <user>@<domain> and this required
   the nfsuserd daemon to be running.
(b) - RFC7530, which replaces RFC3530, allows an Owner/Owner_group string to be
   the uid/gid number in a string when using AUTH_SYS. This simplifies configuration
   for an all AUTH_SYS/POSIX environment (most NFS uses, I suspect?).

To make the server do (b), two things need to be done:
1 - set vfs.nfsd.enable_stringtouid=1
2 - set vfs.nfsd.enable_uidtostring=1 (for head, I don't know if it will be MFC'd?)
OR
  - never run nfsuserd after booting (killing it off after it has been running is not
    sufficient)
  
Given the above, it would seem that /etc/rc.d/nfsd should not force running of
the nfsuserd daemon, due to changes in the protocol.

However, this will result in a POLA violation, in that after the patch, nfsuserd won't
start when booting, unless nfsuserd_enable="YES" is added to /etc/rc.conf.

So, what do people think about this patch? rick
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nfsd-rcd.patch
Type: application/octet-stream
Size: 372 bytes
Desc: nfsd-rcd.patch
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20170709/47177755/attachment.obj>
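The following is an added example, not code from the FreeBSD kernel, from the attached patch, or from the mail's author. It models the two owner-string behaviours the mail contrasts: the RFC3530 <user>@<domain> form that depends on nfsuserd, and the RFC7530 AUTH_SYS form where the string is just the uid number, switched by the vfs.nfsd.enable_stringtouid and vfs.nfsd.enable_uidtostring knobs or by nfsuserd never having been started since boot. The domain name, the user table (standing in for what nfsuserd would answer), the "nobody" fallback uid and the way a killed daemon is treated are all assumptions made for the example.

```python
"""Model of NFSv4 Owner/Owner_group string handling on an NFSv4 server.

Added example; not FreeBSD kernel code.  It models the behaviour described
in the mail:

  * classic RFC 3530 mode: strings are <user>@<domain>, resolved through a
    running nfsuserd (modelled here by a constructed in-memory table);
  * RFC 7530 AUTH_SYS mode: with vfs.nfsd.enable_stringtouid=1 a numeric
    string is accepted as a uid, with vfs.nfsd.enable_uidtostring=1 uids
    are sent back as numeric strings, and both apply when nfsuserd has
    never been started since boot.
"""

from dataclasses import dataclass

NOBODY_UID = 65534        # assumption: uid an unmappable owner falls back to
DOMAIN = "example.org"    # assumption: the server's nfsuserd domain

# Constructed stand-in for the answers nfsuserd would give (name <-> uid).
USER_TABLE = {"alice": 1001, "bob": 1002, "root": 0}
UID_TABLE = {uid: name for name, uid in USER_TABLE.items()}


@dataclass
class ServerConfig:
    stringtouid: bool = False      # vfs.nfsd.enable_stringtouid
    uidtostring: bool = False      # vfs.nfsd.enable_uidtostring
    nfsuserd_started: bool = True  # was nfsuserd ever started since boot?
    nfsuserd_alive: bool = True    # is it still running now?


def numeric_mode(cfg: ServerConfig, knob: bool) -> bool:
    """Numeric strings are used when the knob is set or nfsuserd never ran.

    Per the mail, killing nfsuserd after it has run is not enough: only a
    daemon that was never started since boot puts the server in this mode.
    """
    return knob or not cfg.nfsuserd_started


def owner_string_to_uid(owner: str, cfg: ServerConfig) -> int:
    """Map an incoming Owner attribute (AUTH_SYS request assumed) to a uid."""
    # RFC 7530 form: a bare decimal number is the uid itself.
    if owner.isdigit():
        if numeric_mode(cfg, cfg.stringtouid):
            return int(owner)
        # Classic mode: "1001" is merely an unknown user name.
        return NOBODY_UID
    # Classic RFC 3530 form: <user>@<domain>, needs the daemon's table.
    if "@" in owner and cfg.nfsuserd_started:
        if not cfg.nfsuserd_alive:
            return NOBODY_UID  # assumption: an unanswered upcall maps to nobody
        name, _, domain = owner.partition("@")
        if domain == DOMAIN and name in USER_TABLE:
            return USER_TABLE[name]
    return NOBODY_UID


def uid_to_owner_string(uid: int, cfg: ServerConfig) -> str:
    """Render a uid as the Owner attribute sent back to the client."""
    if numeric_mode(cfg, cfg.uidtostring):
        return str(uid)
    if not cfg.nfsuserd_alive:
        return f"nobody@{DOMAIN}"  # assumption: same fallback as above
    name = UID_TABLE.get(uid)
    if name is None:
        return f"nobody@{DOMAIN}"
    return f"{name}@{DOMAIN}"


if __name__ == "__main__":
    classic = ServerConfig()
    numeric = ServerConfig(stringtouid=True, uidtostring=True)
    never_started = ServerConfig(nfsuserd_started=False, nfsuserd_alive=False)
    killed = ServerConfig(nfsuserd_started=True, nfsuserd_alive=False)
    for label, cfg in [("classic", classic), ("sysctls", numeric),
                       ("never started", never_started), ("killed", killed)]:
        print(label, owner_string_to_uid("1001", cfg),
              owner_string_to_uid("alice@example.org", cfg),
              uid_to_owner_string(1001, cfg))
```

The "killed" configuration is the caveat from the mail: a server whose nfsuserd was started and then stopped neither accepts numeric owners nor can answer name lookups, so both forms collapse to nobody. Only the sysctls, or not starting the daemon at all (which is what the proposed rc.d change makes possible), give the RFC7530 numeric behaviour.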


More information about the freebsd-current mailing list