[PATCH] disable nfsd (NFSv4) nobody/nogroup check

Marcelo Araujo araujobsdport at gmail.com
Tue Oct 14 10:46:28 UTC 2014 

Hello Blot,

The patch looks reasonable.
As per the email thread, seems a good approach to overcome this issue, at
least for now.

If Rick has no objection and no free time, I can commit the patch during
this week.

Best Regards,

2014-10-14 18:34 GMT+08:00 Loïc Blot <loic.blot at unix-experience.fr>:

> Hi,
>  since a recent problem (see thread NFSv4 nobody issue), i think we need a
> sysctl variable to disable nobody and nogroup check into the kernel
> (default enabled)
>  This variable is useful in some situations, like TFTP over NFS, jails
> over NFS (some files like /var/db/locate.database need nobody user).
>
>  I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
> modify NFSv4 nobody/nogroup check.
>
>  Thanks to Rick to tell me where the problem was.
>
>  Can you review the patch, and add it to kernel to avoid previous
> mentionned issue.
>
>  Here is my patch:
>
>  --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig    2014-10-14 12:03:50.163311506
> +0200
>  +++ sys/fs/nfsserver/nfs_nfsdsubs.c    2014-10-14 12:06:29.793304755 +0200
>  @@ -62,9 +62,18 @@
>   SYSCTL_DECL(_vfs_nfsd);
>
>   static int    disable_checkutf8 = 0;
>  +static int    disable_nobodycheck = 0;
>  +static int    disable_nogroupcheck = 0;
>   SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
>       &disable_checkutf8, 0,
>       "Disable the NFSv4 check for a UTF8 compliant name");
>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
>  +    &disable_nobodycheck, 0,
>  +    "Disable the NFSv4 check when setting user nobody as owner");
>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW,
>  +    &disable_nogroupcheck, 0,
>  +    "Disable the NFSv4 check when setting group nogroup as owner");
>  +
>
>   static char nfsrv_hexdigit(char, int *);
>
>  @@ -1543,8 +1552,8 @@
>        */
>       if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
>           goto out;
>  -    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid)
>  -        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid == nfsrv_defaultgid)) {
>  +    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid &&
> disable_nobodycheck == 0)
>  +        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid == nfsrv_defaultgid &&
> disable_nogroupcheck == 0)) {
>           error = NFSERR_BADOWNER;
>           goto out;
>       }
>  Regards,
>
>  Loïc Blot,
>  UNIX Systems, Network and Security Engineer
>  http://www.unix-experience.fr
> _______________________________________________
> freebsd-fs at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe at freebsd.org"




-- 

-- 
Marcelo Araujo            (__)araujo at FreeBSD.org
\\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>   \/  \ ^
Power To Server.         .\. /_)

More information about the freebsd-fs mailing list