[PATCH] disable nfsd (NFSv4) nobody/nogroup check
Marcelo Araujo
araujobsdport at gmail.com
Tue Oct 14 10:46:28 UTC 2014
Hello Blot,
The patch looks reasonable.
As per the email thread, it seems a good approach to overcome this issue, at
least for now.
If Rick has no objection and no free time, I can commit the patch during
this week.
Best Regards,
2014-10-14 18:34 GMT+08:00 Loïc Blot <loic.blot at unix-experience.fr>:
> Hi,
> Since a recent problem (see thread NFSv4 nobody issue), I think we need a
> sysctl variable to disable the nobody and nogroup check in the kernel
> (default enabled).
> This variable is useful in some situations, like TFTP over NFS, jails
> over NFS (some files like /var/db/locate.database need nobody user).
>
> I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
> modify NFSv4 nobody/nogroup check.
>
> Thanks to Rick for telling me where the problem was.
>
> Can you review the patch and add it to the kernel to avoid the previously
> mentioned issue?
>
> Here is my patch:
>
> --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14 12:03:50.163311506
> +0200
> +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14 12:06:29.793304755 +0200
> @@ -62,9 +62,18 @@
> SYSCTL_DECL(_vfs_nfsd);
>
> static int disable_checkutf8 = 0;
> +static int disable_nobodycheck = 0;
> +static int disable_nogroupcheck = 0;
> SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
> &disable_checkutf8, 0,
> "Disable the NFSv4 check for a UTF8 compliant name");
> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
> + &disable_nobodycheck, 0,
> + "Disable the NFSv4 check when setting user nobody as owner");
> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW,
> + &disable_nogroupcheck, 0,
> + "Disable the NFSv4 check when setting group nogroup as owner");
> +
>
> static char nfsrv_hexdigit(char, int *);
>
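Review bot: The new variable names disable_nobodycheck and disable_nogroupcheck do not follow the pattern of the existing disable_checkutf8 declared just above them; names of the form disable_check<thing> would keep the vfs.nfsd knobs consistent. Both knobs are CTLFLAG_RW, so the description strings are the only documentation an administrator sees at runtime: they should say that 0 (the default) keeps the check and that a non-zero value accepts the nobody or nogroup id as owner. The final added blank "+" line also leaves two consecutive blank lines before the nfsrv_hexdigit prototype and can be dropped.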
> @@ -1543,8 +1552,8 @@
> */
> if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
> goto out;
> - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid)
> - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid == nfsrv_defaultgid)) {
> + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid &&
> disable_nobodycheck == 0)
> + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid == nfsrv_defaultgid &&
> disable_nogroupcheck == 0)) {
> error = NFSERR_BADOWNER;
> goto out;
> }
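Review bot: In the rewritten condition, setting either knob removes the NFSERR_BADOWNER return for that id, so a request whose na_uid equals nfsrv_defaultuid (or whose na_gid equals nfsrv_defaultgid) now falls through to the code after this block; the comment that closes just above the NFSVNO_NOTSETUID test should be updated to describe that behaviour and name the two sysctls. The two "+" lines also run well past 80 columns and have been wrapped by the mailer onto continuation lines without a "+" prefix, so the hunk will not apply as posted. Suggest breaking each clause onto its own line, testing the knob first (disable_nobodycheck == 0 && NFSVNO_ISSETUID(nvap) && ...), and resending the patch as an attachment.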
> Regards,
>
> Loïc Blot,
> UNIX Systems, Network and Security Engineer
> http://www.unix-experience.fr
> _______________________________________________
> freebsd-fs at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe at freebsd.org"
--
Marcelo Araujo
araujo at FreeBSD.org
http://www.FreeBSD.org
Power To Server.